Tracing Attacks on U-Prove with Revocation Mechanism
∗Lucjan Hanzlik, Przemysław Kubiak, Mirosław Kutyłowski
Faculty of Fundamental Problems of Technology, Wrocław University of Technology Wybrze˙ze Wyspia ´nskiego 27, 50-370 Wrocław, Poland
[email protected]
ABSTRACT
Anonymous credential systems have to provide strong privacy pro-tection: a user may prove his (chosen) attributes without leaking neither his identity nor other attributes. In this paper we consider U-Prove – one of the major commercial anonymous credential sys-tems.
We show that the revocation mechanism designed for U-Prove en-ables a system provider to efficiently trace the users’ activities. Namely, the Revocation Authority run the system provider may execute the U-Prove protocol in a malicious way so that: (a) the deviations from the protocol remain undetected, (b) the Revocation Authority becomes aware of each single authentication of a user in the whole system and can link them (regardless which attributes are disclosed by the user against the verifiers), (c) it can link presenta-tion tokens with the corresponding token issuing procedure (under some conditions).
Thereby, the system described in the technical drafts of U-Prove does not guarantee privacy protection unless the system provider can be trusted unconditionally. In fact, a malicious provider may convert the Revocation Authority into a “Big Brother” installation.
Keywords
U-Prove, anonymous credential, revocation, malicious provider
1.
INTRODUCTION
Emergence of a global information IT ecosystem creates today se-vere privacy protection challenges. The ecosystem is composed of a large number of systems run by different players that are inde-pendent, have different goals, operate within different legal frame-works and sometimes are even prohibited by law to orchestrate their activities. Moreover, from the technical point of view, the scale and limited control over the information flow make it almost infeasible to protect a user against misuse of personal data.
∗This is a full version of the paper accepted for presentation at ACM AsiaCCS’15.
It seems that the most effective approach to reduce the scale of pri-vacy protection problems is to reduce the amount of personal data that are revealed during interactions with IT systems. The basic paradigm is that only the data necessary to perform a given ac-tion are revealed during the interacac-tion. The tradiac-tional approach is completely different: at the very beginning we have to show de-tails about our identity. Changing this situation is a challenge from cryptographic point of view: we have to develop a simple and user friendly scheme that guarantees reliable authentication of user’s ac-cess rights without disclosing his identity. On the other hand, such solution would fulfill the dream ofprivacy-by-design– which is a political target of European Union in the area of personal data protection.
Many cryptographic schemes have been developed for this pur-pose, usually called the same nameanonymous credentialsdespite substantial functional differences. Most of them have not reached practical maturity stage and have not been implemented. The re-markable exceptions areIdemix of IBM Zürich [1], U-Proveof Microsoft Research [4] and a simplified but efficient scheme im-plemented on German personal identity cards under the name Re-stricted Identification.
Anonymous credentials.
Anonymous credential system is a cryptographic framework in which a person receives an authentica-tion token from a trust provider for the system. The token confirms a set ofattributesof the owner, e.g. legal status, age, the rights to access a certain IT system, privileges, etc., but also the name, personal identity number, and so on. A holder of such a token, say Alice, can use it for authentication. IfAis the set of attributes of Alice confirmed by the token,A0is an arbitrary subset ofA, then she can execute an authentication protocol with Bob so that:• she proves Bob that she holds an authentication token with all attributes fromA0,
• however, Bob cannot conclude anything about the attributes not contained inA0, in particular inA\A0.
Note that “the attributes not contained inA0” may include identity data such as the first name, the family name, and the personal ID number. The attributes revealed may include a pseudonym of the prover.
A good example of an attribute is the legal age enabling to engage into civil contracts.
Thereby, anonymous credentials can be used to reduce the informa-tion flow during authenticainforma-tion to the necessary minimum. So, we may hope that anonymous credentials may become a standard au-thentication method in privacy aware systems fulfilling the “privacy-by-design” requirement.
There are many models of anonymous credentials and subtle dif-ferences between them. For instance, it is an open issue whether the verifier should be able to check whether the same (anonymous) person authenticates herself, when the set of attributes is exactly the same. Both possibility of linking (weak privacy) and infeasibility of linking (strong privacy) correspond to some concrete use cases.
U-Prove.
