## Abstract

Attribute-based credentials (ABCs, sometimes also called anonymous credentials) are a core cryptographic building block of privacy-friendly authentication systems, allowing users to obtain credentials on attributes and prove possession of these credentials in an unlinkable fashion. Thereby, users have full control over which attributes they want to reveal to a third party, while the receiver still obtains strong authenticity guarantees. Unfortunately, to date, all known ABC systems require access to all attributes in the clear at the time of proving possession of a credential to a third party. This makes it hard to offer privacy-preserving identity management systems “as a service,” as the user still needs specific key material and/or dedicated software locally, e.g., on his device.

We address this gap by proposing a new cloud-based ABC system where a dedicated cloud service (“wallet”) can present the users’ credentials to a third-party *without* accessing the attributes in the clear. This enables new privacy-preserving applications of ABCs “in the cloud.”

This is achieved by carefully integrating proxy re-encryption with structure-preserving signatures and zero-knowledge proofs of knowledge. The user obtains credentials on his attributes (encrypted under his public key) and uploads them to the wallet, together with a specific re-encryption key. To prove a possession, the wallet re-encrypts the ciphertexts to the public key of the receiving third party and proves, in zero-knowledge, that all computations were done honestly. Thereby, the wallet never sees any user attribute in the clear.
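To make the wallet flow concrete, the following Python script (added here; not code from the paper or its prototype) walks through the encrypt, store, re-encrypt and decrypt steps using the bidirectional ElGamal-based proxy re-encryption of Blaze, Bleumer and Strauss as a stand-in for the paper's unnamed PRE, over a deliberately tiny constructed group. The structure-preserving signature over the ciphertexts and the zero-knowledge proof of honest re-encryption are assumed away, and the attribute is a small integer encoded in the exponent.

```python
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 with p = 1019, q = 509
# both prime, and g = 4 generating the order-q subgroup. Far too small for real use.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, q-1]

def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)

def encrypt(pk, attr):
    # Exponent ElGamal in BBS98 form: (g^attr * g^r, pk^r); attr is a small integer.
    r = rand_exp()
    return (pow(G, attr, P) * pow(G, r, P) % P, pow(pk, r, P))

def decrypt(sk, ct, max_attr=200):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)               # (pk^r)^(1/sk) = g^r
    g_attr = c1 * pow(g_r, -1, P) % P
    for attr in range(max_attr + 1):               # brute-force the small exponent
        if pow(G, attr, P) == g_attr:
            return attr
    raise ValueError("ciphertext does not decrypt to an attribute in range")

def rekey(sk_user, sk_verifier):
    # Bidirectional BBS98 re-encryption key rk = sk_V / sk_U (mod q). The user computes
    # it; the wallet receives only rk, never sk_U.
    return sk_verifier * pow(sk_user, -1, Q) % Q

def reencrypt(rk, pk_verifier, ct):
    # Wallet side: turn (g^attr g^r, pk_U^r) into (g^attr g^r, pk_V^r) without seeing
    # attr, then re-randomise so the presented ciphertext is unlinkable to the stored one.
    c1, c2 = ct
    c2 = pow(c2, rk, P)
    s = rand_exp()
    return (c1 * pow(G, s, P) % P, c2 * pow(pk_verifier, s, P) % P)

def present(attr):
    """End-to-end flow from the abstract (signature and ZK proof omitted):
    user encrypts, wallet stores and re-encrypts, verifier decrypts.
    Returns (attribute recovered by the verifier, presented != stored)."""
    sk_u, pk_u = keygen()                          # user
    sk_v, pk_v = keygen()                          # receiving third party
    stored = encrypt(pk_u, attr)                   # what the issuer certifies and the wallet stores
    rk = rekey(sk_u, sk_v)                         # uploaded alongside the credential
    shown = reencrypt(rk, pk_v, stored)            # wallet output for this presentation
    return decrypt(sk_v, shown), shown != stored

if __name__ == "__main__":
    print(present(42))                             # (42, True)
```

Because the stand-in re-encryption key is sk_V/sk_U, a wallet that additionally obtains the verifier's secret key recovers sk_U, which is exactly the collusion case Note 2 sets aside.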

We show the practical efficiency of our scheme by giving concrete benchmarks of a prototype implementation.

### Keywords

- Attribute-based credentials
- Privacy-preserving authentication
- Proxy re-encryption
- Implementation

The project leading to this publication has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 653454 (CREDENTIAL).

## Notes

1. Confer, e.g., the experimental service of identity mixer, https://console.ng.bluemix.net/docs/services/identitymixer/index.html.
2. Note that this is a natural and unavoidable assumption, as issuers and service providers are intended to learn (parts of) the attributes, opening a trivial way for the wallet to learn attributes in the case of collusion.



## A Proof of Theorem 4.3

### Proof

We prove the correctness, unforgeability, unlinkability, and wallet-privacy properties of \(\mathsf {EABC}\) in a sequence of claims:

Correctness is easy to verify. By the correctness of \(\mathsf {PRE}\), the re-randomization property of \(\mathsf {PRE}\) ciphertexts, the correctness of \(\mathsf {SIG}\), and correctness of \(\mathsf {ZKP} \), correctness of \(\mathsf {EABC}\) readily follows.

### Claim

Under the binding property of \(\mathsf {COM}\), the strong EUF-CMA-security of \(\mathsf {SIG}\), and the soundness of \(\mathsf {ZKP} \), \(\mathsf {EABC}\) is unforgeable. More concretely, for any PPT adversaries \(\mathsf {A},\mathsf {A} ',\mathsf {A} '',\mathsf {A} '''\), we have

for any \(\lambda \in \mathbb {N} \) and polynomial \(q=q(\lambda )\).

### Proof

We proceed by a sequence of reduction games and argue that subverting the unforgeability of \(\mathsf {EABC}\) implies either that binding of \(\mathsf {COM}\), the strong EUF-CMA-security of \(\mathsf {SIG}\), or the soundness of \(\mathsf {ZKP} \) does not hold. Therefore, let \(S_i\) be the event that \(\mathsf {A} \) wins (i.e., the associated experiment outputs 1) in Game *i*.

**Game 1.** Game 1 is the EABC unforgeability experiment with \(\mathsf {A} \) and, hence, we have \(\Pr \left[ {S_1}\right] =\mathsf {Adv}^{\mathsf {unforge}}_{\mathsf {EABC},\mathsf {A}}(\lambda ).\)

**Game 2.** Game 2 is identical to Game 1, except that the event *F* occurs where we have \(\mathsf {Open} ( pk _{\mathsf{U},\mathsf {PRE}},com,w_0)=\mathsf {Open} ( pk '_{\mathsf{U},\mathsf {PRE}},com,w_1)\) with \( pk _{\mathsf{U},\mathsf {PRE}}\ne pk '_{\mathsf{U},\mathsf {PRE}}\), for some \((com,w_0)=\mathsf {Com} ( pp _\mathsf {COM}, pk _{\mathsf{U},\mathsf {PRE}})\), \((com,w_1)=\mathsf {Com} ( pp _\mathsf {COM}, pk '_{\mathsf{U},\mathsf {PRE}})\), i.e., as computed within the issuer or user-credential oracle on input of \(\mathsf {A} \). We argue that \(\Pr \left[ {F}\right] \le q_O\cdot \mathsf {Adv}^{\mathsf {hiding}}_{\mathsf {COM},\mathsf {A}}(\lambda )\), as the occurrence of *F* directly yields a successful PPT adversary on the binding property of \(\mathsf {COM}\), where *q* is the total number of \(\mathsf {A}\)-queries to the oracles. Essentially, in a reduction between the binding experiment of \(\mathsf {COM}\) and unforgeability of \(\mathsf {EABC} \), once *F* occurs with \(\mathsf {A}\), the experiment (which has received \( pp \) from the binding experiment at the beginning and forwarded \( pp \) as part of the public system parameters to \(\mathsf {A}\)) forwards \((com, pk _{\mathsf{U},\mathsf {PRE}},w_0, pk '_{\mathsf{U},\mathsf {PRE}},w_1)\) to the binding experiment, which yields a successful PPT adversary \(\mathsf {A} '\). Hence, we have \(|\Pr \left[ {S_2}\right] -\Pr \left[ {S_1}\right] |\le \Pr \left[ {F}\right] \le q\cdot \mathsf {Adv}^{\mathsf {hiding}}_{\mathsf {COM},\mathsf {A} '}(\lambda ).\)

**Game 3.** Game 3 is identical to Game 2, except that the event \(F'\) occurs where we have \(\mathsf {Ver} (\text {pk}_\mathsf{I},((c_i)_i,com),\sigma ^*)=1\) for a tuple \(((c_i)_i,com)\) that has not occurred before, possibly for an already occurred \(\sigma ^*\), i.e., the signature extracted from the \(\mathsf {A}\)-presentation \(p^*\) at the end of the experiment. We argue that \(\Pr \left[ {F'}\right] \le q_O\cdot \mathsf {Adv}^{\mathsf {s-euf-cma}}_{\mathsf {SIG},\mathsf {A}}(\lambda )\), as the occurrence of \(F'\) directly yields a successful PPT adversary on the strong EUF-CMA property of \(\mathsf {SIG}\). Essentially, in a reduction between strong EUF-CMA of \(\mathsf {SIG}\) and unforgeability of \(\mathsf {EABC} \), once \(F'\) occurs with \(\mathsf {A}\), the experiment (which has received \(\text {pk}_\mathsf{I}\) from the strong EUF-CMA experiment at the beginning and is able to query signatures under \(\text {pk}_\mathsf{I}\)) forwards \((((c_i)_i,com),\sigma ^*)\), extracted from the presentation \(p^*\), to the strong EUF-CMA experiment, which yields a successful PPT adversary \(\mathsf {A} ''\). Hence, we have \(|\Pr \left[ {S_3}\right] -\Pr \left[ {S_2}\right] |\le \Pr \left[ {F'}\right] \le \mathsf {Adv}^{\mathsf {s-euf-cma}}_{\mathsf {SIG},\mathsf {A} ''}(\lambda ).\)

**Game 4.** Game 4 is identical to Game 3, except that the event \(F''\) occurs where we have a valid \(\mathsf {A}\)-presentation \(p^*\) at the end of the experiment, but \(p^*\) contains values that are not in the language used in the ZKP system. We argue that \(\Pr \left[ {F''}\right] \le \mathsf {Adv}^{\mathsf {soundness}}_{\mathsf {ZKP},\mathsf {A}}(\lambda )\), as the occurrence of the event directly yields a successful adversary on the soundness property of \(\mathsf {ZKP} \). Essentially, in a reduction between the soundness property of \(\mathsf {ZKP} \) and strong EUF-CMA-security of \(\mathsf {EABC} \), once \(F''\) occurs with \(\mathsf {A}\), the experiment forwards the values not in the language together with the proof from \(p^*\) to the soundness experiment of \(\mathsf {ZKP} \), which yields a successful PPT adversary \(\mathsf {A} '''\). Hence, we have \(|\Pr \left[ {S_4}\right] -\Pr \left[ {S_3}\right] |\le \Pr \left[ {F''}\right] \le \mathsf {Adv}^{\mathsf {soundness}}_{\mathsf {SIG},\mathsf {A} '''}(\lambda ).\)

**Game 5.** Game 5 is identical to Game 4 and we argue that now the adversary has at most negligible advantage (by the perfect correctness of the underlying primitives). Hence, \(\Pr \left[ {S_4}\right] =\Pr \left[ {S_5}\right] \le \mathsf {negl}(\lambda )\).

Hence, we conclude that Eq. (1) holds. \(\square \)

### Claim

Assuming the anonymous property of \(\mathsf {PRE}\), \(\mathsf {EABC}\) is unlinkable. More concretely, for any PPT adversaries \(\mathsf {A},\mathsf {A} ',\mathsf {A} ''\), we have

for any \(\lambda \in \mathbb {N} \) and polynomial \(q=q(\lambda )\).

### Proof

We proceed by a sequence of reduction games and argue that subverting the unlinkability of \(\mathsf {EABC}\) implies either that the anonymity property of \(\mathsf {PRE}\) or the soundness property of \(\mathsf {ZKP} \) does not hold. Therefore, let \(S_i\) be the event that \(\mathsf {A} \) wins (i.e., the associated experiment outputs 1) in Game *i*.

**Game 1.** Game 1 is the EABC unlinkability experiment with \(\mathsf {A} \) and, hence, we have \(\Pr \left[ {S_1}\right] =\mathsf {Adv}^{\mathsf {unlink}}_{\mathsf {EABC},\mathsf {A}}(\lambda ).\)

**Game 2.** Game 2 is identical to Game 1, except that we change the way credentials are generated for \(\mathsf {A}\). In this game, we do not need the \(\mathsf {ZKP} \) witness (and, hence, the target-user secret keys) anymore and rely on the zero-knowledge property of \(\mathsf {ZKP} \). (That is, we can use a simulator in the sense of \(\mathsf {ZKP} \) to generate proofs.) This change is purely syntactical. Hence, we have \(\Pr \left[ {S_2}\right] =\Pr \left[ {S_1}\right] .\)

**Game 3.** Game 3 is identical to Game 2, except that the ciphertexts in the issuance are generated under an independent, honestly sampled user public key that differs from the target user's. Hence, \(\mathsf {A}\) only receives credentials under a user public key different from the target public keys. We argue that if \(\mathsf {A}\) can distinguish under which public keys the ciphertexts are generated, we can directly use \(\mathsf {A}\) to break the anonymity of the underlying \(\mathsf {PRE}\). Essentially, in a reduction between anonymity of \(\mathsf {PRE}\) and unlinkability of \(\mathsf {EABC} \), the experiment (which has received \( pk _0, pk _1\) from the anonymity experiment at the beginning) forwards \(\mathsf {A}\)'s guess to its own challenger, which yields a successful PPT adversary \(\mathsf {A} '\) with probability 1/*q*, for *q* \(\mathsf {A}\)-queries to \(\mathsf {Cred}\). Hence, we have \(|\Pr \left[ {S_3}\right] -\Pr \left[ {S_2}\right] |\le q\cdot \mathsf {Adv}^{\mathsf {pre-anon}}_{\mathsf {PRE},\mathsf {A} '}(\lambda ).\)

**Game 4.** Game 4 is identical to Game 3 and we argue that now the adversary has at most negligible advantage in guessing *b*. Hence, \(\Pr \left[ {S_4}\right] =\Pr \left[ {S_3}\right] \le \mathsf {negl}(\lambda )\).

Hence, we conclude that Eq. (2) holds. \(\square \)

### Claim

Under the IND-CPA security of \(\mathsf {PRE}\), \(\mathsf {EABC}\) is wallet-private. More concretely, for any PPT adversaries \(\mathsf {A},\mathsf {A} '\), we have

for any \(\lambda \in \mathbb {N} \) and polynomial \(\ell =\ell (\lambda )\).

### Proof

We proceed by a sequence of reduction games and argue that subverting the unlinkability of \(\mathsf {EABC}\) implies that the IND-CPA property of \(\mathsf {PRE}\) does not hold. Therefore, let \(S_i\) be the event that \(\mathsf {A} \) wins (i.e., the associated experiment outputs 1) in Game *i*.

**Game 1.** Game 1 is the EABC unforgeability experiment with \(\mathsf {A} \) and, hence, we have \(\Pr \left[ {S_1}\right] =\mathsf {Adv}^{\mathsf {wallet-privacy}}_{\mathsf {EABC},\mathsf {A}}(\lambda ).\)

**Game 2.** Game 2 is identical to Game 1, except that we now do not know the target secret key \( sk ^*\). However, \( sk ^*\) is solely used for the ZKP system within the issuance and, hence, we can use the ZKP zero-knowledge property to provide valid proofs without the witness (of which \( sk ^*\) is part) using a simulator. This change is purely syntactical. Hence, we have \(\Pr \left[ {S_3}\right] =\Pr \left[ {S_2}\right] .\)

**Game 3.** Game 3 is identical to Game 2, except that we now exchange all ciphertexts with ciphertexts of “0”s. In a reduction between the IND-CPA-security property of \(\mathsf {PRE} \) and wallet-privacy of \(\mathsf {EABC} \), the experiment forwards the answer from \(\mathsf {A}\) as its own guess to the PRE IND-CPA-security experiment (given the public key from the IND-CPA experiment as target public key for the wallet-privacy adversary). Hence, we have \(|\Pr \left[ {S_3}\right] -\Pr \left[ {S_2}\right] |\le \ell \cdot \mathsf {Adv}^{\mathsf {pre-ind-cpa}}_{\mathsf {PRE},\mathsf {A} '}(\lambda ).\)

**Game 4.** Game 4 is identical to Game 3 and we argue that now the adversary has at most negligible advantage (by the perfect correctness of the underlying primitives), otherwise, some event occurred which would yield another game. Hence, \(\Pr \left[ {S_3}\right] =\Pr \left[ {S_4}\right] \le \mathsf {negl}(\lambda )\).

Hence, we conclude that Eq. (3) holds. \(\square \)

Taking all claims together yields the proof. \(\square \)

## Copyright information

© 2018 Springer Nature Switzerland AG

## About this paper

### Cite this paper

Krenn, S., Lorünser, T., Salzer, A., Striecks, C. (2018). Towards Attribute-Based Credentials in the Cloud. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science(), vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_9

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-02640-0

Online ISBN: 978-3-030-02641-7