Accumulators and U-Prove Revocation
Tolga Acar, Intel
Sherman S.M. Chow, The Chinese University of Hong Kong
Lan Nguyen, XCG – Microsoft Research
Outline
Accumulators
Definitions and Security
Anonymous Revocation
New scheme
U-Prove
Overview
Revocation methods
Revocation with the new accumulator
Implementation and Performance
Accumulator Primitives
• Accumulate: Aggregate a set of elements into a single value V.
• Non-Membership (NM) Proof: Prove that an element x is NOT accumulated in V without revealing any info about x.
• Membership Proof: Prove that an element x is accumulated in V without revealing any info about x.
• Efficient Update of V and Proofs' Witnesses when the accumulated set changes.
Accumulator Security
• Member Completeness: x is accumulated ⇒ Member proof accepts.
• Member Soundness: x is not accumulated ⇒ Member proof rejects.
• NM Completeness: x is not accumulated ⇒ NM proof accepts.
• NM Soundness: x is accumulated ⇒ NM proof rejects.
• Information hiding: The proofs should be Zero-Knowledge or Witness Indistinguishable.
Revoking Anonymous Credentials
For Blacklisting Anonymous Credentials,
• Accumulate blacklisted elements in an accumulator
value.
• NM Proof proves that an element is not accumulated
⇒ The element is not blacklisted.
• NM Proof does not reveal the element
⇒ Privacy Protection.
Whitelisting Anonymous Credentials works the same way in reverse, using membership proofs.
Accumulator Scheme – Setup
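Bilinear pairing $e: \mathcal{G}_1 \times \mathcal{G}_2 \to \mathcal{G}_T$ where $\mathcal{G}_1 = \langle P_1 \rangle$, $\mathcal{G}_2 = \langle P_2 \rangle$ and $\mathcal{G}_T$ are cyclic multiplicative groups, all of prime order $q$.
Setup
Private Key: $\delta \in Z_q$
Public Key: $pk_a = (q, \mathcal{G}_1, \mathcal{G}_2, \mathcal{G}_T, e, P_1, P_2, P_{pub}, G, H, K)$ where $P_{pub} = P_2^{\delta}$, $K = H^{\delta} \in \mathcal{G}_1$
Optionally, $t = (P_1, P_1^{\delta}, P_1^{\delta^2}, \ldots, P_1^{\delta^k})$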
Accumulator Operations
• The items to accumulate form a set $S = \{x_1, \ldots, x_m\} \subset Z_q \setminus \{-\delta\}$, $m \le k$
• Accumulator value $V = P_1^{\prod_{i=1}^{m} (\delta + x_i)}$
• Non-Membership Witness is $(W, d, Q)$ with
  $W = P_1^{\left(\prod_{i=1}^{m} (\delta + x_i) - d\right) / (\delta + x)}$
  Compute $P_1^{a_{m-1}\delta^{m-1} + a_{m-2}\delta^{m-2} + \cdots + a_0\delta^{0}}$ from $t$
  $d = \prod_{i=1}^{m} (\delta + x_i) \bmod (\delta + x)$
  $Q = V W^{-x} P_1^{-d}$
• A new witness for x is computed or updated when a new x' is accumulated or an accumulated x' is removed from the set S
• Similar for Membership Witness
Efficient Accumulator NM Proof
Computations are moved from 𝒢𝑇 and 𝒢2 to efficient 𝒢1
• Proving $x \notin S$ is PoK $(W, d, x)$: $V = W^{\delta + x} P_1^{d} \wedge d \neq 0$
• Instead of $e(W, P_2^{x} P_{pub})\, e(P_1, P_2)^{d} = e(V, P_2) \wedge d \neq 0$
To reduce pairings
• Add $Q = W^{\delta}$ to witness
• Hide $Q, W$ by $Y = Q K^{t}$ and $X = W H^{t}$, so $Y = X^{\delta}$
• PoK $(t, d, x)$: $V Y^{-1} = X^{x} H^{-tx} K^{-t} P_1^{d} \wedge e(X, P_{pub}) = e(Y, P_2) \wedge d \neq 0$
Efficiency gains
• Prover needs no pairing
• Verifier needs 2 pairings to verify $e(X, P_{pub}) = e(Y, P_2)$
Similar for the Mem Proof.
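Added example (not from the slides or the authors' implementation): a Python check of the non-membership witness algebra above, computing (W, d, Q) from the public tuple t by polynomial division and then checking the blinded relation. It assumes "mod (δ + x)" is the polynomial remainder in δ, so d = ∏(x_i − x) mod q; the toy order-q subgroup of Z_p^* standing in for 𝒢1, all parameter values and all function names are constructed, and the pairing check is replaced by a direct Y = X^δ test that uses δ.

```python
from math import prod

# Toy stand-in for G1: order-q subgroup of Z_p^*, p = 2q + 1 (constructed, insecure size).
q, p = 1019, 2039
P1, H = 4, 9                       # elements of order q (squares mod p)
delta = 777                        # authority's private key (constructed)
K = pow(H, delta, p)               # K = H^delta
t = [pow(P1, pow(delta, j, q), p) for j in range(9)]   # public (P1^{delta^j}), k = 8

def poly_from_roots(S):
    """Coefficients, low to high mod q, of f(y) = prod(y + x_i)."""
    c = [1]
    for xi in S:
        c = [((c[j - 1] if j else 0) + xi * (c[j] if j < len(c) else 0)) % q
             for j in range(len(c) + 1)]
    return c

def in_exponent(coeffs):
    """P1^{sum a_j delta^j}, computed from t without knowing delta."""
    return prod(pow(t[j], a, p) for j, a in enumerate(coeffs)) % p

def accumulate(S):
    return in_exponent(poly_from_roots(S))

def nm_witness(S, x):
    """(W, d, Q) for x from public values: divide f(y) by (y + x)."""
    a, carry = [], 0
    for b in reversed(poly_from_roots(S)):     # synthetic division, root -x
        carry = (b - x * carry) % q
        a.append(carry)
    d = a.pop()                                # remainder f(-x) = prod(x_i - x)
    W = in_exponent(a[::-1])                   # quotient a_0 .. a_{m-1}
    Q = accumulate(S) * pow(W, -x, p) * pow(P1, -d, p) % p
    return W, d, Q

def blind(W, Q, r):
    """X = W H^r, Y = Q K^r (r is the blinding value the slide calls t)."""
    return W * pow(H, r, p) % p, Q * pow(K, r, p) % p

def nm_statement_holds(V, X, Y, r, d, x):
    """The relation the PoK proves, checked in the clear. Y == X^delta stands in
    for the pairing check e(X, Ppub) = e(Y, P2), which a verifier runs without delta."""
    rhs = pow(X, x, p) * pow(H, -r * x, p) * pow(K, -r, p) * pow(P1, d, p) % p
    return V * pow(Y, -1, p) % p == rhs and Y == pow(X, delta, p) and d != 0
```

For an accumulated x the division leaves d = 0, so the same relation holds algebraically but the d ≠ 0 clause rejects it.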
U-Prove
Participants: Issuer, User (Prover), Service Provider (Verifier).
Issuing Protocol between Issuer and User
• User obtains Tokens from Issuer
• Token certifies attributes (Driver License, Age > 21,…)
Presentation Protocol between User and Service Provider
• User proves certain attributes to Service Provider
• Service Provider learns nothing about other attributes
U-Prove Crypto
Issuing
• Each token is a blind signature on a commitment of attributes $h = (g_0 \, g_1^{x_1} \cdots g_n^{x_n})^{\alpha}$
• Re-Committing $h$ to $h'$ is like a sealed envelope
• Blind Signing $Sign(h')$ is like carbon paper
• Extracting $Sign(h)$ from $Sign(h')$ is like opening the envelope
Presenting
• Showing disclosed attributes
• PoK of committed attributes
• Verifying the blind signature
Different presentations of the same token are linkable
Revocation in U-Prove
Four Methods
• ID Exposure. It breaks privacy.
  Force revoked user to reveal the ID (S/N or another attribute)
• Credential Update. Not efficient.
  Short validity time encoded in an attribute
  Issuer periodically updates valid credentials for download
• Credential Revocation Lists. Not efficient.
  List of proofs that the ID is not in blacklisted items
• Accumulators
  Use an accumulator to aggregate the IDs
Pros and Cons of using Accumulators
Advantages
• Costs to generate and verify unrevoked credential proofs
do not depend on the blacklist’s size.
• It works for both whitelisting (membership proofs) and
blacklisting (non-membership proofs).
• Anonymous and unlinkable credentials.
Disadvantages
• Witness update is expensive.
• More complex.
Accumulator-Based Revocation Scheme
U-Prove integration is based on non-membership proof
Demo Scenario
• Both User A and User P are issued U-Prove tokens.
• User A is blacklisted, so A fails to update NM Witness
  ⇒ User A cannot generate anonymous proofs.
• User P succeeds in updating its NM Witness.
  ⇒ User P can generate valid anonymous proofs.
U-Prove Revocation Scenario
Setup and Issuing
Add a revocation attribute (rv) to the U-Prove token.
Issuer
• Public key: $\mathrm{desc}(G_q), g_0, g_1, \ldots, g_{rv}, \ldots, g_n$
• Private key: $y_0 \in Z_q$
User
• Token: $UID_P, h, TI, PI, \sigma_z', \sigma_c', \sigma_r'$
• Private key: $\alpha^{-1} \in Z_q^{*}$
• Commitment $h = (g_0 \, g_1^{x_1} \cdots g_{rv}^{x_{rv}} \cdots g_n^{x_n})^{\alpha}$
Revocation and Presentation
Blacklist Authority
• Public key $pk_a$, private key $\delta$, and revocation table

Timestamp | Operation                            | Blacklist                              | Accumulator
1         | Add $x_{rv1}, x_{rv2}, x_{rv3}$      | $x_{rv1}, x_{rv2}, x_{rv3}$            | $V_1, V_2, V_3$
2         | Delete $x_{rv2}$                     | $x_{rv1}, x_{rv3}$                     | $V_4$
3         | Add $x_{rv4}, x_{rv5}$               | $x_{rv1}, x_{rv3}, x_{rv4}, x_{rv5}$   | $V_5, V_6$

User uses the revocation table to update the accumulator witness $(W, d, Q)$ for $x_{rv}$
Presentation
• Normal U-Prove Presentation
• Prove that $x_{rv}$ is not accumulated (Non-Membership proof)
Software Design
[Diagram: software layers. Labels: Application (AnonProof, U-Prove, Idemix); Revocation API; Revocation Method; Proof List; Accumulator API; AccuFS; AccuGS; Others]
Software Design
• Abstraction: Single definition of Revocation API (for all revoking methods), Single definition of Accumulator API (for all accumulators).
• No Redundancy: Single implementation of Revocation using Accumulators.
• Extendibility: Easy to add new Accumulators or Applications.
• Changeability: Easy to switch among Accumulators or Revocation methods.
Performance
Compared with the only previous universal accumulator scheme ATSM
Thanks and Questions