Accumulators and U-Prove Revocation
نویسندگان
چکیده
This work introduces the most efficient universal accumulator known today. For the first time, we have an accumulator which does not depend on hidden order groups, does not require any exponentiations in the target group associated with the pairing function, and only requires two pairings to verify a proof-of-knowledge of a witness. We present implementations of our accumulator and another recent proposal utilizing Groth-Sahai proofs, with performance results. Our implementations are designed with cryptography agility in mind. We then build a library for revoking anonymous credentials using any accumulators, and integrated it with Microsoft U-Prove, which has a significant contribution to an European Union’s privacy standardization effort. Our work enables U-Prove revocation without compromising untraceability.
منابع مشابه
An Overlooked Cryptographic Requirement for NSTIC
NSTIC [1] calls for the deployment of privacy-friendly (PF) credentials (based on privacy-enhancing technologies) on the Web. Since this has never been suc cessfully accomplished before, it should be considered an emerging application of cryptography. Most PF credentials are designed for issuance-show and multi-show unlinkabil ity (with the notable exception of U-Prove, which does not provide...
متن کاملUniversal Accumulators with Efficient Nonmembership Proofs
Based on the notion of accumulators, we propose a new cryptographic scheme called universal accumulators. This scheme enables one to commit to a set of values using a short accumulator and to efficiently compute a membership witness of any value that has been accumulated. Unlike traditional accumulators, this scheme also enables one to efficiently compute a nonmembership witness of any value th...
متن کاملDynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials
We introduce the notion of a dynamic accumulator. An accumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a ...
متن کاملAccumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation
We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow sc...
متن کاملPractical backward unlinkable revocation in FIDO, German e-ID, Idemix and U-Prove
FIDO, German e-ID, Idemix and U-Prove constitute privacyenhanced public-key infrastructures allowing users to authenticate in an anonymous way. This however hampers timely revocation in a privacy friendly way. From a legal perspective, revocation typically should be effective within 24 hours after user reporting. It should also be backward unlinkable, i.e. user anonymity cannot be removed after...
متن کامل