Abstract
Several anonymous authentication schemes allow servers to revoke a misbehaving user's ability to make future accesses. Traditionally, these schemes have relied on powerful Trusted Third Parties (TTPs) capable of deanonymizing (or linking) users' connections. Such TTPs are undesirable because users' anonymity is not guaranteed, and users must trust them to judge misbehaviors fairly. Recent schemes such as Blacklistable Anonymous Credentials (BLAC) and Enhanced Privacy ID (EPID) support “privacy-enhanced revocation”: servers can revoke misbehaving users without a TTP's involvement, and without learning the revoked users' identities.
In BLAC and EPID, however, the computation required for authentication at the server is linear in the size (L) of the revocation list, which is impractical as the size approaches thousands of entries. We propose PEREA, a new anonymous authentication scheme for which this bottleneck computation is independent of the size of the revocation list. Instead, the time complexity of authentication is linear in the size of a revocation window K ≪ L, the number of subsequent authentications before which a user's misbehavior must be recognized if the user is to be revoked. We extend PEREA to support more complex revocation policies that take the severity of misbehaviors into account. Users can authenticate anonymously if their naughtiness, i.e., the sum of the severities of their blacklisted misbehaviors, is below a certain naughtiness threshold. We call our extension PEREA-Naughtiness. We prove the security of our constructions, and validate their efficiency as compared to BLAC analytically and quantitatively.
Index Terms
PEREA: Practical TTP-free revocation of repeatedly misbehaving anonymous users