Non-interactive Keyed-Verification Anonymous Credentials

Couteau, Geoffroy; Reichle, Michael

doi:10.1007/978-3-030-17253-4_3

Cited by 7 publications

(3 citation statements)

References 37 publications

(103 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Anonymous credentials and their constructions come in many flavours [4,24,41], and not all rely on prime order groups alone. Some use pairing groups and some use hidden order groups.…”

Section: Anonymous Credentialsmentioning

confidence: 99%

Sharp

Couteau

Goudarzi²,

Klooß³

et al. 2022

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

We provide optimized range proofs, called Sharp, in discrete logarithm and hidden order groups, based on square decomposition. In the former setting, we build on the paradigm of Couteau et al. (Eurocrypt '21) and optimize their range proof (from now on, CKLR) in several ways: (1) We introduce batching via vector commitments and an adapted Σ-protocol. (2) We introduce a new group switching strategy to reduce communication. (3) As repetitions are necessary to instantiate CKLR in standard groups, we provide a novel batch shortness test that allows for cheaper repetitions. The analysis of our test is nontrivial and forms a core technical contribution of our work. For example, for 𝜆 = 128 bit security and 𝐵 = 64 bit ranges for 𝑁 = 1 (resp. 𝑁 = 8) proof(s), we reduce the proof size by 34% (resp. 75%) in arbitrary groups, and by 66% (resp. 88%) in groups of order 256-bit, compared to CKLR.As Sharp and CKLR proofs satisfy a "relaxed" notion of security, we show how to enhance their security with one additional hidden order group element. In RSA groups, this reduces the size of state of the art range proofs (Couteau et al., Eurocrypt '17) by 77% (𝜆 = 128, 𝐵 = 64, 𝑁 = 1).Finally, we implement our most optimized range proof. Compared to the state of the art Bulletproofs (Bünz et al., S&P 2018), our benchmarks show a very significant runtime improvement. Eventually, we sketch some applications of our new range proofs.

show abstract

“…Anonymous credentials and their constructions come in many flavours [4,24,41], and not all rely on prime order groups alone. Some use pairing groups and some use hidden order groups.…”

Section: Anonymous Credentialsmentioning

confidence: 99%

Sharp

Couteau

Goudarzi²,

Klooß³

et al. 2022

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Barki et al [3] propose a new KVAC scheme which is currently the most efficient: Proving posession of a credential with u hidden attributes costs u + 12 exponentiations. Couteau and Reichle [25] construct a KVAC scheme with presentation cost 2u + 3 exponentiations in a 2048-bit group, which is less efficient, but works in the standard model. Some of the new constructions were already implemented on the PC platform with promising results [29,35].…”

Section: Related Workmentioning

confidence: 99%

“…RSA Unlink. MAC Security U-Prove [33] u + 1 0 -Idemix [22] 0 u + 3 sRSA [36] Ringers et al [35] n + u + 9 0 whLRSW [40] MAC DDH [23] 6u + 12 0 DDH [8] MAC GGM [23] 5u + 4 0 GGM [37] MAC BB [4] u + 12 0 q-sDH [9] NIKVAC [25] 2u + 3 0 GGM+IND-CPA This work u + 2 0 n-SCDHI [12] 5 Implementation Results…”

Section: Efficiencymentioning

confidence: 99%

Fast Keyed-Verification Anonymous Credentials on Standard Smart Cards

Camenisch¹,

Drijvers²,

Dzurenda

et al. 2019

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

Cryptographic anonymous credential schemes allow users to prove their personal attributes, such as age, nationality, or the validity of a ticket or a pre-paid pass, while preserving their privacy, as such proofs are unlinkable and attributes can be selectively disclosed. Recently, Chase et al. (CCS 2014) observe that in such systems, a typical setup is that the credential issuer also serves as the verifier. They introduce keyed-verification credentials that are tailored to this setting. In this paper, we present a novel keyed-verification credential system designed for lightweight devices (primarily smart cards). By using a novel algebraic MAC based on Boneh-Boyen signatures, we achieve the most efficient proving protocol compared to existing schemes. To demonstrate the practicality of our scheme in real applications, including large-scale services such as public transportation or e-government, we present an implementation on a standard, off-the-shelf, Multos smart card. While using significantly higher security parameters than most existing implementations, we achieve performance that is more than 44 % better than the current state-of-the-art implementation.

show abstract

Non-interactive Keyed-Verification Anonymous Credentials

Couteau

Reichle

2019

Public-Key Cryptography – PKC 2019

Self Cite

View full text Add to dashboard Cite

Anonymous credential (AC) schemes are protocols which allow for authentication of authorized users without compromising their privacy. Of particular interest are noninteractive anonymous credential (NIAC) schemes, where the authentication process only requires the user to send a single message that still conceals its identity. Unfortunately, all known NIAC schemes in the standard model require pairing based cryptography, which limits them to a restricted set of specific assumptions and requires expensive pairing computations. The notion of keyed-verification anonymous credential (KVAC) was introduced in (Chase et al., CCS'14) as an alternative to standard anonymous credential schemes allowing for more efficient instantiations; yet, making existing KVAC non-interactive either requires pairing-based cryptography, or the Fiat-Shamir heuristic. In this work, we construct the first non-interactive keyed-verification anonymous credential (NIKVAC) system in the standard model, without pairings. Our scheme is efficient, attribute-based, supports multi-show unlinkability, and anonymity revocation. We achieve this by building upon a combination of algebraic MAC with the recent designated-verifier non-interactive zero-knowledge (DVNIZK) proof of knowledge of (Couteau and Chaidos, Eurocrypt'18). Toward our goal of building NIKVAC, we revisit the security analysis of a MAC scheme introduced in (Chase et al., CCS'14), strengthening its guarantees, and we introduce the notion of oblivious non-interactive zero-knowledge proof system, where the prover can generate non-interactive proofs for statements that he cannot check by himself, having only a part of the corresponding witness, and where the proof can be checked efficiently given the missing part of the witness. We provide an efficient construction of an oblivious DVNIZK, building upon the specific properties of the DVNIZK proof system of (Couteau and Chaidos, Eurocrypt'18).

show abstract

Non-interactive Keyed-Verification Anonymous Credentials

Cited by 7 publications

References 37 publications

Sharp

Sharp

Fast Keyed-Verification Anonymous Credentials on Standard Smart Cards

Non-interactive Keyed-Verification Anonymous Credentials

Contact Info

Product

Resources

About