## An efficient system for non-transferable anonymous credentials with optional anonymity revocation (2001)

Citations: 226 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Lysyanskaya01anefficient,
  author    = {Anna Lysyanskaya},
  title     = {An efficient system for non-transferable anonymous credentials with optional anonymity revocation},
  booktitle = {},
  year      = {2001},
  pages     = {93--118},
  publisher = {Springer}
}
```


### Abstract

A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once gives him the ability to use all of her credentials, i.e., to take over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

### Citations

1216 | A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms - ElGamal - 1985
Citation context: ...roof can be found in the full version of this paper [12]). Theorem 4. If G is semantically secure, G′ is circular-secure. As a basis for our circular encryption scheme, we use the ElGamal encryption [27] in some G = 〈g〉. It is easy to see that the ElGamal cryptosystem is semantically secure under the decisional Diffie-Hellman assumption. Let P = g^x be a public key. The resulting circular encryption ...

1080 | The Knowledge Complexity of Interactive Proof Systems - Goldwasser, Micali, et al.
Citation context: ... that n_{O_i} is the product of two safe primes (see [13] for how this can be done efficiently) and that the elements a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i} are indeed in QR_{n_{O_i}} (see, for example, Goldwasser et al. [31]). Alternatively, this can be carried out in the random oracle model using the Fiat-Shamir heuristic [28]. The parameter ℓ_Λ should be chosen such that computing discrete logarithms in QR_{n_{O_i}} with ℓ_Λ-b...

881 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1987
Citation context: ...a proof protocol can be described by just pointing out its aim while hiding all details. In the random oracle model, such protocols can be turned into signature schemes using the Fiat-Shamir heuristic [28]. We use the notation SPK{(α) : y = g^α}(m) to denote a signature obtained in this way. It is important that we use protocols that are concurrent zero-knowledge. They are characterized by remaining z...

525 | Undeniable signatures - Chaum, Antwerpen - 1990
Citation context: ...these schemes need to share the same discrete logarithm group. The concept of revocable anonymity is found in electronic payment systems (e.g., [9, 37]) and group signature and identity escrow (e.g., [2, 14, 20, 33]) schemes. Prior to our work, the problem of constructing a practical system with multiple-use credentials eluded researchers for some time [8, 21, 25, 34]. We solve it by extending ideas found in the ...

476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup
Citation context: ...rieve the identity of the user. In the sequel we describe how the protocols for proving possession of a credential must be adapted such that local revocation is possible using Cramer-Shoup encryption [22]. We then discuss global revocation. We remark that it can be decided at the time when the possession of a credential is proved whether local and/or global revocation shall be possible for the transac...

455 | Blind signatures for untraceable payments - Chaum - 1983
Citation context: ...the verifier and the organization then both know the credential and thus can link the transaction to the user's pseudonym. Traditionally, this problem has been solved using so-called blind signatures [17]. Here, we provide a novel and alternative way to approach this problem, i.e., instead of blinding the signer we blind the verifier. In the sequel we describe the general idea, the changes to the prot...

442 | Security without identification: Transaction systems to make big brother obsolete - Chaum - 1985
Citation context: ...s problem, an application that allows the individual to control the dissemination of personal information is needed. An anonymous credential system (also called pseudonym system), introduced by Chaum [18], is the best known idea for such a system. In this paper, we propose a new efficient anonymous credential system, considerably superior to previously proposed ones. The communication and computation ...

411 | Security and composition of multiparty cryptographic protocols - Canetti - 2000
Citation context: ...]. Our contribution. In Section 2 we present our definitions for a credential system with the basic properties. Although not conceptually new and inspired by the literature on multi-party computation [15, 16] and reactive systems [36], these definitions are of interest, as our treatment is more formal than the one usually encountered in the literature on credential and electronic cash systems. We omit for...

