Attack on U-Prove Revocation Scheme from FC’13 - Passing Verification by Revoked Users
We analyse the security of the scheme proposed in the paper “Accumulators and U-Prove Revocation” from the Financial Cryptography 2013 proceedings. Its authors propose an extension for U-Prove, the credential system developed by Microsoft. This extension allows tokens (containers for credentials) to be revoked using a new cryptographic accumulator scheme. We show that, under certain conditions, there exists a weakness that allows a user to pass verification while using a revoked U-Prove token. It follows that the proposed solution fails to fulfil the primary goal of revocation schemes.
Recently, a closely related system has been published by Microsoft Research in “U-Prove Designated-Verifier Accumulator Revocation Extension, Draft 1 Revision”. Our attack does not work for this scheme, but the draft lacks formal justification and we cannot exclude problems of this kind.
Keywords: Anonymous credential, Attribute, U-Prove, Revocation, Attack
- 1. Microsoft: U-Prove. Webpage of the project (2013). http://research.microsoft.com/en-us/projects/u-prove/
- 2. Brands, S.: Untraceable off-line cash in wallets with observers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994)
- 3. Brands, S.A.: Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy, 1st edn. MIT Press, Cambridge/London (2000). http://www.credentica.com/the_mit_pressbook.html
- 4. Acar, T., Chow, S.S.M., Nguyen, L.: Accumulators and U-Prove revocation. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 189–196. Springer, Heidelberg (2013)
- 5. Lan Nguyen, C.P.: U-Prove designated-verifier accumulator revocation extension. Technical report Draft Revision 1, Microsoft Research (2013)