Efficient Revocation of Anonymous Group Membership Certificates and Anonymous Credentials

An accumulator scheme, introduced be Benaloh and de Mare [BdM94] and further studied by Barić and Pfitzmann [BP97], is an algorithm that allows to hash a large set of inputs into one short value, called the accumulator, such that there is a short witness that a given input was incorporated into the accumulator. We put forward the notion of dynamic accumulators, i.e., a method that allows to dynamically add and delete inputs from the accumulator, such that the cost of an add or delete is independent on the number of accumulated values. We achieve this under the strong RSA assumption. For this construction, we also show an efficient zero-knowledge protocol for proving that a committed value is in the accumulator. In turn, our construction of dynamic accumulator enables efficient membership revocation in the anonymous setting. This method applies to membership revocation in group signature schemes, such as the one due to Ateniese et al. [ACJT00], and efficient revocation of credentials in anonymous credential systems, such as the one due to Camenisch and Lysyanskaya [CL01]. Using our method, allowing revocation does not alter the complexity of any operations of the underlying schemes. In particular, the cost of a group signature verification or credential showing increases by only a small constant factor, less than 2. All previously known methods (such as the ones due to Bresson and Stern [BS01] and Ateniese and Tsudik [AT01]) incurred an increase in these costs that was linear in the number of members.