Abstract
On the one hand, the web needs to be secured from malicious activities such as bots or DoS attacks; on the other hand, such needs ideally should not justify services tracking people’s activities on the web. Anonymous tokens provide a nice tradeoff between allowing an issuer to ensure that a user has been vetted and protecting the users’ privacy. However, in some cases, whether or not a token is issued reveals a lot of information to an adversary about the strategies used to distinguish honest users from bots or attackers.
In this work, we focus on designing an anonymous token protocol between a client and an issuer (also a verifier) that enables the issuer to support its fraud detection mechanisms while preserving users’ privacy. This is done by allowing the issuer to embed a hidden (from the client) metadata bit into the tokens. We first study an existing protocol from CRYPTO 2020 which is an extension of Privacy Pass from PoPETs 2018; that protocol aimed to provide support for a hidden metadata bit, but provided a somewhat restricted security notion. We demonstrate a new attack, showing that this is a weakness of the protocol, not just the definition. In particular, the metadata bit hiding is weak in the setting where the attacker can redeem some tokens and get feedback on whether the bit extraction succeeded.
We then revisit the formalism of anonymous tokens with private metadata bit, consider the more natural notion, and design a scheme which achieves it. In order to design this new secure protocol, we base our construction on algebraic MACs instead of PRFs. Our security definitions capture a realistic threat model where adversaries could, through direct feedback or side channels, learn the embedded bit when the token is redeemed. Finally, we compare our protocol with one of the CRYPTO 2020 protocols. We obtain 20% more efficient performance.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We provide a more precise analysis in the full version of this paper [12].
- 2.
[5] addresses this by making non-standard assumptions about the extraction properties of Fiat-Shamir.
- 3.
A protocol with this m option is available in the full version of this paper [12].
- 4.
In the common reference string model, the CRS \(\textsf{cpp}\) comes with a trapdoor \(\textsf{td}\).
- 5.
In their \(\textsf{OMUF}\) security definition, the first condition says that both \(q_0 \le \ell \) AND \(q_1 \le \ell \) where \(q_b\) is the number of oracle queries with bit b. Suppose, the adversary made 10 queries with \(b=0\) (\(q_0 = 10\)) and 1000 queries with \(b=1\) (\(q_1 = 1000\)). If the adversary forges 11 tokens with \(b = 0\), for this to succeed as a forgery, \(\ell \) must be at least 1000. If it is not, this does not succeed.
- 6.
For protocols with no public metadata m, the variables \(n_{b,m}\) in the game shall be changed to \(n_b\) and input m shall be removed from \(\textsf{AT}\) algorithms.
- 7.
\(\textsf{PMBT}\) code is available at https://github.com/mmaker/anonymous-tokens.
- 8.
In this count, we took the computation of \((1-b)C_y\) as free. Furthermore, the computation of \(r_dV\) and \(a_dV\) are done twice but count for a single operation.
- 9.
By setting \(t_S=\textsf{Hash}(U)\), the issuer would not have to send \(t_S\) any longer and save the transmission of one \(\mathbb {Z}_p\) element.
References
Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: Sadeghi, A.-R., Gligor, V.D., Yung, M., editors, 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, pp. 1087–1098. ACM (2013)
Benhamouda, F., Lepoint, T., Orrù, M., Raykova, M.: Publicly verifiable anonymous tokens with private metadata bit. Cryptology ePrint Archive, Paper 2022/004 (2022). https://eprint.iacr.org/2022/004
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7
Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20
Chase, M., Meiklejohn, S., Zaverucha, G.: Algebraic MACs and keyed-verification anonymous credentials. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pp. 1205–1216. Association for Computing Machinery (2014)
Chase, M., Meiklejohn, S., Zaverucha, G.: Algebraic MACs and keyed-verification anonymous credentials (2014). https://eprint.iacr.org/2013/516
Chase, M., Perrin, T., Zaverucha, G.: The signal private group system and anonymous credentials supporting efficient verifiable encryption, pp. 1445–1459. Association for Computing Machinery (2020)
Chase, M., Perrin, T., Zaverucha, G.: The signal private group system and anonymous credentials supporting efficient verifiable encryption (2020). https://eprint.iacr.org/2019/1416
Chaum, D.: Blind signatures for untraceable payments. In: Advances in Cryptology - CRYPTO. Springer International Publishing (1982)
Damgård, I.: On \(\varSigma \)-protocol (2010)
Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G., Valsorda, F.: Privacy pass: bypassing internet challenges anonymously. In: PoPETs, pp. 164–180 (2018)
Betül Durak, F., Vaudenay, S., Chase, M.: Anonymous tokens with stronger metadata bit hiding from algebraic macs. Cryptology ePrint Archive, Paper 2022/1622 (2022). https://eprint.iacr.org/2022/1622
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Kreuter, B., Lepoint, T., Orrù, M., Raykova, M.: Anonymous tokens with private metadata bit (2020). https://eprint.iacr.org/2020/072
Kreuter, B., Lepoint, T., Orrù, M., Raykova, M.: Anonymous tokens with private metadata bit. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 308–336. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_11
Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1
Paquin, C., Zaverucha, G.: U-prove cryptographic specification v1.1 (Revision 3), December (2013). Released under the Open Specification Promise (http://www.microsoft.com/openspecifications/en/us/programs/osp/default.aspx)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Silde, T., Strand, M.: Anonymous tokens with public metadata and applications to private contact tracing. https://fc22.ifca.ai/preproceedings/40.pdf
Tessaro, S., Zhu, C.: Short pairing-free blind signatures with exponential security. In: Dunkelman, O., Dziembowski, S., editors, Advances in Cryptology - EUROCRYPT 2022, volume 13276 of Lecture Notes in Computer Science, pp. 782–811. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_27
Trust Tokens API. https://developer.chrome.com/docs/privacy-sandbox/trust-tokens/
Acknowledgements
We heartily thank Greg Zaverucha, Michele Orrù, and Nirvan Tyagi for the insightful discussions and fruitful comments on the early version of the paper. We are also very thankful to Kim Laine, Radames Cruz Moreno, and Wei Dai for their valuable time and help with the implementation of the protocols and benchmarks in Rust.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Chase, M., Durak, F.B., Vaudenay, S. (2023). Anonymous Tokens with Stronger Metadata Bit Hiding from Algebraic MACs. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14082. Springer, Cham. https://doi.org/10.1007/978-3-031-38545-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-38545-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38544-5
Online ISBN: 978-3-031-38545-2
eBook Packages: Computer ScienceComputer Science (R0)
