Accumulators and U-Prove Revocation
description
Transcript of Accumulators and U-Prove Revocation
![Page 1: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/1.jpg)
Accumulators andU-Prove Revocation
Tolga Acar, IntelSherman S.M. Chow, The Chinese University of Hong KongLan Nguyen, XCG – Microsoft Research
![Page 2: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/2.jpg)
OutlineAccumulators Definitions and Security Anonymous Revocation New schemeU-Prove Overview Revocation methods Revocation with the new accumulatorImplementation and Performance
![Page 3: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/3.jpg)
Accumulator Primitives•Accumulate: Aggregate a set of elements into a single value V.
•Non-Membership (NM) Proof: Prove that an element x is NOT accumulated in V without revealing any info about x.
•Membership Proof: Prove that an element x is accumulated in V without revealing any info about x.
•Efficient Update of V and Proofs’ Witnesses when the accumulated set changes.
![Page 4: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/4.jpg)
Accumulator Security• Member Completeness: x is accumulated ⇒
Member proof accepts.• Member Soundness: x is not accumulated ⇒
Member proof rejects.• NM Completeness: x is not accumulated ⇒
NM proof accepts.• NM Soundness: x is accumulated ⇒ NM
proof rejects.• Information hiding: The proofs should be
Zero-Knowledge or Witness Indistinguishable.
![Page 5: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/5.jpg)
Revoking Anonymous Credentials
For Blacklisting Anonymous Credentials,• Accumulate blacklisted elements in an accumulator
value.• NM Proof proves that an element is not accumulated ⇒ The element is not blacklisted.• NM Proof does not reveal the element⇒ Privacy Protection.
For Whitelisting Anonymous Credentials, it is similar in the opposite way.
![Page 6: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/6.jpg)
Accumulator Scheme – Setup Bilinear pairing e: where and are cyclic multiplicative groups, all of order prime q.
Setup Private Key: Public Key: where
Optionally,
![Page 7: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/7.jpg)
Accumulator Operations•Items to accumulate is a set •Accumulator value •Non-Membership Witness is with
Compute from t
•A new witness for x is computed or updated when a new x‘ is accumulated or an accumulated x’ is removed from the set S
•Similar for Membership Witness
![Page 8: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/8.jpg)
Efficient Accumulator NM ProofComputations are moved from and to efficient • Prove is PoK : • Instead of To reduce pairing• Add to witness• Hide by and , so • PoK :Efficiency gains• Prover needs no pairing• Verifier needs 2 pairings to verify Similar for the Mem Proof.
![Page 9: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/9.jpg)
OutlineAccumulators Definitions and Security Anonymous Revocation New schemeU-Prove Overview Revocation methods Revocation with the new accumulatorImplementation and Performance
![Page 10: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/10.jpg)
U-ProveParticipants: Issuer, User (Prover), Service Provider (Verifier).Issuing Protocol between Issuer and User• User obtains Tokens from Issuer• Token certifies attributes (Driver License, Age >
21,…)Presentation Protocol between User and Service Provider• Users proves certain attributes to Service
Provider• Service Provider learns nothing about other
attributes
![Page 11: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/11.jpg)
U-Prove CryptoIssuing• Each token is a blind signature on a commitment of
attributes • Re-Committing to is like a sealed envelop • Blind Signing is like carbon paper• Extracting from is like opening envelopPresenting• Showing disclose attributes• PoK of committed attributes• Verifying the blind signatureDifferent presentations of the same token are linkable
![Page 12: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/12.jpg)
Revocation in U-ProveFour MethodsID Exposure. It breaks privacy.
Force revoked user to reveal the ID (S/N or another attribute)Credential Update. Not efficient.
Short validity time encoded in an attributeIssuer periodically updates valid credentials for download
Credential Revocation Lists. Not efficient.List of proofs that the ID is not in blacklisted items
AccumulatorsUse an accumulator to aggregate the IDs
![Page 13: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/13.jpg)
Pros and Cons of using Accumulators
Advantages• Costs to generate and verify unrevoked credential
proofs do not depend on the blacklist’s size.• It works for both whitelisting (membership proofs)
and blacklisting (non-membership proofs).• Anonymous and unlinkable credentials.Disadvantages• Witness update is expensive.• More complex.
![Page 14: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/14.jpg)
Accumulator-Based Revocation SchemeU-Prove integration is based on non-membership proofDemo Scenario
• Both User A and User P are issued U-Prove tokens.
• User A is blacklisted, so A fails to update NM Witness
⇒ User A can not generate anonymous proofs.• User P succeeds to update its NM Witness. ⇒ User P can generate valid anonymous proofs.
![Page 15: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/15.jpg)
U-Prove Revocation Scenario
![Page 16: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/16.jpg)
Setup and IssuingUse a revocation attribute (rv) to the U-Prove token.Issuer• Public key: • Private key:
User• Token: • Private key: • Commitment
![Page 17: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/17.jpg)
Revocation and PresentationBlacklist Authority• Public key private key , and revocation table
User uses the table to update ’s accumulator witness from the revocation tablePresentation• Normal U-Prove Presentation• Prove that is not accumulated (Non-Membership proof)
Timestamp
Operation Blacklist Accumulator
1 Add 2 Delete 3 Add
![Page 18: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/18.jpg)
OutlineAccumulators Definitions and Security Anonymous Revocation New schemeU-Prove Overview Revocation methods Revocation with the new accumulatorImplementation and Performance
![Page 19: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/19.jpg)
Software Design
Revocation API
AnonProof U-Prove Idemix
Accumulator API
Proof List
AccuFS
AccuGS Others
Application
Revocation
Method
![Page 20: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/20.jpg)
Software Design• Abstraction: Single definition of Revocation
API (for all revoking methods), Single definition of Accumulator API (for all accumulators).
• No Redundancy: Single implementation of Revocation using Accumulators.
• Extendibility: Easy to add new Accumulators or Applications.
• Changeability: Easy to switch among Accumulators or Revocation methods.
![Page 21: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/21.jpg)
PerformanceCompared with the only previous universal accumulator scheme ATSM
![Page 22: Accumulators and U-Prove Revocation](https://reader037.fdocuments.us/reader037/viewer/2022102819/56815f79550346895dce812f/html5/thumbnails/22.jpg)
Thanks and Questions