285 | Efficient group signature schemes for large groups - Camenisch, Stadler - 1997
Citation context: ...these schemes need to share the same discrete logarithm group. The concept of revocable anonymity is found in electronic payment systems (e.g., [9, 37]) and group signature and identity escrow (e.g., [2, 14, 20, 33]) schemes. Prior to our work, the problem of constructing a practical system with multiple-use credentials eluded researchers for some time [8, 21, 25, 34]. We solve it by extending ideas found in the ...

254 | A practical and provably secure coalition-resistant group signature scheme - Ateniese, Camenisch, et al.
Citation context: ...these schemes need to share the same discrete logarithm group. The concept of revocable anonymity is found in electronic payment systems (e.g., [9, 37]) and group signature and identity escrow (e.g., [2, 14, 20, 33]) schemes. Prior to our work, the problem of constructing a practical system with multiple-use credentials eluded researchers for some time [8, 21, 25, 34]. We solve it by extending ideas found in the ...

246 | Optimistic fair exchange of digital signatures - Asokan, Shoup, et al. - 2000
Citation context: ... v, z) := (P^{r2} r1, g^{r2}, H(r1) ⊕ m). Decryption works by computing H(u/v^x) ⊕ z. We denote this encryption scheme by CElG. 6.2 Verifiable Encryption with a Committed Public Key. Verifiable encryption [1, 10] is a protocol between a prover and a verifier such that as a result of the protocol, on input public key E and value v, the verifier obtains an encryption e of some value s under E such that (s, v) ...

233 | Untraceable Off-line Cash in Wallets with Observers - Brands - 1993
Citation context: ... double-users is required. This could for instance be achieved using revocation as described in the previous section, or using similar techniques that are used for anonymous off-line e-cash (e.g., [7]). We now describe how the latter can be done such that using a one-show credential twice would expose the user's secret keys connected with the corresponding pseudonym. Together with (any kind of) no...

233 | Rethinking public key infrastructures and digital certificates - Brands - 2000
Citation context: ...user, apart from the fact of the user's ownership of some set of credentials, even if it cooperates with other organizations. In particular, two pseudonyms belonging to the same user cannot be linked [8, 18, 19, 21, 25, 34]. Finally, it is desirable that the system be efficient. Besides requiring that it be based on efficient protocols, we also require that each interaction involve as few entities as possible, and the r...

161 | Signature Schemes Based on the Strong RSA Assumption - Cramer, Shoup
Citation context: ...ting a practical system with multiple-use credentials eluded researchers for some time [8, 21, 25, 34]. We solve it by extending ideas found in the constructions of strong-RSA-based signature schemes [23, 30] and group signature schemes [2]. Our contribution. In Section 2 we present our definitions for a credential system with the basic properties. Although not conceptually new and inspired by the literat...

161 | Blind signatures for untraceable payments

160 | Efficient proofs that a committed number lies in an interval - Boudot - 2000

145 | Composition and integrity preservation of secure reactive systems - Pfitzmann, Waidner - 2000
Citation context: ...n 2 we present our definitions for a credential system with the basic properties. Although not conceptually new and inspired by the literature on multi-party computation [15, 16] and reactive systems [36], these definitions are of interest, as our treatment is more formal than the one usually encountered in the literature on credential and electronic cash systems. We omit formal definitions for a cred...

139 | Fast batch verification for modular exponentiation and digital signatures - Bellare, Garay, et al. - 1998
Citation context: ...bility: when using RSA moduli of length 1024 bits, establishing a pseudonym is somewhat less efficient: it takes about 200 exponentiations in Z*_n for both parties, but batch-verification techniques [4] could be applied to reduce this, and organizations have to store about 25K bits per user (here computation complexity could be traded against storage). All-or-nothing non-transferability is based on ...

135 | Statistical zero knowledge protocols to prove modular polynomial relations - Fujisaki, Okamoto - 1997
Citation context: ...oup of quadratic residues modulo a composite n, i.e., G = QR_n. This choice for the underlying group has some consequences. First, the protocols are proofs of knowledge under the strong RSA assumption [29]. Second, the largest possible value of the challenge c must be smaller than the smallest factor of G's order. Third, soundness needs special attention in the case that the verifier is not equipped wi...

