
Auditable Credential Anonymity Revocation Based on Privacy-Preserving Smart Contracts

Conference paper. In: Data Privacy Management, Cryptocurrencies and Blockchain Technology (DPM 2019, CBT 2019)

Abstract

Anonymity revocation is an essential component of credential issuing systems since unconditional anonymity is incompatible with pursuing and sanctioning credential misuse. However, current anonymity revocation approaches have shortcomings with respect to the auditability of the revocation process. In this paper, we propose a novel anonymity revocation approach based on privacy-preserving blockchain-based smart contracts, where the code self-execution property ensures availability and public ledger immutability provides auditability. We describe an instantiation of this approach, provide an implementation thereof and conduct a series of evaluations in terms of running time, gas cost and latency. The results show that our scheme is feasible and efficient.

R. Li and Q. Wang were supported by the National Science Foundation of China under Grant No. 11601220.


Notes

  1. https://github.com/typex-1/auditable-credential-core.

References

  1. Abe, M., Ohkubo, M.: Provably secure fair blind signatures with tight revocation. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 583–601. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_34

  2. Blazy, O., Canard, S., Fuchsbauer, G., Gouget, A., Sibert, H., Traoré, J.: Achieving optimal anonymity in transferable E-cash with a judge. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 206–223. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6_13

  3. Brickell, E.F., Gemmell, P., Kravitz, D.W.: Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In: SODA (1995)

  4. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. IACR Cryptology ePrint Archive, p. 191 (2019)

  5. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. Cryptology ePrint Archive, Report 2019/191 (2019). https://eprint.iacr.org/2019/191

  6. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7

  7. Camenisch, J., Maurer, U., Stadler, M.: Digital payment systems with passive anonymity-revoking trustees. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 33–43. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61770-1_26

  8. Camenisch, J., Mödersheim, S., Sommer, D.: A formal model of identity mixer. In: Kowalewski, S., Roveri, M. (eds.) FMICS 2010. LNCS, vol. 6371, pp. 198–214. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15898-8_13

  9. Canard, S., Traoré, J.: On fair E-cash systems based on group signature schemes. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 237–248. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-45067-X_21

  10. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18

  11. Cheng, R., et al.: Ekiden: a platform for confidentiality-preserving, trustworthy, and performant smart contract execution. arXiv:1804.05141 [cs], April 2018

  12. Escala, A., Herranz, J., Morillo, P.: Revocable attribute-based signatures with adaptive security in the standard model. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 224–241. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6_14

  13. Eyal, I., Gencer, A.E., Sirer, E.G., Van Renesse, R.: Bitcoin-NG: a scalable blockchain protocol. In: 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pp. 45–59 (2016)

  14. Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC (1990)

  15. Fuchsbauer, G., Vergnaud, D.: Fair blind signatures without random oracles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 16–33. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_2

  16. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10

  17. Hufschmitt, E., Traoré, J.: Fair blind signatures revisited. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 268–292. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5_14

  18. Jakobsson, M., Yung, M.: Revokable and versatile electronic money (extended abstract). In: ACM Conference on Computer and Communications Security (1996)

  19. Jakobsson, M., Yung, M.: Distributed “magic ink” signatures. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 450–464. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_31

  20. Kalodner, H., Goldfeder, S., Chen, X., Weinberg, S.M., Felten, E.W.: Arbitrum: scalable, private smart contracts. In: 27th USENIX Security Symposium, pp. 1353–1370 (2018)

  21. Kiayias, A., Zhou, H.-S.: Concurrent blind signatures without random oracles. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 49–62. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_4

  22. Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858, May 2016

  23. Kwon, T.: Privacy preservation with X.509 standard certificates. Inf. Sci. 181(13), 2906–2921 (2011)

  24. Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 254–269. ACM, New York (2016)

  25. McCorry, P., Shahandashti, S.F., Hao, F.: A smart contract for boardroom voting with maximum voter privacy. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 357–375. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_20

  26. McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy - HASP 2013, Tel-Aviv, Israel, p. 1. ACM Press (2013)

  27. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

  28. Okamoto, T., Ohta, K.: Divertible zero knowledge interactive proofs and commutative random self-reducibility. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 134–149. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_16

  29. Paquin, C., Zaverucha, G.: U-Prove cryptographic specification v1.1. Technical report, Microsoft Corporation (2011)

  30. Park, S., Park, H., Won, Y., Lee, J., Kent, S.: Traceable anonymous certificate. RFC 5636, RFC Editor, August 2009. https://doi.org/10.17487/rfc5636, https://www.rfc-editor.org/info/rfc5636

  31. Rannenberg, K., Camenisch, J., Sabouri, A.: Attribute-based Credentials for Trust. Identity in the Information Society. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-14439-9

  32. von Solms, S., Naccache, D.: On blind signatures and perfect crimes. Comput. Secur. 11(6), 581–583 (1992)

