Formal Treatment of Privacy-Enhancing Credential Systems

Camenisch, Jan; Krenn, Stephan; Lehmann, Anja; Mikkelsen, Gert Læssøe; Neven, Gregory; Pedersen, Michael Østergaard

doi:10.1007/978-3-319-31301-6_1

Cited by 35 publications

(35 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…None of these schemes is (universally) composable. Camenisch et al [27] have recently proposed property-based definitions of anonymous credentials and of the necessary building blocks, given a construction and proved it secure. Their definitions turn out to be rather complex, indicating that for complex systems functionality-based definitions might be easier to handle.…”

Section: Introductionmentioning

confidence: 99%

Composable and Modular Anonymous Credentials: Definitions and Practical Constructions

Camenisch

Dubovitskaya

Haralambiev

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

It takes time for theoretical advances to get used in practical schemes. Anonymous credential schemes are no exception. For instance, existing schemes suited for real-world use lack formal, composable definitions, partly because they do not support straight-line extraction and rely on random oracles for their security arguments. To address this gap, we propose unlinkable redactable signatures (URS), a new building block for privacy-enhancing protocols, which we use to construct the first efficient UC-secure anonymous credential system that supports multiple issuers, selective disclosure of attributes, and pseudonyms. Our scheme is one of the first such systems for which both the size of a credential and its presentation proof are independent of the number of attributes issued in a credential. Moreover, our new credential scheme does not rely on random oracles. As an important intermediary step, we address the problem of building a functionality for a complex credential system that can cover many different features. Namely, we design a core building block for a single issuer that supports credential issuance and presentation with respect to pseudonyms and then show how to construct a full-fledged credential system with multiple issuers in a modular way. We expect this definitional approach to be of independent interest.

show abstract

Section: Introductionmentioning

confidence: 99%

Composable and Modular Anonymous Credentials: Definitions and Practical Constructions

Camenisch

Dubovitskaya

Haralambiev

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…As identified in the work of Camenisch et al [15], an important feature to handle the dynamic nature of the set of users of a credential system is the possibility of revoking the credentials of some parties. Although our model does not directly support such a functionality, we can leverage the expressiveness of functional credentials in order to achieve it.…”

Section: Discussionmentioning

confidence: 99%

Functional Credentials

Deuber

Maffei

Malavolta

et al. 2018

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Abstract:A functional credential allows a user to anonymously prove possession of a set of attributes that fulfills a certain policy. The policies are arbitrary polynomially computable predicates that are evaluated over arbitrary attributes. The key feature of this primitive is the delegation of verification to third parties, called designated verifiers. The delegation protects the privacy of the policy: A designated verifier can verify that a user satisfies a certain policy without learning anything about the policy itself. We illustrate the usefulness of this property in different applications, including outsourced databases with access control. We present a new framework to construct functional credentials that does not require (non-interactive) zero-knowledge proofs. This is important in settings where the statements are complex and thus the resulting zero-knowledge proofs are not efficient. Our construction is based on any predicate encryption scheme and the security relies on standard assumptions. A complexity analysis and an experimental evaluation confirm the practicality of our approach.

show abstract

“…In order to make our construction usable in the definitional framework of Camenisch et al [28], we assume common public parameters (i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments to the witnesses.…”

Section: Protocols For Signing a Committed Value And Provingmentioning

confidence: 99%

“…The first efficient constructions were given by Camenisch and Lysyanskaya under the Strong RSA assumption [29,31] or using bilinear groups [32]. Other solutions were subsequently given with additional useful properties such as noninteractivity [10], delegatability [9], a better efficiency in the private key setting [36], or support for efficient attributes [25] (see [28] and references therein). Anonymous credentials with attributes are often obtained by having the issuer obliviously sign a multi-block message (Msg 1 , .…”

Section: Introductionmentioning

confidence: 99%

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Libert

Ling

Mouhartem

et al. 2016

Lecture Notes in Computer Science

111

127

View full text Add to dashboard Cite

A recent line of works-initiated by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010)-gave lattice-based realizations of privacy-preserving protocols allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions remain limited to static populations of users, which cannot be dynamically updated. For example, none of the existing lattice-based group signatures seems easily extendable to the more realistic setting of dynamic groups. This work provides new tools enabling the design of anonymous authentication systems whereby new users can register and obtain credentials at any time. Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction, which builds on the lattice-based signature of Böhl et al. (Eurocrypt'13), is well-suited to the design of anonymous credentials and dynamic group signatures. As a second technical contribution, we provide a simple, round-optimal joining mechanism for introducing new members in a group. This mechanism consists of zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. This method provides similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, it allows group members to generate their public key on their own without having to prove knowledge of the underlying secret key. This results in a two-round join protocol supporting concurrent enrollments, which can be used in other settings such as group encryption.

show abstract

Formal Treatment of Privacy-Enhancing Credential Systems

Cited by 35 publications

References 20 publications

Composable and Modular Anonymous Credentials: Definitions and Practical Constructions

Composable and Modular Anonymous Credentials: Definitions and Practical Constructions

Functional Credentials

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Contact Info

Product

Resources

About