Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accumulators and U-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research.

Published bySilvester Cunningham Modified over 9 years ago

Similar presentations

Presentation on theme: "Accumulators and U-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research."— Presentation transcript:

1 Accumulators and U-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research

2 Outline Accumulators Definitions and Security Anonymous Revocation New scheme U-Prove Overview Revocation methods Revocation with the new accumulator Implementation and Performance

3 Accumulator Primitives Accumulate: Aggregate a set of elements into a single value V. Non-Membership (NM) Proof: Prove that an element x is NOT accumulated in V without revealing any info about x. Membership Proof: Prove that an element x is accumulated in V without revealing any info about x. Efficient Update of V and Proofs’ Witnesses when the accumulated set changes.

4 Accumulator Security Member Completeness: x is accumulated ⇒ Member proof accepts. Member Soundness: x is not accumulated ⇒ Member proof rejects. NM Completeness: x is not accumulated ⇒ NM proof accepts. NM Soundness: x is accumulated ⇒ NM proof rejects. Information hiding: The proofs should be Zero- Knowledge or Witness Indistinguishable.

5 Revoking Anonymous Credentials For Blacklisting Anonymous Credentials, Accumulate blacklisted elements in an accumulator value. NM Proof proves that an element is not accumulated ⇒ The element is not blacklisted. NM Proof does not reveal the element ⇒ Privacy Protection. For Whitelisting Anonymous Credentials, it is similar in the opposite way.

6 Accumulator Scheme – Setup

7 Accumulator Operations

8 Efficient Accumulator NM Proof

9 Outline Accumulators Definitions and Security Anonymous Revocation New scheme U-Prove Overview Revocation methods Revocation with the new accumulator Implementation and Performance

10 U-Prove Participants: Issuer, User (Prover), Service Provider (Verifier). Issuing Protocol between Issuer and User User obtains Tokens from Issuer Token certifies attributes (Driver License, Age > 21,…) Presentation Protocol between User and Service Provider Users proves certain attributes to Service Provider Service Provider learns nothing about other attributes

11 U-Prove Crypto

12 Revocation in U-Prove Four Methods  ID Exposure. It breaks privacy. Force revoked user to reveal the ID (S/N or another attribute)  Credential Update. Not efficient. Short validity time encoded in an attribute Issuer periodically updates valid credentials for download  Credential Revocation Lists. Not efficient. List of proofs that the ID is not in blacklisted items  Accumulators Use an accumulator to aggregate the IDs

13 Pros and Cons of using Accumulators Advantages Costs to generate and verify unrevoked credential proofs do not depend on the blacklist’s size. It works for both whitelisting (membership proofs) and blacklisting (non-membership proofs). Anonymous and unlinkable credentials. Disadvantages Witness update is expensive. More complex.

14 Accumulator-Based Revocation Scheme U-Prove integration is based on non-membership proof Demo Scenario Both User A and User P are issued U-Prove tokens. User A is blacklisted, so A fails to update NM Witness ⇒ User A can not generate anonymous proofs. User P succeeds to update its NM Witness. ⇒ User P can generate valid anonymous proofs.

15 U-Prove Revocation Scenario

16 Setup and Issuing

17 Revocation and Presentation Timestam p OperationBlacklistAccumulator 1 2 3

18 Outline Accumulators Definitions and Security Anonymous Revocation New scheme U-Prove Overview Revocation methods Revocation with the new accumulator Implementation and Performance

19 Software Design Revocation API AnonProofU-ProveIdemix Accumulator API Proof List AccuF S AccuG S Others Application Revocation Method

20 Software Design Abstraction: Single definition of Revocation API (for all revoking methods), Single definition of Accumulator API (for all accumulators). No Redundancy: Single implementation of Revocation using Accumulators. Extendibility: Easy to add new Accumulators or Applications. Changeability: Easy to switch among Accumulators or Revocation methods.

21 Performance Compared with the only previous universal accumulator scheme ATSM

22 Thanks and Questions

Download ppt "Accumulators and U-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research."

Similar presentations

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
A Framework for Distributed OCSP without Responders Certificate

A Framework for Distributed OCSP without Responders Certificate
Anonymity without Sacrificing Performance Enhanced Nymble System with Distributed Architecture CS 858 Project Presentation Omid Ardakanian * Nam Pham *

Anonymity without Sacrificing Performance Enhanced Nymble System with Distributed Architecture CS 858 Project Presentation Omid Ardakanian * Nam Pham *
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research.

1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, © Ravi Sandhu World-Leading Research.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
A New Approach for Anonymous Password Authentication Yanjiang Yang, Jianying Zhou, Feng Bao Institute for Infocomm Research, Singapore Jian Weng Jinan.

A New Approach for Anonymous Password Authentication Yanjiang Yang, Jianying Zhou, Feng Bao Institute for Infocomm Research, Singapore Jian Weng Jinan.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.

Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.

7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research.

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research.
VIS-À-VIS CRYPTOGRAPHY : PRIVATE AND TRUSTWORTHY IN-PERSON CERTIFICATIONS IAN MIERS*, MATTHEW GREEN* CHRISTOPH U. LEHMANN †, AVIEL D. RUBIN* *Johns Hopkins.

VIS-À-VIS CRYPTOGRAPHY : PRIVATE AND TRUSTWORTHY IN-PERSON CERTIFICATIONS IAN MIERS*, MATTHEW GREEN* CHRISTOPH U. LEHMANN †, AVIEL D. RUBIN* *Johns Hopkins.
PKI Implementation in the Real World

PKI Implementation in the Real World
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Oct 09, 2004CS573: Network Protocols and Standards1 GARP (Part 2) Network Protocols and Standards Autumn 2004-2005.

Oct 09, 2004CS573: Network Protocols and Standards1 GARP (Part 2) Network Protocols and Standards Autumn

Similar presentations

Ads by Google