  33. Sonnino, A., Al-Bassam, M., Bano, S., Meiklejohn, S., Danezis, G.: Coconut: threshold issuance selective disclosure credentials with applications to distributed ledgers. arXiv preprint arXiv:1802.07344 (2018)

  34. Stadler, M., Piveteau, J.-M., Camenisch, J.: Fair blind signatures. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 209–219. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_17

  35. Szabo, N.: Smart contracts: building blocks for digital markets. EXTROPY J. Transhumanist Thought (16) (1996)

  36. Zamfir, V.: Casper the friendly ghost: a correct by construction blockchain consensus protocol. White paper (2017). https://github.com/ethereum/research/blob/master/papers/caspertfg/caspertfg.pdf


Acknowledgement

The authors would like to thank Feng Liu, Geyang Wang and Alphea Pagalaran for their constructive suggestions on the manuscript. The authors would also like to thank the anonymous referees for their valuable comments that improved the quality of the paper.

Author information

Corresponding author: Qi Wang.

Appendix A

This appendix gives an informal security proof of credential tracing and identity tracing for the concrete instantiation described in Sect. 5.

Theorem 1

The credential tracing of our scheme is auditable under the following assumptions: the TEE is a secure enclave, the DDH assumption holds, the fair blind signature scheme is signature traceable, and the blockchain satisfies the liveness property.

Proof

Given a valid identity, say \(\xi ^{\upsilon }_{0}\), there are four possible ways for an adversary to obtain its corresponding credential (signature) \(\varSigma _{0}\) without being audited. (i) The adversary has successfully accessed the private key \(x_t\), which is stored in the TEE. The adversary can then locally compute the elliptic-curve exponentiation (see Eqs. (1) and (2)) and carry out the complete tracing activity without interacting with the blockchain. (ii) As mentioned in sub-protocol six of credential tracing, the contract TEE sends the tracing results \(outp_{new}^{t}\) and \(state_{new}^{t}\) to the tracer through a DDH-based secure channel. A compromised secure channel leaves the adversary free to lift anonymity without being audited. (iii) The adversary has successfully forged a valid signature \(\varSigma _{0}^{\star }\) independently of the blockchain, where \(\varSigma _{0}^{\star }\) satisfies \( \varSigma _{0}^{\star } \ne \varSigma _{0}\) and \(1 \leftarrow {\mathsf {Match}}_{\mathsf {sig}}(\varSigma _{0}, \varSigma _{0}^{\star })\). (iv) The adversary called the smart contract \(\widehat{contract}\) and successfully hid the invoking transactions from the inspector.

Scenario (i) contradicts our assumption that the TEE provides an isolated secure environment. Scenario (ii) is ruled out by contradiction. Suppose that there exists an adversary \({\mathcal {A}}\) that compromises the secure channel with success probability \({\mathsf {Adv}_{{{\mathcal {A}}}}^{\mathrm {sc}}}\), where \({\mathsf {Adv}_{{{\mathcal {A}}}}^{\mathrm {sc}}}\) is non-negligible. Then, using \({\mathcal {A}}\) as a subroutine, we can construct another adversary \({\mathcal {B}}\) that solves the DDH problem with non-negligible advantage \({\mathsf {Adv}_{{{\mathcal {B}}}}^{\mathrm {ddh}}}\), which contradicts the DDH assumption. Scenario (iii) implies two properties: the adversary has successfully forged a signature, and the forged signature and the original signature can be linked to one identity. These properties violate the unforgeability and the signature traceability of the fair blind signature scheme, which was proved secure by Abe and Ohkubo [1]. Liveness [16] guarantees that submitted transactions will eventually be included in the ledger. For Scenario (iv), if an adversary can successfully hide the invoking transaction, then that transaction never appears in the ledger, which contradicts our assumption that the blockchain satisfies the liveness property.

Theorem 2

The identity tracing of our scheme is auditable under the following assumptions: the TEE is a secure enclave, the DDH assumption holds, the fair blind signature scheme is session traceable, and the blockchain satisfies the liveness property.

Proof

Given a valid credential (signature), say \(\varSigma _{0}\), there are four possible ways for an adversary to illegally obtain the corresponding identity \(\xi ^{\upsilon }_{0}\) without being audited. The adversary has successfully (i) accessed the TEE, (ii) compromised the DDH-based secure channel, (iii) linked one credential to more than one identity, or (iv) broken the liveness of the blockchain. Scenarios (i), (ii) and (iv) are handled exactly as in the proof of Theorem 1, so that part of the proof is omitted here. Scenario (iii) violates the unforgeability and the session traceability of the fair blind signature scheme, which was proved secure by Abe and Ohkubo [1].

Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Li, R., Galindo, D., Wang, Q. (2019). Auditable Credential Anonymity Revocation Based on Privacy-Preserving Smart Contracts. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2019. Lecture Notes in Computer Science, vol 11737. Springer, Cham. https://doi.org/10.1007/978-3-030-31500-9_23

  • DOI: https://doi.org/10.1007/978-3-030-31500-9_23
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-31499-6
  • Online ISBN: 978-3-030-31500-9