Decentralized multi-authority anonymous credential system with bundled languages on identifiers in bilinear groups
Abstract
We propose a multi-show decentralized multi-authority attribute-based anonymous credential system (dACS). Referring to previous work, we give a new syntax and three security notions: unforgeability, anonymity and unlinkability. Especially, corruption of authorities is considered to reflect a real scenario. Then we give a generic construction of dACS. In our dACS, an attribute authority who issues a private secret key to an entity only has to sign the entity’s identifier. Then, according to the principle of "commit-to-identifier", the entity generates a proof of knowing credentials. There are two building blocks: the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system, both of which are in asymmetric bilinear groups. The principle is realized with a bundled language that is simultaneous pairing-product equations on the identifier. There, the bundled language works for preventing collusion attacks. Finally, we instantiate our generic dACS under the Symmetric External Diffie-Hellman (SXDH) assumption, compare the instantiated scheme with previous work, and evaluate the performance.
Keywords
INTRODUCTION
A global identifier is a string of a digital identity that is linked to an entity in our cyberspace. An e-mail address issued by a reliable organization and a universally unique identifier (UUID) stipulated by ISO/IEC 11578:1996[1] can be a global identifier. Global identifiers are registered by authorities and used by entities to execute some rights in the space. An anonymous credential system (ACS) that was first proposed by Chaum is a system in which an entity with an identifier is given a credential of a right issued by an authority[2]. Then the entity can prove possession of the credential to a verifier, which is typically a service provider, without leaking its identity information. Thus, a primary aim of ACS is privacy protection in transactions in which a right of an entity is checked.
Towards real applications, ACS has been studied for efficiency in the mathematical structures of Rivest-Shamir-Adleman (RSA), discrete logarithm, bilinear groups, lattices, etc.[3-6]. As for the functions of ACS, whether anonymous credentials are single-show or multi-show[3] is critical. A single-show ACS was first introduced by Brands[7], in which a credential can be proven only once; if it is proven more than once, then those proofs can be linked, so as to prevent double spending. On the other hand, a multi-show ACS was first introduced by Camenisch and Lysyanskaya[3], in which a credential can be proven more than once while keeping unlinkability. Another function of importance is treating attribute credentials. Tan and Groß[8] introduced an attribute-based ACS (abACS), in which an entity can prove possession of a number of credentials simultaneously. For instance, it can prove possession of its attributes such as age = 30 AND gender = female AND nationality = USA. Further, Chan and Yuen developed an attribute-based ACS which selectively supports both single-show and multi-show[9]. In the design of such an abACS, a primary target is efficiency from the viewpoints of the computational cost and the data length of a proof that an entity possesses the claimed attribute credentials. Since a naive construction with linear complexity is easy (simultaneously showing the individual proofs suffices), asymptotic behavior smaller than linear complexity was pursued[8,9]. In contrast, the decentralized multi-authority ACS (dACS) introduced by Garman et al. is a different direction of study[10]. In a dACS, there are a number of authorities issuing attribute credentials, and there is no central authority among them. Each authority is responsible for one attribute, and once a global identifier is linked to an entity, the authority is able to issue its attribute credential to the identifier.
A challenging task in the design of dACS is to attain collusion resistance. That is, in the case of dACS, the verifier should resist collusion attacks by adversaries who bring together their attribute credentials issued to different global identifiers. Note that collusion resistance has been studied in attribute-based cryptographic primitives such as attribute-based encryption[11] and signatures[12], but in the case of dACS, it has not been studied yet. Another challenging task is to design dACS so that it is capable of treating any given formula for fine-grained access control, such as a monotone formula over attributes. Actually, the notion of "attribute-based" was initially introduced in the case of encryption and decryption by Sahai and Waters[13], and was developed by subsequent work by, for example, Goyal et al.[14], Chase and Chow[15], etc. Anonymity, collusion resistance and fine-grained access control are three properties that need appropriate (and subtle) design techniques.
Our contribution
In this paper, we propose a multi-show dACS, which is able to treat any given all-AND formula. We first give the syntax of our dACS. Then we give three security notions. One is existential unforgeability (EUF) against collusion attacks. There, we introduce corruption of authorities, reflecting a real scenario in which an adversary can corrupt some of the authorities and get their master secret keys. The second and third are anonymity and unlinkability of proofs. In our definitions, anonymity means that any probabilistic polynomial-time (PPT) adversary, including the issuer, can get only a negligible amount of information on identifiers from given proofs. On the other hand, unlinkability means that no PPT adversary can distinguish two cases: the first case is that two given proofs are generated by a single entity, and the second case is that the two proofs are generated by two entities with different identifiers. Thus, the unlinkability of proofs is a stronger notion than anonymity in our definitions, and we will prove the implication.
We then give a generic construction of dACS. In our dACS, a feature is that an attribute authority who issues a private secret key to an entity only has to sign the entity's identifier. At that time, the authority uses a set of common public parameters in a standard like NIST FIPS 186-4[16]. Then, according to the principle of "commit-to-identifier", the entity generates a proof of knowing credentials. There are two building blocks in the construction. One is the structure-preserving signature scheme[17] and the other is the Groth-Sahai non-interactive proof system[18,19], where both blocks are based on Type 3 asymmetric bilinear groups[20]. In the construction, the principle is realized with a bundled language that is simultaneous pairing-product equations on the entity's identifier and a structure-preserving signature on the identifier. Thus, the bundled language works for preventing collusion attacks. The bundled language is a special case of simultaneous equation systems. It would be natural to consider a generalization into the case of more than one common variable. The study of this direction is of independent interest.
In the succeeding section, we instantiate our generic dACS under the Symmetric External Diffie-Hellman (SXDH) assumption[17-19] on the Type 3 pairings. Then we compare features of our instantiated
Related recent work
From the viewpoint of issuing authorities, the work by Garman et al. is the first ACS with decentralized multi-authority in the attribute-based setting (dACS, for short), which is capable of treating all-AND formulas[10]. Our dACS, in addition, is proven secure even when some of the authorities are corrupted (i.e., their master secret keys are leaked to adversaries).
Collusion attacks are also considered in the work by Garman et al., but the security claim is in the random oracle model[10]. As for collusion resistance in the standard model, Camenisch et al. proposed a dACS that has the property[21]. Moreover, the ACS[21] has the security of the universal composability[22,23]. Our
As for fine-grained access control, the abACS by Sadiah et al. is capable of treating monotone formulas, though the proof size is exponential in the number of attributes appearing in the formula[24]. The abACS by Okishima and Nakanishi[25] is capable of treating Conjunctive Normal Form (CNF) formulas. The abACS by Fuchsbauer et al. is capable of treating all-AND formulas with the advantage of prover anonymity at the issuing phase[26]. We note that these three abACSs have not been studied in a security experiment of collusion resistance. Though the two abACSs by Tan and Groß[8] and Chan and Yuen[9] mentioned above are capable of treating monotone formulas and have collusion resistance, they are not in the decentralized multi-authority setting. Concerning the attributes issued under each authority, our dACS can treat any access policy of an all-AND formula that covers plural attributes for each authority (and the number of authorities is more than one). From this viewpoint, designing a decentralized multi-authority abACS with more fine-grained access policies, for instance, arbitrary monotone formulas, is a challenging problem.
A replay attack is one of the most typical threats to authentication systems. In a replay attack, an attacker intercepts valid data that are transmitted from a prover to a verifier. Then, after some time interval, it maliciously re-sends them to make the verifier accept the attacker as the prover. Thus, the aim of a replay attack is to cause mis-authentication that leads to potentially stronger security breaches. It is also possibly applicable to ACSs, especially because of anonymity. One of the typical countermeasures against replay attacks is introducing interactive proofs. That is, the verifier generates a random challenge message at every session of authentication so that a re-sent response message is rejected. As for non-interactive proofs, recent privacy-preserving systems[27,28] in which proofs are non-interactive employ permissioned blockchains, in contrast with the permissionless blockchain employed in Bitcoin[29]. A permissioned blockchain fits our dACS because transactions including anonymous credentials are permitted by the authorities. In such systems, the replay attack can be detected by the authorities.
Finally, we note here recent studies that developed more functions than our dACS. Au et al. proposed a dynamic
Our work in this paper is a significantly extended version of the proceedings paper presented at SecITC 2020[34]. In particular, the sections "Introduction", "Instantiation" and "Feature Comparison and Efficiency Evaluation" have been substantially expanded.
Organization of the paper
In Section "PRELIMINARIES", we fix notations and summarize the notions needed for later sections. In Section "BUNDLED LANGUAGE", we explain our idea of a bundled language for the Groth-Sahai proofs. In Section "DECENTRALIZED MULTI-AUTHORITY ANONYMOUS CREDENTIAL SYSTEM", we propose the syntax and security definitions of our dACS. In Section "GENERIC CONSTRUCTION", we give a construction of our dACS employing the Groth-Sahai proof system and a structure-preserving signature scheme. In Section "INSTANTIATION", we concretely describe our dACS under the SXDH assumption. In Section "FEATURE COMPARISON AND EFFICIENCY EVALUATION", we compare the features of our instantiated
PRELIMINARIES
Bilinear groups
Let
Then, for further simplicity, we introduce the following notation.
Then it is easy to see that the following equality holds.
Finally, we extend the notation [Equation (3)] to a vector and a matrix form in the following way.
and
Structure-preserving signature scheme
The structure-preserving signature scheme[17,35]
The correctness should hold for the scheme
Adaptive chosen-message attack of an existential forgery on the scheme
In the above experiment,
Definition 1 (EUF-CMA[36]) The scheme
Non-interactive commit-and-prove scheme for structure-preserving signatures
According to the "fine-tuning Groth-Sahai proofs" system[19], we survey here the non-interactive commit-and-prove scheme on pairing-product equations, though we treat them in their additive forms. A commit-and-prove scheme
Language
We first describe the language for which our scheme will work. The language is dependent on the type of verification equations of the Groth-Sahai proofs (group-dependent languages[18]). For this purpose, we first fix the set of public parameters.
Let
Let
For a fixed parameter set
Commit-part
The commit-part[18,19]
We put
The commit-part
Prove-part
The prove-part[18,19]
The proof-part
Four properties of commit-part
Definition 2 (Correctness[18,19]) A commitment scheme
Definition 3 (Dual Mode[18]) A commitment scheme
From Equation (13), the computational indistinguishability [(Equation (14)] is equivalent to the following: For any security parameter
The indistinguishability [Equation (15)] holds, for example, for an instance of the Groth-Sahai proof system under the SXDH assumption[18,19].
Definition 4 (Perfectly Binding[18]) A commitment scheme
Definition 5 (Perfectly Hiding[18]) A commitment scheme
Four properties of prove-part
Definition 6 (Perfect Correctness[18]) A commit-and-prove scheme
Definition 7 (Perfect Soundness[18]) A commit-and-prove scheme
Let
Definition 8 (Perfect Knowledge Extraction[18]) A commit-and-prove scheme
Definition 9 (Composable Witness-Indistinguishability[18]) A commit-and-prove scheme
Especially, perfect witness-indistinguishability holds from Equation (17).
BUNDLED LANGUAGE
In this section, we define a notion of a bundled language in the case of a group-dependent language that is pairing-product equations. Intuitively, the notion is a simultaneous equation system whose coefficients form a language.
For a polynomially bounded integer
Now we impose a constraint that the above
Definition 10 (Bundled language) Let
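As an added illustration (not the paper's construction, which uses structure-preserving signatures and Groth-Sahai proofs in pairing groups), the following Python toy models the two ideas that the paper combines: the bundled language of this section, where several verification equations share the single common variable x (the identifier) and are proven together from one commitment to x, and the per-session challenge against replay attacks mentioned in the Introduction. Everything here is an assumption of the toy: a tiny discrete-log group (p = 1019, q = 509), a credential of the form cred_j = pk_j^x as a stand-in for a signature on the identifier, and a Fiat-Shamir AND-proof in the Chaum-Pedersen style with a verifier-chosen nonce in the hash. Because the toy credentials are shown in the clear, it demonstrates collusion resistance and replay rejection, not unlinkability; hiding the credentials is exactly what the Groth-Sahai commitments do in the real scheme.

```python
"""Toy 'bundled' proof: one committed identifier x, several equations
cred_j = pk_j^x that all share x, proven at once and bound to a session nonce.
Constructed for illustration only; parameters are far too small for real use."""
import hashlib
import secrets

# Toy group (assumed): p = 2q + 1 with q prime; G and H generate the order-q
# subgroup of quadratic residues. The discrete log of H base G is treated as
# unknown for the toy (in a real system H would be derived verifiably).
P, Q, G, H = 1019, 509, 4, 9


def _rand_exp():
    return secrets.randbelow(Q - 1) + 1


def _in_group(v):
    # Reject values outside the order-q subgroup (e.g. 0, 1 outside range, or p-1).
    return isinstance(v, int) and 1 <= v < P and pow(v, Q, P) == 1


def keygen(sk=None):
    """Authority key pair: sk in Z_q, pk = G^sk."""
    sk = sk if sk is not None else _rand_exp()
    return sk, pow(G, sk, P)


def issue(sk, x):
    """The authority only touches the identifier x: cred = (G^x)^sk = pk^x."""
    return pow(pow(G, x, P), sk, P)


def commit(x, r):
    """Pedersen commitment to the identifier (the 'commit-to-identifier' step)."""
    return (pow(G, x, P) * pow(H, r, P)) % P


def _challenge(nonce, items):
    # Fiat-Shamir challenge in [1, q-1]; the session nonce is hashed in so a
    # transcript is only valid for the session it was produced for.
    data = "|".join(str(v) for v in [nonce, *items]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def prove(x, r, pks, creds, nonce):
    """One sigma-protocol run for the whole simultaneous system:
    C = G^x H^r  AND  cred_j = pk_j^x for every authority j, common witness x."""
    k, k_r = _rand_exp(), _rand_exp()
    C = commit(x, r)
    T0 = (pow(G, k, P) * pow(H, k_r, P)) % P
    Ts = [pow(pk, k, P) for pk in pks]
    c = _challenge(nonce, [C, *pks, *creds, T0, *Ts])
    z = (k + c * x) % Q          # single response for the shared variable x
    z_r = (k_r + c * r) % Q
    return {"nonce": nonce, "C": C, "creds": list(creds), "T0": T0,
            "Ts": Ts, "z": z, "z_r": z_r}


def verify(proof, pks):
    """Check every equation against the same response z; any credential bound
    to a different identifier makes its equation fail."""
    creds, Ts = proof["creds"], proof["Ts"]
    if len(creds) != len(pks) or len(Ts) != len(pks):
        return False
    if not all(_in_group(v) for v in [proof["C"], proof["T0"], *creds, *Ts]):
        return False
    c = _challenge(proof["nonce"], [proof["C"], *pks, *creds, proof["T0"], *Ts])
    if (pow(G, proof["z"], P) * pow(H, proof["z_r"], P)) % P != \
            (proof["T0"] * pow(proof["C"], c, P)) % P:
        return False
    return all(pow(pk, proof["z"], P) == (T * pow(cred, c, P)) % P
               for pk, cred, T in zip(pks, creds, Ts))


class Verifier:
    """Issues one fresh nonce per session and consumes it on first use, so a
    captured proof cannot be replayed in a later session."""

    def __init__(self, pks):
        self.pks = list(pks)
        self.open_nonces = set()

    def start_session(self):
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def accept(self, proof):
        nonce = proof["nonce"]
        if nonce not in self.open_nonces:
            return False                 # unknown or already-used nonce
        self.open_nonces.discard(nonce)  # one-shot, even if verification fails
        return verify(proof, self.pks)


def demo():
    """Honest bundled proof, a replay of it, and a collusion attempt
    (credentials from two authorities issued to two different identifiers)."""
    sk1, pk1 = keygen(101)
    sk2, pk2 = keygen(202)
    pks = [pk1, pk2]
    x_alice, x_bob, r = 7, 13, 17
    verifier = Verifier(pks)
    proof = prove(x_alice, r, pks, [issue(sk1, x_alice), issue(sk2, x_alice)],
                  verifier.start_session())
    honest = verifier.accept(proof)
    replayed = verifier.accept(proof)
    mixed = [issue(sk1, x_alice), issue(sk2, x_bob)]
    collusion = verifier.accept(prove(x_alice, r, pks, mixed, verifier.start_session()))
    return {"honest": honest, "replay": replayed, "collusion": collusion}
```

The collusion case fails because the response z encodes one identifier, so the equation of the authority whose credential was issued to the other identifier cannot balance; this is the role the bundled language plays in the paper, with the identifier as the common variable. The replay case fails before any arithmetic, because the verifier consumed the session nonce.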
DECENTRALIZED MULTI-AUTHORITY ANONYMOUS CREDENTIAL SYSTEM
In this section, we provide the syntax and security definitions of dACS. We introduce three security definitions. The first is EUF against collusion attacks that cause mis-authentication; the other two are anonymity and unlinkability of proofs.
Syntax
Our dACS consists of five PPT algorithms,
Security definitions
We define three security notions for our dACS: EUF against collusion attacks, anonymity and unlinkability of proofs. Hereafter, the notation "(algorithm name)+O" means the oracle that functions as the algorithm.
EUF against collusion attack
Formally, we define the following experiment on dACS and an adversary algorithm
Intuitively, the above experiment describes the attack as follows. On input the public keys
A restriction is imposed on the adversary
These restrictions are because, otherwise, the adversary
The advantage of an adversary
Definition 11 A scheme dACS is said to be existentially unforgeable against collusion attacks if, for any PPT algorithm
Anonymity of proofs
Formally, we define the following experiment on dACS and an adversary algorithm
Intuitively, the above experiment describes the attack as follows. On input the set of public parameters
The advantage of an adversary
Definition 12 An ACS dACS is said to have anonymity of proofs if, for any PPT algorithm
Unlinkability of proofs
Formally we define the following experiment on dACS and an adversary algorithm
Intuitively, the above experiment resembles the experiment of anonymity
The advantage of an adversary
Definition 13 An ACS dACS is said to have unlinkability of proofs if, for any PPT algorithm
Proposition 1 (Unlinkability Implies Anonymity). For any PPT algorithm
Proof. Suppose that any PPT algorithm
GENERIC CONSTRUCTION
In this section, we provide a generic construction of the scheme dACS. Here we employ two building blocks. One is the structure-preserving signature scheme[17,35]. The other is the commit-and-prove scheme of the "fine-tuning Groth-Sahai proofs" system[18,19] on pairing-product equations of our "bundled language".
Construction
According to our syntax, the scheme dACS consists of five PPT algorithms:
Second, for each
Then, for each authority index
It sets
If all the decisions
Security proofs
Theorem 1 (EUF against Collusion Attacks). For any PPT algorithm
Theorem 1 means that, if the structure-preserving signature scheme
Proof. Given any PPT algorithm
Simulation of private secret key oracle. When
At the end
Generating Existential Forgery. Next,
Probability evaluation. The probability that the returned value
We have the following equalities.
The left-hand side of the equality [Equation (24)] is expanded as follows.
Claim 1
Proof.
Claim 2 If
Proof. This is because of the restriction [Equations (21) and (22)].
Claim 3
Proof. This is because of the perfect knowledge extraction of
Combining Equations (23)-(28) we have:
as is claimed in Theorem 1.
Theorem 2 (Unlinkability of Proofs). For any PPT algorithm
[For the definition of
Theorem 2 means that, if the dual-mode commitment keys are indistinguishable, then our dACS has unlinkability.
Proof. Suppose that any PPT algorithm
Employing
Therefore,
as is claimed in Theorem 2.
INSTANTIATION
In this section, we instantiate our dACS in bilinear groups of Type 3 pairing[20]. The security properties are guaranteed under the SXDH assumption[35,38]. In accordance with the generic construction in the previous section, we employ two building blocks. One is the structure-preserving signature scheme by Abe et al.[17], and the other is the commit-and-prove scheme of the "fine-tuning Groth-Sahai proofs" system by Escala-and-Groth[19] on the pairing-product equations of our bundled language, which is a simultaneous verification equation system of the structure-preserving signatures on an identity element
Construction
According to our syntax, our instantiated scheme
and it sets
It returns
Then it generates exponent values as
Then it generates the secret keys of the ElGamal encryption as
Then it generates commitments as
where
Then it generates a basis of messages as
Finally, it sets
It sets
Then it encrypts
Then it generates commitments as
where
Then it generates commitments as
Then it generates Groth-Sahai proofs as
where
Then it sets
It sets
We note that each of the Equations (50)-(56) can be transformed into the following canonical form.
Then the
Also, set scalar vectors as
Then, generate commitments as follows.
We stress that, in the computation of the commitment
Then, from Equations (58), (61) and (62), generate
Finally, obtain a Groth-Sahai proof
To summarize, the
Theorem 3 (EUF against Collusion Attacks) For any PPT algorithm
Theorem 4 (Unlinkability of Proofs) For any PPT algorithm
FEATURE COMPARISON AND EFFICIENCY EVALUATION
In this section, we compare the features of our instantiated
In Table 1, "Multi-Authority" means whether the issuing function is decentralized multi-authority or not. "Collusion Resistance" means whether the system has collusion resistance or not. "Formula of Proof" means the type of boolean formulas associated with the proofs. "R.O.", "Std." and "Gen.Grp." mean that the security proof is in the random oracle model, the standard model and the generic group model, respectively. "all-AND", "CNF", and "monotone" mean all-AND, CNF and monotone formulas, respectively. "Unlinkability" means whether unlinkability of proofs is assured or not. "Unforgeability" means the assumptions under which unforgeability is assured. "Size of a Proof" means asymptotic behavior of data length of a proof of credentials.
Feature comparison of our
ACS/Feature | Multi-authority | formulas for proofs | Security model | Unlinkability | Unforgeability | Collusion resistance | Size of a proof |
GGM14[10] | All-AND | R.O. | SRSA & DL | ||||
CDHK15[21] | All-AND | Std. | SXDH, | ||||
SNBF17[24] | - | Monotone | Std. | - | |||
ON19[25] | - | CNF | Std. | DLIN, | - | ||
FHS19[26] | - | All-AND | Gen.Grp. | - | |||
TG20[8] | - | Monotone | Std. | (co-)SDH | |||
CY22[9] | - | Monotone | Std. | (co-)SDH | |||
Our | All-AND | Std. | SXDH |
Along with Table 1, the feature comparison is explained in "Related Recent Work" in the Introduction. We add a few remarks about the three decentralized multi-authority abACSs (dACSs) in Table 1. The dACS by Garman et al. has good features, and in particular it shows the asymptotic behavior of a constant-size proof[10]. However, its security model is the random oracle model. The security model of the dACS by Camenisch et al. and our
Then, we show a concrete evaluation about computational amount of our
Number of elements in
1 | 2 | 3 | 4 | 1 | ||
(4, 4) | (4, 3) | (4, 3) | (4, 4) | (4, 4) | ||
#elem. | (8, 8) | (8, 6) | (8, 6) | (8, 8) | (8, 8) |
Number of elements in
1 | 15 | ||
#elem. | (2, 2, 2, 2) | (2, 2, 2, 2) |
Total number of elements in
1 | 2 | 3 | 4 | Further total over all | |||
#elem. | (12, 12) | (12, 10) | (12, 10) | (12, 12) | (12, 12) | (180, 176) |
Further, we estimate the execution time of the
Time of scalar-multiplication and pairing
Curve | Computation | Average (ms)(*2) |
ECBN254a | ||
1.60 | ||
2.74 |
Estimated time of Prvr and Vrfr:
Curve | Algorithm | Estimation (s) |
ECBN254a | Prover | 2.8 |
Verifier | 2.4 |
CONCLUSION
We propose a multi-show decentralized multi-authority abACS, dACS. One of the features in the security definitions is that corruption of authorities is introduced. As for the construction of our dACS, an attribute authority who issues a private secret key to an entity only has to sign the entity's identifier. Then the entity generates a proof of knowing credentials according to the "commit-to-identifier" principle. The generic construction actually employs the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system in asymmetric bilinear groups. There the principle turns into a bundled language, which is simultaneous equations on the identifier, for verification of the structure-preserving signatures. Actually the bundled language works for preventing collusion attacks.
A negative aspect of our dACS is that the proof size is linear in the number of attribute credentials involved in a proof. Therefore, a construction with smaller asymptotic behavior, hopefully of constant size, should be our future work.
DECLARATIONS
Acknowledgments
The author would like to express his sincere thanks to the three anonymous reviewers as well as the associate editor for their helpful comments from their technical and editorial viewpoints. Part of this work was presented at Innovative Security Solutions for Information Technology and Communications - 13th International Conference, SecITC 2020 (Bucharest, Romania, November 19-20, 2020, pp. 71-90)[34], and the sole author agrees to submit and publish it in this new article.
Authors' contributions
The author contributed solely to the article.
Availability of data and materials
Not applicable.
Financial support and sponsorship
This work was supported by JSPS KAKENHI Grant Number JP23K11106.
Conflicts of interest
The author declared that there are no conflicts of interest.
Ethical approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Copyright
© The Author(s) 2024.
REFERENCES
1. ISO/IEC 11578: 1996(en). Available from: https://www.iso.org/obp/ui/#iso:std:iso-iec:11578:ed-1:v1:en. [Last accessed on 6 Sep 2024].
2. Chaum D. Security without identification: transaction systems to make big brother obsolete. Commun ACM 1985;28:1030-44.
3. Camenisch J, Lysyanskaya A. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann B, editor. Advances in Cryptology - EUROCRYPT 2001. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2001. pp. 93-118.
4. Camenisch J, Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In: Advances in Cryptology - CRYPTO 2004. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2004. pp. 56-72.
5. Camenisch J, Groß T. Efficient attributes for anonymous credentials. In: CCS'08: Proceedings of the 15th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM; 2008. pp. 345-56.
6. Sudarsono A, Nakanishi T, Funabiki N. Efficient proofs of attributes in pairing-based anonymous credential system. In: Fischer-Hübner S, Hopper N, editors. Privacy enhancing technologies. PETS 2011. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2011. pp. 246-63.
7. Brands SA. Rethinking public key infrastructures and digital certificates: building in privacy. 1st ed. Cambridge-London: MIT Press; 2000. Available from: http://www.credentica.com/the_mit_pressbook.html. [Last accessed on 6 Sep 2024].
8. Tan S, Groß T. MoniPoly - an expressive q-SDH-based anonymous attribute-based credential system. In: Moriai S, Wang H, editors. Advances in Cryptology - ASIACRYPT 2020. Lecture notes in computer science. Cham: Springer; 2020. pp. 498-526.
9. Chan KY, Yuen TH. Attribute-based anonymous credential: optimization for single-use and multi-use. In: Beresford AR, Patra A, Bellini E, editors. Cryptology and network security. CANS 2022. Lecture notes in computer science. Cham: Springer; 2022. pp. 89-121.
10. Garman C, Green M, Miers I. Decentralized anonymous credentials. Available from: https://www.ndss-symposium.org/ndss2014/decentralized-anonymous-credentials. [Last accessed on 6 Sep 2024].
11. Lewko A, Waters B. Decentralizing attribute-Based encryption. In: Paterson KG, editor. Advances in Cryptology - EUROCRYPT 2011. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2011. pp. 568-88.
12. Okamoto T, Takashima K. Decentralized attribute-based signatures. In: Kurosawa K, Hanaoka G, editors. Public-Key Cryptography - PKC 2013. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2013. pp. 125-42.
13. Sahai A, Waters B. Fuzzy identity-based encryption. In: Cramer R, editor. Advances in Cryptology - EUROCRYPT 2005. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2005. pp. 457-73.
14. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: CCS'06: Proceedings of the 13th ACM Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery; 2006. pp. 89-98.
15. Chase M, Chow SSM. Improving privacy and security in multi-authority attribute-based encryption. In: CCS'09: Proceedings of the 2009 ACM Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery; 2009. pp. 121-30.
16. NIST. Digital signature standard (DSS). 2013. Available from: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf. [Last accessed on 6 Sep 2024].
17. Abe M, Hofheinz D, Nishimaki R, Ohkubo M, Pan J. Compact structure-preserving signatures with almost tight security. In: Katz J, Shacham H, editors. Advances in Cryptology - CRYPTO 2017. Lecture notes in computer science. Cham: Springer; 2017. pp. 548-80.
18. Groth J, Sahai A. Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT'08: Proceedings of the Theory and Applications of Cryptographic Techniques 27th Annual International Conference on Advances in Cryptology. Berlin, Heidelberg: Springer-Verlag; 2008. pp. 415-32. Available from: http://dl.acm.org/citation.cfm?id=1788414.1788438. [Last accessed on 6 Sep 2024].
19. Escala A, Groth J. Fine-tuning Groth-Sahai proofs. In: Krawczyk H, editor. Public-Key Cryptography - PKC 2014. Lecture notes in computer science. Berlin: Springer; 2014. pp. 630-49.
20. Galbraith SD, Paterson KG, Smart NP. Pairings for cryptographers. Discret Appl Math 2008;156:3113-21.
21. Camenisch J, Dubovitskaya M, Haralambiev K, Kohlweiss M. Composable and modular anonymous credentials: definitions and practical constructions. In: Iwata T, Cheon J, editors. Advances in Cryptology - ASIACRYPT 2015. Lecture notes in computer science. Berlin: Springer; 2015. pp. 262-88.
22. Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science; 2001 Oct 8-11; Newport Beach, CA, USA. IEEE; 2001. pp. 136-45.
24. Sadiah S, Nakanishi T, Begum N, Funabiki N. Accumulator for monotone formulas and its application to anonymous credential system. J Inf Process 2017;25:949-61.
25. Okishima R, Nakanishi T. An anonymous credential system with constant-size attribute proofs for CNF formulas with negations. In: Attrapadung N, Yagi T, editors. Advances in information and computer security. IWSEC 2019. Lecture notes in computer science. Cham: Springer; 2019. pp. 89-106.
26. Fuchsbauer G, Hanser C, Slamanig D. Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. J Cryptology 2019;32:498-546.
27. Resisting replay attacks efficiently in a permissioned and privacy-preserving blockchain network. US 20170149819 A1, United States Patent and Trademark Office. Available from: https://patents.google.com/patent/US20170149819A1/en. [Last accessed on 10 Sep 2024].
28. Limited AGH. System and method for detecting replay attack. US 20200128043 A1, United States Patent and Trademark Office. Available from: https://patents.google.com/patent/US20200128043A1/en. [Last accessed on 10 Sep 2024].
29. Nakamoto S. Bitcoin: a peer-to-peer electronic cash system. 2009. Available from: http://www.bitcoin.org/bitcoin.pdf. [Last accessed on 6 Sep 2024].
30. Au MH, Susilo W, Mu Y, Chow SSM. Constant-size dynamic K-times anonymous authentication. IEEE Syst J 2013;7:249-61.
31. Ma JPK, Chow SSM. SMART credentials in the multi-queue of slackness (or secure management of anonymous reputation traits without global halting). In: 2023 IEEE 8th European Symposium on Security and Privacy EuroS & P; 2023 Jul 3-7; Delft, Netherlands. IEEE; 2023. pp. 896-912.
32. Doerner J, Kondi Y, Lee E, Shelat A, Tyner L. Threshold BBS+ signatures for distributed anonymous credential issuance. In: 2023 IEEE Symposium on Security and Privacy SP; 2023 May 21-25; San Francisco, CA, USA. IEEE; 2023. pp. 773-89.
33. Wong HWH, Ma JPK, Chow SSM. Secure multiparty computation of threshold signatures made more efficient. Available from: https://www.ndss-symposium.org/wp-content/uploads/2024-601-paper.pdf. [Last accessed on 6 Sep 2024].
34. Anada H. Decentralized multi-authority anonymous credential system with bundled languages on identifiers. In: Maimut D, Oprina AG, Sauveron D, editors. Innovative security solutions for information technology and communications. SecITC 2020. Lecture notes in computer science. Cham: Springer; 2020. pp. 71-90.
35. Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure-preserving signatures and commitments to group elements. In: Rabin T, editor. Advances in Cryptology - CRYPTO 2010. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2010. pp. 209-36.
36. Goldwasser S, Micali S, Rivest RL. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput 1988;17:281-308.
37. Wikipedia. Commitment scheme. Available from: https://en.wikipedia.org/wiki/Commitment_scheme. [Last accessed on 6 Sep 2024].
38. Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure-preserving signatures and commitments to group elements. J Cryptol 2016;29:363-421.
39. TEPLA (University of Tsukuba Elliptic Curve and Pairing Library). (in Japanese) Available from: http://www.cipher.risk.tsukuba.ac.jp/tepla/doc/tepladoc2_0_0.pdf. [Last accessed on 6 Sep 2024].
How to Cite
Anada, H. Decentralized multi-authority anonymous credential system with bundled languages on identifiers in bilinear groups. J. Surveill. Secur. Saf. 2024, 5, 160-83. http://dx.doi.org/10.20517/jsss.2024.08