An Efficient Self-blindable Attribute-Based Credential Scheme

Abstract

An attribute-based credential scheme allows a user, given a set of attributes, to prove ownership of these attributes to a verifier, voluntarily disclosing some of them while keeping the others secret. A number of such schemes exist, of which some additionally provide unlinkability: that is, when the same attributes were disclosed in two transactions, it is not possible to tell if one and the same or two different credentials were involved. Recently full-fledged implementations of such schemes on smart cards have emerged; however, these need to compromise the security level to achieve reasonable transaction speeds. In this paper we present a new unlinkable attribute-based credential scheme with a full security proof, using a known hardness assumption in the standard model. Defined on elliptic curves, the scheme involves bilinear pairings but only on the verifier’s side, making it very efficient both in terms of speed and size on the user’s side.

A Unforgeability and Unlinkability Games

Unforgeability of a credential scheme is defined using the following game (resembling the signature scheme unforgeability game).

Definition 14

(unforgeability game). The unforgeability game of an attribute-based credential scheme between a challenger and an adversary \(\mathcal {A}\) is defined as follows.  

Setup.:

For a given security parameter \(\ell \), the adversary decides on the number of attributes \(n\ge 1\) that each credential will have, and sends n to the challenger. The challenger then runs the algorithm from the credential scheme and sends the resulting public key to the adversary.

Queries.:

The adversary \(\mathcal {A}\) can make the following queries to the challenger.  

:

The challenger and adversary engage in the protocol, with the adversary acting as the user and the challenger acting as the issuer, over the attributes \((k_{1,j},\dots ,k_{n,j})\). It may choose these adaptively.

:

The challenger creates a credential with the specified attributes \(k_1,\dots ,k_n\), and engages in the protocol with the adversary, acting as the user and taking \(\mathcal {D}\) as disclosure set, while the adversary acts as the verifier.

 

Challenge.:

The challenger, now acting as the verifier, and the adversary, acting as the user, engage in the protocol. The adversary chooses a disclosure set \(\mathcal {D}\), and if it manages to make the verifier accept then it wins if one of the following holds:

 

• If the adversary made no queries then it wins regardless of the disclosure set (even if \(\mathcal {D}=\emptyset \));

• Otherwise \(\mathcal {D}\) must be nonempty, and if \((k_i)_{i\in \mathcal {D}}\) are the disclosed attributes, then there must be no j such that \(k_i = k_{i,j}\) for all \(i \in \mathcal {D}\) (i.e., there is no single credential issued in an query containing all of the disclosed attributes \((k_i)_{i \in \mathcal {D}}\)).

We say that the credential scheme is unforgeable if no probabilistic polynomial-time algorithm can win this game with non-negligible probability in the security parameter \(\ell \).

Next we turn to the unlinkability game.

Definition 15

(unlinkability game). The unlinkability game of an attribute-based credential scheme between a challenger and an adversary \(\mathcal {A}\) is defined as follows.  

Setup.:

For a given security parameter \(\ell \), the adversary decides on the number of attributes \(n\ge 1\) that each credential will have, and sends n to the challenger. The adversary then runs the algorithm from the credential scheme and sends the resulting public key to the challenger.

Queries.:

The adversary \(\mathcal {A}\) can make the following queries to the challenger.  

:

The adversary chooses a set of attributes \((k_{1,j},\dots ,k_{n,j})\), and sends these to the challenger. Then, acting as the issuer, the adversary engages in the protocol with the challenger, issuing a credential j to the challenger having attributes \((k_{1,j},\dots ,k_{n,j})\).

:

The adversary and challenger engage in the showing protocol on credential j, the challenger acting as the user and the adversary as the verifier. Each time the adversary may choose the disclosure set \(\mathcal {D}\).

:

The challenger sends the entire internal state, including the secret key \(k_0\), of credential j to the adversary.

 

Challenge.:

The adversary chooses two uncorrupted credentials \(j_0\), \(j_1\) and a disclosure set \(\mathcal {D}\subset \{1,\dots ,n\}\). These have to be such that the disclosed attributes from credential \(j_0\) coincide with the ones from credential \(j_1\), i.e., \(k_{i,j_0} = k_{i,j_1}\) for each \(i \in \mathcal {D}\). It sends the indices \(j_0\), \(j_1\) and \(\mathcal {D}\) to the challenger, who checks that this holds; if it does not then the adversary loses.

Next, the challenger flips a bit \(b \in _R\{0,1\}\), and acting as the user, it engages in the with the adversary on credential \(j_b\). All attributes whose index is in \(\mathcal {D}\) are disclosed.

Output.:

The adversary outputs a bit \(b'\) and wins if \(b = b'\).

 

We define the advantage of the adversary \(\mathcal {A}\) as \(\textsf {Adv}_\mathcal {A}:= \left| \Pr [b=b']-1/2\right| \). When no probabilistic polynomial-time algorithm can win this game with non-negligible advantage in the security parameter \(\ell \), then we say that the credential scheme is unlinkable.