The topic of this paper is an extension of U-Prove anony-mous credentials system [4] developed by Microsoft. U-Prove is based on the quite complex ideas of Stefan Brands [5,6], which evolved into the current anonymous credential system.On the upside, U-Prove is very flexible and quite advanced regard-ing privacy protection. On the downside, its design is fairly com-plex. This is a major disadvantage not because of the implemen-tation pains and hardness to explain the security mechanisms even to specialists, but mainly due to hardware requirements far above the possibilities of cryptographic smart cards. U-Prove is based on hardness of Discrete Logarithm Problem and that by design, U-Prove enables commitments which can be used to extend the spec-ification. An interested reader may refer to the web page [7] for details of the U-Prove scheme and implementation details. In the meantime, U-Prove became declared as“fully compatible with ABC4Trust engine”(ABC4TRUST [12] is a EU funded project that aims to provide a unified framework for privacy protection). A large number of system details has been published [7] enabling external designers to integrate their products with U-Prove. There-fore, U-Prove has to be regarded as a system that has a real chance to play an important role in practice on a global scale, despite of lack of thorough academic evaluation.
Revocation.
It may happen that the attributes terminate to be valid for a holder of an authentication token. For instance, the token may be stolen. Then privacy protection offered by the system has a negative side effect – it hides identity of a misbehaving person very effectively. So the advanced technology starts to be dangerous to honest users, as there are more incentives to steal the tokens. These problems has been also recognized by the designers of U-Prove – see a recent report [2]. The core U-U-Prove system is not equipped with a revocation system – the necessary functionality must be added to it as an extension.During Financial Cryptography’2013 the first revocation system for U-Prove has been presented [8]. It contained a security flaw [11], but the error seems to be correctable. The major drawback of the revocation system from [8] is heavy use of bilinear pairings. According to [2],“Although pairings are popular in recent cryp-tographic research, they are seldom used in practice due to their maturity level and implementation complexity.” Definitely, cur-rently the consumer’s hardware devices are not supporting pairings (may be with some small scale exceptions).
Following [8], the Microsoft team proposed a modified revocation system which is not based on pairings and can be implemented in standard groups [9] (see [10] for a slightly updated version).
Our contribution.
We investigate the U-Prove revocation ex-tension [9,10] from the point of view of user’s privacy. We show that within the current framework it is impossible to hide the re-vocation attributes of the users (which are effectively the user’s pseudonyms) against the Revocation Authority. Namely, the Re-vocation Authority may learn about each single authentication per-formed with the user’s pseudonym. For this purpose the Revocation Authority must deviate from the original protocol, but it cannot be detected by the users and the verifiers.Although each security flaw presented in the paper can be fixed by re-designing the scheme and introducing new (computationally heavy) protocol components, it is not clear whether the extensions do not bring new threats and attack possibilities.
2.
U-PROVE REVOCATION SYSTEM
In this section we describe shortly the construction from [10]. We do not present the construction idea – in fact, it has not been ex-plained by the authors of [9, 10] and we could only make some guesses. Also, given the page limit and complexity of the design it is impossible to give a reasonable overview of the background U-Prove system. However, this is not really necessary for describ-ing the attacks against user’s privacy. Let us note that the same problems occur for the first draft version [9].
2.1
Parameters
The extension from [10] uses the same Issuer parameters as in the standard U-Prove specification. However, the scheme employs the Revocation Authority (RA) initialized in the following way:
Input:
group: a groupGqof a prime orderq
generators ofGqfrom U-Prove [7]: g,g1,gt
Computation:
choose at random δ∈Zq
compute K:=gδ
Output:
private key: δ
public key: K
Table 1: Setup procedureRSSetup()for the Revocation Au-thority
A user gets a token just as in case of the original U-Prove. Addi-tionally, it contains a revocation attributexidfor the user. Its usage will be explained below.
2.2
Revocation List Management
Input:
RA private key: δ∈Zq
revocation parameter: gt
List of revoked
attribute values: R={x1, . . . , xm} ∈Zq\{−δ}
Computation:
Accumulator value: V :=g
Qm i=1(δ+xi) t
Table 2: ProcedureComputeAccumulator() for creating
accumulatorV for the listRof revocation attributes
2.3
Computing a Witness
Apart from the accumulator, there are parameters specific to each user. These parameters must be updated every time when some user gets revoked or admitted again to the system. There are two meth-ods described in [10]:ComputeWitnessandUpdateWitness. The major drawback of the second solution is low efficiency and necessity to disclose all revocation attributes of the revoked users. According to [10],“If the revocation list is secret, or for better ef-ficiency, the witnesses are computed by the Revocation Authority”
– withComputeWitness.
