Accumulators and - PowerPoint Presentation

Slide1

Accumulators andU-Prove Revocation

Tolga

Acar

, Intel

Sherman S.M. Chow

, The Chinese University of Hong Kong

Lan Nguyen

, XCG – Microsoft ResearchSlide2

Outline

Accumulators

Definitions

and Security

Anonymous Revocation

New scheme

U-Prove

Overview

Revocation methods

Revocation with the new accumulator

Implementation and PerformanceSlide3

Accumulator Primitives

Accumulate:

Aggregate a set of elements into a single value

V

.

Non-Membership (NM) Proof:

Prove that an element

x

is NOT accumulated in

V

without

revealing any info about

x

.

Membership

Proof:

Prove that an element

x

is

accumulated

in

V

without revealing

any info about

x

.

Efficient Update

of

V

and Proofs’ Witnesses when the accumulated set changes.Slide4

Accumulator Security

Member Completeness:

x

is accumulated ⇒ Member proof accepts.

Member Soundness:

x

is not accumulated ⇒ Member proof rejects.

NM Completeness:

x

is not accumulated ⇒ NM proof accepts.

NM Soundness:

x

is accumulated ⇒ NM proof

rejects

.

Information hiding:

The proofs should be Zero-Knowledge or Witness Indistinguishable.Slide5

Revoking Anonymous Credentials

For

Blacklisting

Anonymous Credentials,

Accumulate

blacklisted elements in an

accumulator value.

NM Proof proves

that an element is not

accumulated

⇒

The element is not blacklisted.

NM Proof does not reveal the element

⇒

Privacy Protection

.

For

Whitelisting Anonymous Credentials, it is similar in the opposite way.Slide6

Accumulator Scheme – Setup

Bilinear pairing e:

where

and

are cyclic multiplicative groups, all of order prime

q

.

Setup

Private Key:

Public Key:

where

Optionally,

 Slide7

Accumulator Operations

Items to accumulate is a set

Accumulator value

Non-Membership Witness is

with

Compute

from

t

A new witness for

x

is computed or updated when a new

x‘

is accumulated or an accumulated

x’

is removed from the set SSimilar for Membership Witness

 Slide8

Efficient Accumulator NM Proof

Computations are moved from

and

to efficient

Prove

is

PoK

:

Instead of

To reduce pairingAdd to witnessHide by and , so

PoK

:

Efficiency gains

Prover

needs no pairing

Verifier needs 2 pairings to verify Similar for the Mem Proof.

 Slide9

Outline

Accumulators

Definitions

and Security

Anonymous Revocation

New scheme

U-Prove

Overview

Revocation methods

Revocation with the new accumulator

Implementation and PerformanceSlide10

U-ProveParticipants: Issuer, User (

Prover

), Service Provider (Verifier).

Issuing Protocol between Issuer and User

User obtains Tokens from Issuer

Token certifies attributes (Driver License, Age > 21,…)

Presentation Protocol between User and Service Provider

Users proves certain attributes to Service Provider

Service Provider learns nothing about other attributesSlide11

U-Prove Crypto

Issuing

Each token is a blind signature on a commitment of attributes

Re-Committing

to

is like a sealed envelop

Blind Signing

is like carbon paper

Extracting

from

is like opening envelop

PresentingShowing disclose attributesPoK of committed attributesVerifying the blind signatureDifferent presentations of the same token are linkable Slide12

Revocation in U-Prove

Four Methods

ID Exposure. It breaks privacy.

Force revoked user to reveal the ID (S/N or another attribute)

Credential Update. Not efficient.

Short validity time encoded in an attribute

Issuer periodically updates valid credentials for download

Credential Revocation Lists. Not efficient.

List

of proofs that the ID is not

in blacklisted items

Accumulators Use an accumulator to aggregate the IDsSlide13

Pros and Cons of using Accumulators

Advantages

Costs to generate and verify unrevoked credential proofs do

not depend on the blacklist’s size.

It works for both whitelisting

(membership proofs) and blacklisting (non-membership proofs).

Anonymous and

unlinkable

credentials

.

Disadvantages

Witness update is expensive.More complex.Slide14

Accumulator-Based Revocation Scheme

U-Prove integration is based on non-membership proof

Demo Scenario

Both User A and User P are issued U-Prove tokens.

User A is blacklisted, so

A

fails to update

NM Witness

⇒

User A can not generate anonymous proofs.

User P succeeds to update its NM Witness. ⇒ User P can generate valid anonymous proofs.Slide15

U-Prove Revocation ScenarioSlide16

Setup and Issuing

Use a revocation attribute (

rv

) to the U-Prove token.

Issuer

Public key:

Private key:

User

Token:

Private key:

Commitment  Slide17

Revocation and Presentation

Blacklist Authority

Public key

private key

, and revocation

table

User uses the table to update

’s

accumulator witness

from the

revocation table

PresentationNormal U-Prove PresentationProve that is not accumulated (Non-Membership proof) TimestampOperationBlacklistAccumulator1Add 2Delete

3

Add

Timestamp

Operation

Blacklist

Accumulator123Slide18

Outline

Accumulators

Definitions

and Security

Anonymous Revocation

New scheme

U-Prove

Overview

Revocation methods

Revocation with the new accumulator

Implementation and PerformanceSlide19

Software Design

Revocation API

AnonProof

U-Prove

Idemix

Accumulator API

Proof List

AccuFS

AccuGS

Others

Application

RevocationMethodSlide20

Software Design

Abstraction

:

Single definition of Revocation API (for all revoking methods), Single definition of Accumulator API (for all accumulators).

No Redundancy

:

Single implementation of Revocation using Accumulators

.

Extendibility

: Easy to add new Accumulators or Applications.

Changeability

: Easy to switch among Accumulators or Revocation methods.Slide21

Performance

Compared with the only previous universal accumulator scheme ATSMSlide22

Thanks and Questions