130 | Proving in zero-knowledge that a number is the product of two safe primes - Camenisch, Michels - 1999

130 | Secure hash-and-sign signatures without the random oracle - Gennaro, Halevi, et al. - 1999
Citation context: ...ting a practical system with multiple-use credentials eluded researchers for some time [8, 21, 25, 34]. We solve it by extending ideas found in the constructions of strong-RSA-based signature schemes [23, 30] and group signature schemes [2]. Our contribution. In Section 2 we present our definitions for a credential system with the basic properties. Although not conceptually new and inspired by the literat...

123 | Pseudonym systems - Lysyanskaya, Rivest, et al. - 1999
Citation context: ...ntroducing almost no overhead to realizing privacy in a credential system. ⋆ This research was carried out while the author was visiting IBM Zürich Research Laboratory. An anonymous credential system [18, 19, 21, 25, 34] consists of users and organizations. Organizations know the users only by pseudonyms. Different pseudonyms of the same user cannot be linked. Yet, an organization can issue a credential to a pseudony...

114 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model - Damgård
Citation context: ...hat are concurrent zero-knowledge. They are characterized by remaining zero-knowledge even if several instances of the same protocol are run arbitrarily interleaved. In the public key model, Damgård [24] shows a general technique for making the so-called Σ-protocols (these include all the proofs of knowledge used here) composable under concurrent composition without incurring a penalty in communicati...

99 | Key-privacy in public-key encryption - Bellare, Boldyreva, et al. - 2001
Citation context: ...pendently of and concurrently with our work, Black et al. [5] proposed symmetric encryption schemes for key-dependent messages (which is what we call circular symmetric encryption) and Bellare et al. [3] studied key-private encryption (which is what we call key-oblivious encryption). 6.1 Circular Encryption. Definition 2. Let n, m ∈ poly(k). A semantically secure encryption scheme G = (E, D) is circul...

94 | Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation - Camenisch, Lysyanskaya - 2001

85 | The notion of security for probabilistic cryptosystems - Micali, Rackoff, et al. - 1988
Citation context: ... problems: First, the approach requires that each user encrypts each of her secret keys D_i under one of her public keys E_j, thereby creating "circular encryptions". However, the canonical definitions [35] of secure encryption do not provide security for such encryptions. Moreover, it is not known whether circular security is possible under general assumptions. Nevertheless, we introduce in this sectio...

82 | Studies in Secure Multiparty Computation and Applications - Canetti - 1995
Citation context: ...]. Our contribution. In Section 2 we present our definitions for a credential system with the basic properties. Although not conceptually new and inspired by the literature on multi-party computation [15, 16] and reactive systems [36], these definitions are of interest, as our treatment is more formal than the one usually encountered in the literature on credential and electronic cash systems. We omit for...

80 | Trustee-based tracing extensions to anonymous cash and the making of anonymous change - Brickell, Gemmell, et al. - 1995
Citation context: ...that all the users and the certification authorities in these schemes need to share the same discrete logarithm group. The concept of revocable anonymity is found in electronic payment systems (e.g., [9, 37]) and group signature and identity escrow (e.g., [2, 14, 20, 33]) schemes. Prior to our work, the problem of constructing a practical system with multiple-use credentials eluded researchers for some ti...

77 | Separability and efficiency for generic group signature schemes - Camenisch, Michels - 1999

75 | Identity Escrow - Kilian, Petrank - 1998

65 | Fair blind signatures - Stadler, Piveteau, et al. - 1995
Citation context: ...that all the users and the certification authorities in these schemes need to share the same discrete logarithm group. The concept of revocable anonymity is found in electronic payment systems (e.g., [9, 37]) and group signature and identity escrow (e.g., [2, 14, 20, 33]) schemes. Prior to our work, the problem of constructing a practical system with multiple-use credentials eluded researchers for some ti...

