Anonymous Counting Tokens

  • Conference paper
Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

We introduce a new primitive called anonymous counting tokens (ACTs), which allows clients to obtain blind signatures or MACs (aka tokens) on messages of their choice, while at the same time enabling issuers to enforce rate limits on the number of tokens that a client can obtain for each message. Our constructions enforce that each client will be able to obtain only one token per message, and we show a generic transformation to support other rate limits as well. We achieve this new property while maintaining the unforgeability and unlinkability properties required for anonymous token schemes. We present four ACT constructions with various trade-offs for their efficiency and underlying security assumptions. One construction uses factorization-based primitives and a cyclic group. It is secure in the random oracle model under the q-DDHI assumption (in a cyclic group) and the DCR assumption. Our three other constructions use bilinear maps: one is secure in the standard model under q-DDHI and SXDH, one is secure in the random oracle model under SXDH, and the most efficient of the three is secure in the random oracle model and generic bilinear group model.

F. Benhamouda—Work done while employed at Algorand Foundation, prior to joining Amazon.

Notes

  1. Contrary to [BB04], we use a decisional assumption instead of the computational q-SDH because we want pseudorandomness and not unpredictability. Contrary to [DY05], we have the PRF value in \(\mathbb {G}_1\) instead of \(\mathbb {G}_T\) and our assumption is thus q-DDHI instead of q-DBDHI, and we do not need to have a bilinear map. Appendix A of Miao et al. [MPR+20] shows the proof under q-DDHI. The only difference with our case is that we allow the adversary to see \(\textsf{pk}= \textsf{u}\cdot \textsf{G}\), which can easily be simulated the same way as in [DY05]. Simulating \(\textsf{pk}= \textsf{u}\cdot \textsf{G}\) is why we rely on q-DDHI instead of just \((q-1)\)-DDHI as [MPR+20] would require.

  2. Recall this is using additive notation for \(\mathbb {Z}^*_{N^2}\). In usual multiplicative notation, this corresponds to: \(\textsf{G}= \textsf{R}^{2N} \bmod N^2\).

  3. This PRF is used for the rate limitation of the client. VOPRF does not evaluate this PRF but rather evaluates \(\mathcal {F}\) defined in Sect. 4.

  4. Note that when called from the ACT, \(\textsf{msg}\) will actually be a hash of some message \(\textsf{H}(\textsf{msg})\).

  5. Actually the challenge c can be reduced to \(\lambda \) bits while keeping the security of the Fiat-Shamir transform.

References

  1. Attema, T., Fehr, S., Klooß, M.: Fiat-Shamir transformation of multi-round interactive proofs. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part I. LNCS, vol. 13747, pp. 113–142. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22318-1_5

  2. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  3. Barker, E.: Recommendation for key management, part 1: General, 2016-01-28 (2016)

  4. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_4

  5. Bell, J.H., Bonawitz, K.A., Gascón, A., Lepoint, T., Raykova, M.: Secure single-server aggregation with (poly)logarithmic overhead. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1253–1269. ACM Press, November 2020

  6. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)

  7. Bonawitz, K., et al.: Practical secure aggregation for privacy-preserving machine learning. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1175–1191. ACM Press, October/November 2017

  8. Bowe, S.: Bls12-381: New zk-snark elliptic curve construction, March 2017. https://electriccoin.co/blog/new-snark-curve/

  9. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33

  10. Benhamouda, F., Raykova, M., Seth, K.: Anonymous counting tokens. Cryptology ePrint Archive, Paper 2023/320 (2023). https://eprint.iacr.org/2023/320

  11. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  12. Chase, M., Durak, F.B., Vaudenay, S.: Anonymous tokens with stronger metadata bit hiding from algebraic MACs. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 418–449. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_14

  13. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18

  14. Cramer, R.: Modular design of secure yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1997)

  15. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_8

  16. Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G., Valsorda, F.: Privacy pass: bypassing internet challenges anonymously. PoPETs 2018(3), 164–180 (2018)

  17. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_28

  18. Escala, A., Groth, J.: Fine-tuning Groth-Sahai proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_36

  19. Fuchsbauer, G., Gay, R.: Weakly secure equivalence-class signatures from standard assumptions. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 153–183. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_6

  20. Fuchsbauer, G., Hanser, C., Slamanig, D.: Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. J. Cryptol. 32(2), 498–546 (2019)

  21. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225

  22. Fiat, A., Shamir, A.: How To prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  23. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 519–535. USENIX Association, August 2021

  24. Graney, K.: Privacy Sandbox k-anonymity Server (2022). https://github.com/WICG/turtledove/blob/main/FLEDGE_k_anonymity_server.md#privacy-enhancements-we-are-exploring

  25. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

  26. Hendrickson, S., Iyengar, J., Pauly, T., Valdez, S., Wood, C.A.: Rate-Limited Token Issuance Protocol (2022). https://datatracker.ietf.org/doc/draft-privacypass-rate-limit-tokens/

  27. Hanzlik, L., Slamanig, D.: With a little help from my friends: constructing practical anonymous credentials. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2004–2023. ACM Press, November 2021

  28. Jutla, C.S., Roy, A.: Improved structure preserving signatures under standard bilinear assumptions. In: Fehr, S. (ed.) PKC 2017, Part II. LNCS, vol. 10175, pp. 183–209. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_7

  29. Kreuter, B., Lepoint, T., Orrù, M., Raykova, M.: Anonymous tokens with private metadata bit. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 308–336. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_11

  30. Miao, P., Patel, S., Raykova, M., Seth, K., Yung, M.: Two-sided malicious security for private intersection-sum with cardinality. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 3–33. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_1

  31. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_23

  32. Oded, G.: Foundations of Cryptography: Volume 2, Basic Applications, 1st edn. Cambridge University Press, Cambridge (2009)

  33. Silde, T., Strand, M.: Anonymous tokens with public metadata and applications to private contact tracing. In: Eyal, I., Garay, J.A. (eds.) FC 2022. LNCS, vol. 13411, pp. 179–199. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-18283-9_9

  34. Tyagi, N., Celi, S., Ristenpart, T., Sullivan, N., Tessaro, S., Wood, C.A.: A fast and simple partially oblivious PRF, with applications. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 674–705. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_23

Correspondence to Mariana Raykova.

© 2023 International Association for Cryptologic Research

Cite this paper

Benhamouda, F., Raykova, M., Seth, K. (2023). Anonymous Counting Tokens. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14439. Springer, Singapore. https://doi.org/10.1007/978-981-99-8724-5_8

  • DOI: https://doi.org/10.1007/978-981-99-8724-5_8

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8723-8

  • Online ISBN: 978-981-99-8724-5

  • eBook Packages: Computer Science (R0)
