| Graduate student: | 宋柏麟 Bo-Lin Sung |
|---|---|
| Thesis title: | 具有匿名撤銷之匿名憑證系統 / An Anonymous Credential Scheme with Revocation of Anonymity |
| Advisor: | 顏嵩銘 Sung-Ming Yen |
| Oral examination committee: | |
| Degree: | Master (碩士) |
| Department: | 資訊電機學院 (College of Electrical Engineering and Computer Science), Department of Computer Science & Information Engineering |
| Year of publication: | 2014 |
| Graduating academic year: | 103 (ROC calendar) |
| Language: | English |
| Pages: | 59 |
| Chinese keywords: | 匿名憑證 (anonymous credential), 匿名撤銷 (anonymity revocation) |
| English keywords: | Anonymous Credential System |
Abstract (translated from the Chinese abstract):

Many everyday activities now take place as electronic interactions, and these interactions can leak personal information. Anonymous credential systems were created to address this: they let a user take part in electronic transactions while protecting the user's privacy. In such a system the user obtains a credential from a trusted organization and then proves to a service provider that the credential is valid and satisfies the attributes the service provider requires, without revealing the user's identity or any attribute beyond those required. Existing anonymous credential systems typically use zero-knowledge proofs at this step to keep the user's attributes from the service provider; however, the cost of the zero-knowledge proof grows linearly with the number of attributes to be proved. In addition, existing anonymous credential systems lack a practical mechanism for revoking anonymity.

In this thesis we propose an efficient anonymous credential system with revocation of anonymity. We use designated verifier signatures together with a chameleon hash function in place of the zero-knowledge proofs used by existing anonymous credential systems, which improves performance. We further use the concept of group signatures to realize a practical anonymity-revocation method that overcomes this shortcoming of existing anonymous credential systems.
Abstract (English):

Anonymous credential systems promise efficient and ubiquitous access to digital services while preserving users' privacy. In an anonymous credential system, a user Alice obtains credentials from an organization and can then prove to a verifier that she holds the appropriate credentials without revealing any information about her identity. Existing anonymous credential systems use zero-knowledge proofs at this step to keep the attributes hidden from the verifier; however, the cost of the zero-knowledge proof grows linearly with the number of attributes, and the existing systems lack effective revocation approaches.

In this thesis, an efficient anonymous credential system with revocation is proposed. Designated verifier signatures combined with a chameleon hash replace the complex zero-knowledge proof, which improves performance, and the concept of group signatures is used to implement a practical approach to revocation that overcomes this disadvantage of existing anonymous credential systems.
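To make the primitive named in the abstract concrete, the following is an added example and not code from the thesis: the discrete-log chameleon hash of Krawczyk and Rabin [21], CH(m, r) = g^m · y^r mod p with y = g^x. Anyone holding the public key can evaluate it, but only the holder of the trapdoor x can produce a second message that hashes to the same value. That asymmetry is what makes a chameleon hash usable in designated-verifier constructions: a verifier who holds the trapdoor could have produced the transcript himself, so it convinces nobody else, and no interactive zero-knowledge proof is needed. The class, the message-to-scalar mapping through SHA-256 and the toy 64-bit parameters are my own choices; how the thesis combines the hash with designated verifier signatures and group signatures is not shown here. The last method demonstrates the scheme's known key-exposure caveat, which is why reference [19] proposes an identity-based variant.

```python
import hashlib
import secrets

# Added example (not code from the thesis): the discrete-log chameleon hash of
# Krawczyk and Rabin [21], CH(m, r) = g^m * y^r mod p with y = g^x. Anyone
# holding (p, q, g, y) can evaluate it; only the holder of the trapdoor x can
# find collisions. Group parameters are toy-sized and generated at run time; a
# deployment would use a standard 2048-bit group with a 256-bit subgroup order.

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Return (p, q) with p = 2q + 1, both prime, p of the requested bit length."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def to_scalar(msg, q):
    """Map an arbitrary byte string to Z_q through SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


class ChameleonHash:
    def __init__(self, bits=64):
        self.p, self.q = safe_prime(bits)
        self.g = 4  # 2^2 is a quadratic residue, hence a generator of the order-q subgroup
        self.x = 1 + secrets.randbelow(self.q - 1)  # trapdoor: kept by one party only
        self.y = pow(self.g, self.x, self.p)        # public hash key

    def public_key(self):
        return self.p, self.q, self.g, self.y

    def hash(self, msg, r):
        """Public evaluation: CH(m, r) = g^m * y^r mod p; needs only the public key."""
        m = to_scalar(msg, self.q)
        return pow(self.g, m, self.p) * pow(self.y, r, self.p) % self.p

    def collide(self, msg, r, new_msg):
        """Trapdoor operation: r' with CH(new_msg, r') == CH(msg, r).
        CH = g^(m + x*r), so solve m + x*r = m' + x*r' (mod q) for r'."""
        m, m2 = to_scalar(msg, self.q), to_scalar(new_msg, self.q)
        return (m - m2 + self.x * r) * pow(self.x, -1, self.q) % self.q

    def recover_trapdoor(self, msg, r, msg2, r2):
        """Key-exposure caveat of this scheme: two colliding pairs under one key
        leak x = (m - m') * (r' - r)^-1 mod q, so published collisions must not
        reuse a key (the identity-based variant in [19] addresses this)."""
        m, m2 = to_scalar(msg, self.q), to_scalar(msg2, self.q)
        return (m - m2) * pow(r2 - r, -1, self.q) % self.q


if __name__ == "__main__":
    ch = ChameleonHash()
    msg_a, msg_b = b"credential attribute: age >= 18", b"credential attribute: member"
    r = secrets.randbelow(ch.q)
    digest = ch.hash(msg_a, r)
    r2 = ch.collide(msg_a, r, msg_b)
    print("collision found:", ch.hash(msg_b, r2) == digest)
    print("trapdoor leaked by the pair:", ch.recover_trapdoor(msg_a, r, msg_b, r2) == ch.x)
```

The collision step costs one modular inversion and a few multiplications in Z_q regardless of what the message encodes, which is the kind of constant cost the abstract contrasts with a zero-knowledge proof whose size grows with the number of attributes. The `recover_trapdoor` method shows the price of that convenience: whoever sees two openings of the same hash under the same key learns the trapdoor, so a design that reveals collisions must use a fresh key per transaction or a variant built to tolerate exposure.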
References

[1] A. Lysyanskaya, "Signature Schemes and Applications to Cryptographic Protocol Design," PhD thesis, Massachusetts Institute of Technology, 2002.
[2] A. De Santis, G. Di Crescenzo, G. Persiano, and M. Yung, "On Monotone Formula Closure of SZK," Proc. of the 35th Annual Symposium on Foundations of Computer Science - SFCS '94, pp. 454--465, 1994.
[3] A. De Santis, G. Di Crescenzo, and G. Persiano, "Communication-Efficient Anonymous Group Identification," Proc. of the 5th ACM Conference on Computer and Communications Security - CCS '98, pp. 73--82, 1998.
[4] A. Miyaji, M. Nakabayashi, and S. Takano, "New Explicit Conditions of Elliptic Curve Traces for FR-Reduction," IEICE Trans. Fundamentals, Vol. E84-A, No. 5, pp. 1234--1243, 2001.
[5] C. Paquin and S. Brands, "U-Prove Cryptographic Specification V1.0," Microsoft Corporation, 2010.
[6] C. Paquin and G. Zaverucha, "U-Prove Cryptographic Specification V1.1 (Revision 3)," Microsoft Corporation, 2013.
[7] D. Chaum, "Blind Signatures for Untraceable Payments," Proc. of CRYPTO '82, pp. 199--203, 1983.
[8] D. Chaum, "Security without Identification: Transaction Systems to Make Big Brother Obsolete," Communications of the ACM, Vol. 28, Issue 10, pp. 1030--1044, 1985.
[9] D. Chaum and E. van Heyst, "Group Signatures," Proc. of EUROCRYPT '91, LNCS 547, pp. 257--265, 1991.
[10] D. Chaum and H. van Antwerpen, "Undeniable Signatures," Proc. of CRYPTO '89, LNCS 435, pp. 212--216, 1990.
[11] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps," Proc. of EUROCRYPT '03, LNCS 2656, pp. 416--432, 2003.
[12] D. Boneh and X. Boyen, "Short Signatures without Random Oracles," Proc. of EUROCRYPT '04, LNCS 3027, pp. 56--73, 2004.
[13] D. Boneh and H. Shacham, "Group Signatures with Verifier-Local Revocation," Proc. of the 11th ACM Conference on Computer and Communications Security - CCS '04, pp. 168--177, 2004.
[14] D. Boneh, X. Boyen, and H. Shacham, "Short Group Signatures," Proc. of CRYPTO '04, LNCS 3152, pp. 41--55, 2004.
[15] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," RFC 5280, 2008.
[16] D. X. Song, "Practical Forward Secure Group Signature Schemes," Proc. of the 8th ACM Conference on Computer and Communications Security - CCS '01, pp. 225--234, 2001.
[17] E. R. Verheul, "Self-Blindable Credential Certificates from the Weil Pairing," Proc. of ASIACRYPT '01, LNCS 2248, pp. 533--551, 2001.
[18] G. Ateniese, D. Song, and G. Tsudik, "Quasi-Efficient Revocation of Group Signatures," Proc. of the 6th International Conference on Financial Cryptography - FC '02, LNCS 2357, pp. 183--197, 2002.
[19] G. Ateniese and B. de Medeiros, "Identity-Based Chameleon Hash and Applications," Proc. of the 8th International Conference on Financial Cryptography - FC '04, LNCS 3110, pp. 164--180, 2004.
[20] G. Frey, M. Müller, and H.-G. Rück, "The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems," IEEE Transactions on Information Theory, Vol. 45, Issue 5, pp. 1717--1719, 1999.
[21] H. Krawczyk and T. Rabin, "Chameleon Hashing and Signatures," Proc. of NDSS '00, pp. 143--154, 2000.
[22] J. Camenisch and A. Lysyanskaya, "An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation," Proc. of EUROCRYPT '01, LNCS 2045, pp. 93--118, 2001.
[23] J. Camenisch and A. Lysyanskaya, "Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials," Proc. of CRYPTO '02, LNCS 2442, pp. 61--76, 2002.
[24] J. Camenisch and E. Van Herreweghen, "Design and Implementation of the Idemix Anonymous Credential System," Proc. of the 9th ACM Conference on Computer and Communications Security - CCS '02, pp. 21--30, 2002.
[25] J. Benaloh and M. de Mare, "One-Way Accumulators: A Decentralized Alternative to Digital Signatures," Proc. of EUROCRYPT '93, LNCS 765, pp. 274--285, 1993.
[26] J. Camenisch, M. Kohlweiss, and C. Soriente, "An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials," Proc. of PKC '09, LNCS 5443, pp. 481--500, 2009.
[27] J. Camenisch, M. Kohlweiss, and C. Soriente, "Solving Revocation with Efficient Update of Anonymous Credentials," Proc. of the 7th International Conference on Security and Cryptography for Networks - SCN '10, LNCS 6280, pp. 454--471, 2010.
[28] M. Jakobsson, "Blackmailing Using Undeniable Signatures," Proc. of EUROCRYPT '94, LNCS 950, pp. 425--427, 1994.
[29] M. Naor, "On Cryptographic Assumptions and Challenges," Proc. of CRYPTO '03, LNCS 2729, pp. 96--109, 2003.
[30] M. Bellare and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols," Proc. of the 1st ACM Conference on Computer and Communications Security - CCS '93, pp. 62--73, 1993.
[31] M. Jakobsson, K. Sako, and R. Impagliazzo, "Designated Verifier Proofs and their Applications," Proc. of EUROCRYPT '96, LNCS 1070, pp. 143--154, 1996.
[32] M. H. Au, W. Susilo, and Y. Mu, "Constant-Size Dynamic k-TAA," Proc. of the 5th International Conference on Security and Cryptography for Networks - SCN '06, LNCS 4116, pp. 111--125, 2006.
[33] P. Persiano and I. Visconti, "An Anonymous Credential System and a Privacy-Aware PKI," Proc. of the 8th Australasian Conference on Information Security and Privacy - ACISP '03, LNCS 2727, pp. 27--38, 2003.
[34] P. P. Tsang, M. H. Au, A. Kapadia, and S. W. Smith, "Blacklistable Anonymous Credentials: Blocking Misbehaving Users without TTPs," Proc. of the 14th ACM Conference on Computer and Communications Security - CCS '07, pp. 72--81, 2007.
[35] S. Brands, "Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy," PhD thesis, Eindhoven University of Technology, 1999.
[36] S. Brands, L. Demuynck, and B. De Decker, "A Practical System for Globally Revoking the Unlinkable Pseudonyms of Unknown Users," Proc. of the 12th Australasian Conference on Information Security and Privacy - ACISP '07, LNCS 4586, pp. 400--415, 2007.
[37] Security Team, Computer Science Dept., "Specification of the Identity Mixer Cryptographic Library," IBM Research, Zurich, 2009.
[38] T. Nakanishi and N. Funabiki, "Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps," Proc. of ASIACRYPT '05, LNCS 3788, pp. 533--548, 2005.
[39] T. Nakanishi, H. Fujii, Y. Hira, and N. Funabiki, "Revocable Group Signature Schemes with Constant Costs for Signing and Verifying," Proc. of PKC '09, LNCS 5443, pp. 463--480, 2009.
[40] V. Miller, "The Weil Pairing, and Its Efficient Calculation," Journal of Cryptology, Vol. 17, No. 4, pp. 235--261, 2004.
[41] W. Susilo, F. Zhang, and Y. Mu, "Identity-Based Strong Designated Verifier Signature Schemes," Proc. of the 9th Australasian Conference on Information Security and Privacy - ACISP '04, LNCS 3108, pp. 313--324, 2004.
[42] Y. Desmedt and M. Yung, "Weaknesses with Undeniable Signature Schemes," Proc. of EUROCRYPT '91, LNCS 547, pp. 205--220, 1991.
[43] Y. Desmedt, C. Goutier, and S. Bengio, "Special Uses and Abuses of the Fiat-Shamir Passport Protocol," Proc. of CRYPTO '87, LNCS 293, pp. 21--39, 1987.