54 | A secure and privacy-protecting protocol for transmitting personal information between organizations - Chaum, Evertse - 1987
Citation context: ...ntroducing almost no overhead to realizing privacy in a credential system. ⋆ This research was carried out while the author was visiting IBM Zürich Research Laboratory. An anonymous credential system [18, 19, 21, 25, 34] consists of users and organizations. Organizations know the users only by pseudonyms. Different pseudonyms of the same user cannot be linked. Yet, an organization can issue a credential to a pseudony...

48 | Efficient group signature schemes for large groups - Camenisch, Stadler - 1997

46 | Payment Systems and Credential Mechanism with Provable Security Against Abuse by Individuals - Damgård - 1988
Citation context: ...ntroducing almost no overhead to realizing privacy in a credential system. ⋆ This research was carried out while the author was visiting IBM Zürich Research Laboratory. An anonymous credential system [18, 19, 21, 25, 34] consists of users and organizations. Organizations know the users only by pseudonyms. Different pseudonyms of the same user cannot be linked. Yet, an organization can issue a credential to a pseudony...

44 | Group signatures - Chaum, van Heyst - 1991

36 | Access with Pseudonyms - Chen - 1995

26 | Digital Signets: Self-Enforcing Protection of Digital Information - Dwork, Lotspiech, et al. - 1996
Citation context: ...d non-transferability. That is, sharing a credential implies also sharing a particular, valuable secret key from outside the system (e.g., the secret key that gives access to the user's bank account) [26, 32, 34]. However, such a valuable key does not always exist. Thus we introduce an alternative, novel way of achieving this: all-or-nothing non-transferability. Here, sharing just one pseudonym or credential ...

26 | Untraceable off-line cash in wallets with observers (extended abstract) - Brands

25 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations - Chaum, Evertse, van de Graaf - 1988

20 | Wallet Databases with Observers (extended abstract) - Chaum, Pedersen - 1992

18 | Composition and integrity preservation of secure reactive systems - Pfitzmann, Waidner - 2000

17 | Electronic cash systems based on the representation problem in groups of prime order - Brands - 1993

17 | Self-delegation with controlled propagation, or, what if you lose your laptop - Goldreich, Pfitzmann, et al. - 1998

17 | Identity escrow - Kilian, Petrank - 1998

14 | Security without Identification: Transaction Systems to Make Big Brother Obsolete - Chaum

11 | Verifiable encryption and applications to group signatures and signature sharing - Camenisch, Damgård - 1998
Citation context: ...ion of this and show that our circular encryption scheme satisfies it. Third, the encryption must be verifiable. To this end we review the verifiable encryption protocol due to Camenisch and Damgård [10] and adapt it to suit our needs. Specifically, we want to enable verification without revealing the public key. We provide a verification method involving a committed public key, so that by inspecting...

8 | Fast batch verification for modular exponentiation and digital signatures - Bellare, Garay, et al. - 1998

7 | Encryption scheme security in the presence of key-dependent messages - Black, Rogaway, et al. - 2002
Citation context: ...itted public key, so that by inspecting this verifiable encryption, an adversary would not be able to discover the underlying public key. Independently of and concurrently with our work, Black et al. [5] proposed symmetric encryption schemes for key-dependent messages (which is what we call circular symmetric encryption) and Bellare et al. [3] studied key-private encryption (which is what we call key...

7 | Digital signets: Self-enforcing protection of digital information (preliminary version) - Dwork, Lotspiech, Naor - 1996

4 | Self-delegation with controlled propagation, or, what if you lose your laptop - Goldreich, Pfitzmann, et al. - 1998
Citation context: ...d non-transferability. That is, sharing a credential implies also sharing a particular, valuable secret key from outside the system (e.g., the secret key that gives access to the user's bank account) [26, 32, 34]. However, such a valuable key does not always exist. Thus we introduce an alternative, novel way of achieving this: all-or-nothing non-transferability. Here, sharing just one pseudonym or credential ...