Book Chapter

Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials

18 Aug 2002-pp 61-76
TL;DR: This work provides a construction of a dynamic accumulator and an efficient zero-knowledge proof of knowledge of an accumulated value, and proves their security under the strong RSA assumption.
Abstract: We introduce the notion of a dynamic accumulator. An accumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dynamic accumulator and an efficient zero-knowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA assumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.


Citations
Journal Article
TL;DR: In this paper, the authors proposed a group signature scheme based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption.
Abstract: We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi.

1,562 citations

Proceedings Article
19 May 2013
TL;DR: Zerocoin is proposed, a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions and uses standard cryptographic assumptions and does not introduce new trusted parties or otherwise change the security model of Bitcoin.
Abstract: Bitcoin is the first e-cash system to see widespread adoption. While Bitcoin offers the potential for new types of financial interaction, it has significant limitations regarding privacy. Specifically, because the Bitcoin transaction log is completely public, users' privacy is protected only through the use of pseudonyms. In this paper we propose Zerocoin, a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions. Our system uses standard cryptographic assumptions and does not introduce new trusted parties or otherwise change the security model of Bitcoin. We detail Zerocoin's cryptographic construction, its integration into Bitcoin, and examine its performance both in terms of computation and impact on the Bitcoin protocol.

924 citations

Proceedings Article
25 Oct 2004
TL;DR: A short group signature scheme that supports Verifier-Local Revocation (VLR) and security of the group signature is based on the Strong Diffie-Hellman assumption and the Decision Linear assumption in bilinear groups.
Abstract: Group signatures have recently become important for enabling privacy-preserving attestation in projects such as Microsoft's ngscb effort (formerly Palladium). Revocation is critical to the security of such systems. We construct a short group signature scheme that supports Verifier-Local Revocation (VLR). In this model, revocation messages are only sent to signature verifiers (as opposed to both signers and verifiers). Consequently there is no need to contact individual signers when some user is revoked. This model is appealing for systems providing attestation capabilities. Our signatures are as short as standard RSA signatures with comparable security. Security of our group signature (in the random oracle model) is based on the Strong Diffie-Hellman assumption and the Decision Linear assumption in bilinear groups. We give a precise model for VLR group signatures and discuss its implications.

622 citations


Cites background from "Dynamic Accumulators and Applicatio..."

  • ...Revocation is critical to the security of such systems....

    [...]

  • ...To maintain user privacy it is desirable that the signatures not reveal the identity of the chip that issued them....

    [...]

Journal Article
TL;DR: This article provides the first comprehensive review of tracing apps' key attributes, including system architecture, data management, privacy, security, proximity estimation, and attack vulnerability, and presents an overview of many proposed tracing app examples.
Abstract: The recent outbreak of COVID-19 has taken the world by surprise, forcing lockdowns and straining public health care systems. COVID-19 is known to be a highly infectious virus, and infected individuals do not initially exhibit symptoms, while some remain asymptomatic. Thus, a non-negligible fraction of the population can, at any given time, be a hidden source of transmissions. In response, many governments have shown great interest in smartphone contact tracing apps that help automate the difficult task of tracing all recent contacts of newly identified infected individuals. However, tracing apps have generated much discussion around their key attributes, including system architecture, data management, privacy, security, proximity estimation, and attack vulnerability. In this article, we provide the first comprehensive review of these much-discussed tracing app attributes. We also present an overview of many proposed tracing app examples, some of which have been deployed countrywide, and discuss the concerns users have reported regarding their usage. We close by outlining potential research directions for next-generation app design, which would facilitate improved tracing and security performance, as well as wide adoption by the population at large.

510 citations


Cites methods from "Dynamic Accumulators and Applicatio..."

  • ...To hide the social graph construction by the server, apps from the centralised and hybrid categories have introduced additional measures (such as random, independent uploads of contact identifiers/EphIDs, maintaining separate upload and query identifiers, using zero knowledge proofs [37] to store anonymized social graph at the server [38] etc....

    [...]

References
Journal Article
Ran Canetti
TL;DR: In this article, the authors present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs, and show that, with respect to these definitions, security is preserved under a natural composition operation.
Abstract: We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural "subroutine substitution" operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, nonadaptive and adaptive adversaries, as well as the information-theoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.

1,523 citations

Book Chapter
Ronald Cramer, Victor Shoup
23 Aug 1998
TL;DR: In this paper, a new public key cryptosystem is proposed and analyzed, which is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. The scheme is also quite practical, and no previous cryptosystem in the literature enjoys both properties simultaneously.
Abstract: A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.

1,373 citations

Journal Article
Ronald Cramer, Victor Shoup
TL;DR: In this article, a new public key cryptosystem is proposed and analyzed, which is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. The scheme is also quite practical, and no previous cryptosystem in the literature enjoys both properties simultaneously.
Abstract: A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.

1,228 citations

Book Chapter
06 May 2001
TL;DR: This paper proposes a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones.
Abstract: A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

1,141 citations

Book Chapter
17 Aug 1997
TL;DR: This paper proposes the first group signature scheme whose public key and signatures have length independent of the number of group members, so it can be used for large groups, and which lets the group manager add new members without modifying the public key.
Abstract: A group signature scheme allows members of a group to sign messages on the group's behalf such that the resulting signature does not reveal their identity. Only a designated group manager is able to identify the group member who issued a given signature. Previously proposed realizations of group signature schemes have the undesirable property that the length of the public key is linear in the size of the group. In this paper we propose the first group signature scheme whose public key and signatures have length independent of the number of group members and which can therefore also be used for large groups. Furthermore, the scheme allows the group manager to add new members to the group without modifying the public key. The realization is based on methods for proving the knowledge of signatures.

881 citations


"Dynamic Accumulators and Applicatio..." refers background or methods in this paper

  • ...We use notation introduced by Camenisch and Stadler [13] for the various zero-knowledge proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms....

    [...]

  • ...This drawback is overcome by schemes where the size of the group's public key as well as the complexity of proving and verifying membership is independent of the number of members [13,21,12,1]....

    [...]

  • ...However, it is not hard to see how to add revocation for other schemes and systems that use some form of anonymous credentials (e.g., [5,11,12,10,13,21,23])....

    [...]