Abstract
Anonymity revocation is an essential component of credential issuing systems since unconditional anonymity is incompatible with pursuing and sanctioning credential misuse. However, current anonymity revocation approaches have shortcomings with respect to the auditability of the revocation process. In this paper, we propose a novel anonymity revocation approach based on privacy-preserving blockchain-based smart contracts, where the code self-execution property ensures availability and public ledger immutability provides auditability. We describe an instantiation of this approach, provide an implementation thereof and conduct a series of evaluations in terms of running time, gas cost and latency. The results show that our scheme is feasible and efficient.
R. Li and Q. Wang were supported by the National Science Foundation of China under Grant No. 11601220.
References
Abe, M., Ohkubo, M.: Provably secure fair blind signatures with tight revocation. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 583–601. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_34
Blazy, O., Canard, S., Fuchsbauer, G., Gouget, A., Sibert, H., Traoré, J.: Achieving optimal anonymity in transferable E-cash with a judge. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 206–223. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6_13
Brickell, E.F., Gemmell, P., Kravitz, D.W.: Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In: SODA (1995)
Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. IACR Cryptology ePrint Archive, p. 191 (2019)
Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. Cryptology ePrint Archive, Report 2019/191 (2019). https://eprint.iacr.org/2019/191
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7
Camenisch, J., Maurer, U., Stadler, M.: Digital payment systems with passive anonymity-revoking trustees. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 33–43. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61770-1_26
Camenisch, J., Mödersheim, S., Sommer, D.: A formal model of identity mixer. In: Kowalewski, S., Roveri, M. (eds.) FMICS 2010. LNCS, vol. 6371, pp. 198–214. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15898-8_13
Canard, S., Traoré, J.: On fair E-cash systems based on group signature schemes. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 237–248. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-45067-X_21
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Cheng, R., et al.: Ekiden: a platform for confidentiality-preserving, trustworthy, and performant smart contract execution. arXiv:1804.05141 [cs], April 2018
Escala, A., Herranz, J., Morillo, P.: Revocable attribute-based signatures with adaptive security in the standard model. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 224–241. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6_14
Eyal, I., Gencer, A.E., Sirer, E.G., Van Renesse, R.: Bitcoin-NG: a scalable blockchain protocol. In: 13th USENIX Symposium on Networked Systems Design and Implementation NSDI 16, pp. 45–59 (2016)
Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC (1990)
Fuchsbauer, G., Vergnaud, D.: Fair blind signatures without random oracles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 16–33. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_2
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Hufschmitt, E., Traoré, J.: Fair blind signatures revisited. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 268–292. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5_14
Jakobsson, M., Yung, M.: Revokable and versatile electronic money (extended abstract). In: ACM Conference on Computer and Communications Security (1996)
Jakobsson, M., Yung, M.: Distributed “magic ink” signatures. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 450–464. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_31
Kalodner, H., Goldfeder, S., Chen, X., Weinberg, S.M., Felten, E.W.: Arbitrum: scalable, private smart contracts. In: 27th USENIX Security Symposium, pp. 1353–1370 (2018)
Kiayias, A., Zhou, H.-S.: Concurrent blind signatures without random oracles. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 49–62. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_4
Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858, May 2016
Kwon, T.: Privacy preservation with X.509 standard certificates. Inf. Sci. 181(13), 2906–2921 (2011)
Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 254–269. ACM, New York (2016)
McCorry, P., Shahandashti, S.F., Hao, F.: A smart contract for boardroom voting with maximum voter privacy. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 357–375. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_20
McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy - HASP 2013, Tel-Aviv, Israel, p. 1. ACM Press (2013)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
Okamoto, T., Ohta, K.: Divertible zero knowledge interactive proofs and commutative random self-reducibility. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 134–149. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_16
Paquin, C., Zaverucha, G.: U-Prove cryptographic specification v1.1. Technical report, Microsoft Corporation (2011)
Park, S., Park, H., Won, Y., Lee, J., Kent, S.: Traceable anonymous certificate. Technical report RFC5636, RFC Editor, August 2009. https://doi.org/10.17487/rfc5636, https://www.rfc-editor.org/info/rfc5636
Rannenberg, K., Camenisch, J., Sabouri, A.: Attribute-based Credentials for Trust. Identity in the Information Society. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-14439-9
von Solms, S., Naccache, D.: On blind signatures and perfect crimes. Comput. Secur. 11(6), 581–583 (1992)
Sonnino, A., Al-Bassam, M., Bano, S., Meiklejohn, S., Danezis, G.: Coconut: Threshold issuance selective disclosure credentials with applications to distributed ledgers. arXiv preprint arXiv:1802.07344 (2018)
Stadler, M., Piveteau, J.-M., Camenisch, J.: Fair blind signatures. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 209–219. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_17
Szabo, N.: Smart contracts: building blocks for digital markets. EXTROPY J. Transhumanist Thought (16) (1996)
Zamfir, V.: Casper the friendly ghost: a correct by construction blockchain consensus protocol. White paper (2017). https://github.com/ethereum/research/blob/master/papers/caspertfg/caspertfg.pdf
Acknowledgement
The authors would like to thank Feng Liu, Geyang Wang and Alphea Pagalaran for their constructive suggestions on the manuscript. The authors would also like to thank the anonymous referees for their valuable comments that improved the quality of the paper.
A Appendix A
This appendix gives an informal security proof of credential tracing and identity tracing for the concrete instantiation described in Sect. 5.
Theorem 1
The credential tracing of our scheme is auditable under the assumptions that the TEE is a secure enclave, the DDH assumption holds, the fair blind signature scheme is signature traceable, and the blockchain satisfies the liveness property.
Proof
Given a valid identity, say \(\xi ^{\upsilon }_{0}\), there are four possible ways for an adversary to obtain its corresponding credential (signature) \(\varSigma _{0}\) without being audited. (i) The adversary has obtained the private key \(x_t\), which is stored in the TEE. The adversary can then compute the elliptic-curve exponentiations (see Eqs. (1) and (2)) locally and carry out the complete tracing without interacting with the blockchain. (ii) As described in sub-protocol six of credential tracing, the contract TEE sends the tracing result \(outp_{new}^{t}\) and \(state_{new}^{t}\) to the tracer through a DDH-based secure channel. If this channel is compromised, the adversary can lift anonymity without being audited. (iii) The adversary has forged a valid signature \(\varSigma _{0}^{\star }\) independently of the blockchain, where \(\varSigma _{0}^{\star }\) satisfies \( \varSigma _{0}^{\star } \ne \varSigma _{0}\) and \(1 \leftarrow {\mathsf {Match}}_{\mathsf {sig}}(\varSigma _{0}, \varSigma _{0}^{\star })\). (iv) The adversary has invoked the smart contract \(\widehat{contract}\) and successfully hidden the invoking transactions from the inspector.
Scenario (i) contradicts our assumption that the TEE provides an isolated secure environment. Scenario (ii) is ruled out by contradiction. Suppose that there exists an adversary \({\mathcal {A}}\) that compromises the secure channel with non-negligible success probability \({\mathsf {Adv}_{{{\mathcal {A}}}}^{\mathrm {sc}}}\). Then, using \({\mathcal {A}}\) as a subroutine, we can construct another adversary \({\mathcal {B}}\) that solves the DDH problem with non-negligible advantage \({\mathsf {Adv}_{{{\mathcal {B}}}}^{\mathrm {ddh}}}\), which contradicts the DDH assumption. Scenario (iii) requires two properties: the adversary has forged a signature, and the forged signature and the original signature can be linked to one identity. These properties violate the unforgeability and signature traceability of the fair blind signature scheme, which was proved secure by Abe [1]. Liveness [16] guarantees that submitted transactions will eventually be included in the ledger. For Scenario (iv), if the adversary could hide the invoking transaction, the transaction would never appear in the ledger, which contradicts our assumption that the blockchain satisfies liveness.
Theorem 2
The identity tracing of our scheme is auditable under the assumptions that the TEE is a secure enclave, the DDH assumption holds, the fair blind signature scheme is session traceable, and the blockchain satisfies the liveness property.
Proof
Given a valid credential (signature), say \(\varSigma _{0}\), there are four possible ways for an adversary to illegally obtain the corresponding identity \(\xi ^{\upsilon }_{0}\) without being audited. The adversary has successfully (i) accessed the TEE, (ii) compromised the DDH-based secure channel, (iii) linked one credential to more than one identity, or (iv) broken the liveness of the blockchain. Scenarios (i), (ii) and (iv) are handled exactly as in the proof of Theorem 1, so that part of the proof is omitted here. Scenario (iii) violates the unforgeability and the session traceability of the fair blind signature scheme, which was proved secure by Abe [1].
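The argument shared by both proofs is that every tracing operation needs the key held inside the TEE, the TEE is only reachable through the contract, and every contract invocation is a transaction on an immutable ledger, so an inspector who replays the ledger sees every tracing request. The following toy model is an added illustration of that audit argument and is not code from the paper; the ledger, TEE, contract and inspector classes, the SHA-256 hash chain, the sample credential labels and the key-extraction case are all constructed assumptions. It shows how a hash-chained ledger exposes tampering and how a tracing performed with an extracted key (Scenario (i)) is the one case the ledger cannot show.

```python
import hashlib
import json
import secrets

# Constructed toy model (assumption, not the paper's scheme): tracing requests
# are transactions on an append-only, hash-chained ledger; the tracing key is
# held only by a TEE object that the contract calls on the tracer's behalf.

GENESIS = "0" * 64


def _block_hash(prev_hash, tx):
    """Each block commits to its predecessor and its transaction."""
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = []  # (prev_hash, tx, block_hash)

    def append(self, tx):
        prev = self.blocks[-1][2] if self.blocks else GENESIS
        h = _block_hash(prev, tx)
        self.blocks.append((prev, tx, h))
        return h

    def verify(self):
        """Immutability check: a rewritten transaction breaks the chain."""
        prev = GENESIS
        for p, tx, h in self.blocks:
            if p != prev or _block_hash(p, tx) != h:
                return False
            prev = h
        return True


class TEE:
    """Holds the tracing key x_t; honest tracing only happens via the contract."""

    def __init__(self):
        self._x_t = secrets.token_hex(16)  # placeholder for the real key
        self.calls = 0  # ground truth kept only to evaluate the model

    def trace(self, credential):
        self.calls += 1
        return hashlib.sha256((self._x_t + credential).encode()).hexdigest()[:16]


class Contract:
    """Records the request on the ledger before forwarding it to the TEE."""

    def __init__(self, ledger, tee):
        self.ledger, self.tee = ledger, tee

    def trace(self, tracer, credential):
        self.ledger.append({"op": "trace", "tracer": tracer, "credential": credential})
        return self.tee.trace(credential)


def audit(ledger):
    """Inspector's view: every tracing invocation recoverable from the ledger."""
    if not ledger.verify():
        raise ValueError("ledger tampered")
    return [(b[1]["tracer"], b[1]["credential"]) for b in ledger.blocks if b[1]["op"] == "trace"]


def run_model():
    ledger, tee = Ledger(), TEE()
    contract = Contract(ledger, tee)
    contract.trace("tracer-1", "sigma_0")  # constructed credential labels
    contract.trace("tracer-2", "sigma_1")
    honest = audit(ledger)
    # Scenario (i): an adversary holding x_t traces off-chain; the ledger is silent.
    tee.trace("sigma_2")
    unaudited = tee.calls - len(audit(ledger))
    # Rewriting a recorded request (here the tracer field) is caught by verify().
    p, tx, h = ledger.blocks[0]
    ledger.blocks[0] = (p, dict(tx, tracer="nobody"), h)
    tampered_detected = not ledger.verify()
    return honest, unaudited, tampered_detected


if __name__ == "__main__":
    print(run_model())
```

The model makes the proof's dependency explicit: the inspector's list is complete only while the key never leaves the TEE and every request reaches the ledger, which is why Theorems 1 and 2 assume a secure enclave and liveness.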
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Li, R., Galindo, D., Wang, Q. (2019). Auditable Credential Anonymity Revocation Based on Privacy-Preserving Smart Contracts. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2019. Lecture Notes in Computer Science, vol 11737. Springer, Cham. https://doi.org/10.1007/978-3-030-31500-9_23
DOI: https://doi.org/10.1007/978-3-030-31500-9_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31499-6
Online ISBN: 978-3-030-31500-9