The Revocation Authority runsComputeWitnessas follows:
Input:
RA private key: δ∈Zq
Revocation parameter: gt
List of revoked attribute values:
R={x1, . . . , xm} ∈Zq\ {−δ}
Target user’s revocation at-tribute:
xid6∈R
Current accumulator: V ∈Gq
Computation: d:=Q
x∈R(x−xid) modq
W:=g(
Q
x∈R(δ+x)−d)/(δ+xid) t
Q:=V W−xidg−d t
Output:
Revocation witness for
xid:
(d, W, Q)
Table 3: ProcedureComputeWitness()
The following property can be easily checked:
Wδ=Q . (1)
UpdateWitnessprocedure can be executed by the users given all revocation identities that have been included in the accumulator since the last update:
Input:
Revocation parameter: gt∈Gq
The revocation attribute of the user: xid
Revocation attribute to be added
or removed from the blacklistR: x0
Boolean value indicating whether
x0has to be added toR:
add
Old accumulator: V ∈Gq
Old witness of the user holdingxid: (d, W, Q)
Updated accumulator: V0∈G
q
Computation:
ifadd=true (x0added toR)
d0:=d(x0−xid) modq
W0:=V Wx0−xid
Q0:=V0W0−xidg−d 0 t
else (x0removed fromR)
d0:=d(x0−x
id)−1modq
W0:= ((V0)−1W)(x0−xid)−1
Q0:=V0W0−xidg−d 0 t
Output:
Updated witness forxid: (d0, W0, Q0)
Table 4: ProcedureUpdateWitness( )
2.4
Non-Revocation Proof
A user holding a U-Prove token authenticates himself by executing the regular U-Prove protocol. During this protocol he commits to the attributexid (the public output of the commitment isc˜id =
gxidg˜oid
1 and the private opening information of this commitment is(xid,o˜id)). Additionally, he creates a non-revocation proof using the functionGenerateNonRevocationProof:
Input:
Revocation parameters: Gq, hash functionH,g,g1,gt
Commitment toxid: ˜cid, where˜cid=gxidg ˜ oid 1
Opening information: xid,o˜id
RA public key: K
Revocation witness: (d, W, Q)
Computation:
generatet1, t2, k1, . . . , k6at random fromZq
X:=W gt1
Y :=QKt1
Cd:=gdtg t2
1
w:=d−1modq
z:=t1o˜id−t2modq
z0:=−t
2wmodq
T1:=Xk1(˜cidK)−k2g1k3
T2:=gk1gk14
T3:=Cdk5g1k6
c0:=H(g, g
1, gt, K,˜cid, X, Y, Cd, T1, T2, T3)
s1:=−c0xid+k1modq
s2:=−c0t1+k2modq
s3:=−c0z+k3modq
s4:=−c0˜oid+k4modq
s5:=−c0w+k5modq
s6:=−c0z0+k6modq
deletet1, t2, k1, ..., k6, w, z, z0, T1, T2, T3
Output:
non-revocation proof forxid: c0, s1, . . . , s6, X, Y, Cd
Table 5: ProcedureGenerateNonRevocationProof()
The non-revocation proof is given to the Verifier. [9] states that
Input:
Revocation parameters: Gq,H,g,g1,gt
Commitment toxid: c˜id
Non-revocation proof: c0, s1, . . . , s6, X, Y, Cd
Revocation Authority public key: K
Revocation Authority private key: δ
Revocation accumulator: V Computation:
T1:= (V Y−1(Cd)−1)c 0
Xs1(˜c
idK)−s2g1s3
T2:= ˜cc 0 idgs1g
s4
1
T3:=gc 0
t (Cd)s5gs16
verify thatc0=H(g, g1, gt, K,˜cid, X, Y, Cd, T1, T2, T3)
verify thatY =Xδ
Table 6: ProcedureVerifyNonRevocationProof()
3.
BREAKING SECRECY OF REVOCATION
LIST
According to Sect. 2.3 of [9,10], the revocation attributes of the revoked users can be kept secret, if the revocation witnesses are computed and delivered to the users by the Revocation Authority. For some reason the authors of the extension believe that this might be a useful functionality. One of them could be that disclosing the number of revoked users might be a valuable business information. Nevertheless, in this section we show the following result which shows that the attempts to hide the revocation listrare futile:
THEOREM 1. Assume that the protocol from [9, 10] is imple-mented as it is stated in the specification. Then even if the Re-vocation Authority delivers the reRe-vocation witnesses to the users, an adversary can retrieve all revocation attributes of the revoked users.
The point is that the documents [9,10] do not provide any mecha-nism designed for preserving secrecy of the revocation listR. We show that the revocation attributes belonging toRcannot be kept secret in a straightforward manner (i.e., by not publishing them), and some additional mechanism is necessary if their secrecy is an objective. Let us note that this section as a warm-up before the main results of Sect.4, where fundamental privacy threats are shown. However, as it will become clear at the end of Sect.4, hiding the revocation list is somehow related to hiding malicious setup of the Revocation Authority.
3.1
Reconstruction of the Revocation List
We concern a late launch attack, where the adversary decides to recover the identities of all users revoked so far, but has no data concerning all previous updates performed by the Revocation Au-thority. (This situation occurs when the adversary joins the system relatively late.) We show that nevertheless an adversary can recover identities of all users revoked assuming that sufficiently many of the users collaborate with the adversary.
Let us assume that at the moment considered the total number of re-voked users iskand the setUof users colluding with the adversary has cardinality at leastk+ 1. Letx1, . . . , xk+1be the revocation attributes of these users. Then we claim that the adversary can re-construct the following polynomial:
f(X) = (X+xi1)·(X+xi2)· · · · ·(X+xik), (2) wherexi1, ..., xikare the revocation attributes of all revoked users. Since factorization inZq[X]is easy, oncefis found, then the val-ues ofxij can be easily reconstructed.
First observe that according toComputeWitnessprocedure, the user holdingxi obtains a revocation witness that containsdi =
f(−xi). Hence, in order to reconstruct the polynomial f it suf-fices to run the Lagrangian interpolation algorithm on the pairs
(−x1, d1), . . . ,(−xk+1, dk+1).1
3.2
Attacking update’s data
The Revocation Authority may defend itself against the above men-tioned attack by keeping a large number of dummy users in the set
Rof revoked users. In this casek= degfbecomes large and the adversary is unable to findk+ 1users to immediately gatherk+ 1
pairs(xi, di)satisfyingf(−xi) =di. In this case the adversary may execute the following attack aiming to recover the revocation attributes of the users that are either revoked or admitted again dur-ing the current update.
Assume that a user holdingxiand a witness(di,−,−) correspond-ing to the set of revoked usersRobtains a new witnessd0i. Then:
d0i di =
PA(xi)
QB(xi), where
PA(X) =Qx0∈A(x0−X), QB(X) =Qx0∈B(x0−X) andAdenotes the set of revocation attributes that have been added toRsince the last update of users’ witnesses, whereasBdenotes the set of revocation attributes that have been removed fromRsince this moment. SinceAandBare disjoint,gcd(PA(X), QB(X)) =
1. That is, the user gets a valuefi=d0i/diof some rational func-tion at pointxi:
PA(xi)
QB(xi) =fi, (3) wheredegPA(X) =|A| ≥0,degQB(X) =|B| ≥0.
LetUbe the set of users controlled by the adversary aiming to get the revocation attributes of the revoked users. When the update is done by the Revocation Authority, each user gets a new revocation witness. So the adversary can derive the pair(xi, fi)for eachxi∈ U. The adversary shall use these pairs to interpolate the rational function
PA(X) QB(X) =
p0+p1X+···+pmXm
q0+q1X+···+qnXn , (4) wherem = |A|andn = |B|. The adversary aims to calculate bothPA(X)andQB(X). Once it is done, it is easy to factorize
PA(X)andQB(X)in the polynomial ring and learn the revocation attributes of the users revoked and admitted back to the system. Letk=|U |. Assume thatmandnhave been guessed correctly. By (3) and (4), we can build the following system of linear equations
p0+p1x1+...+pmxm1 −f1q0−f1q1x1−...−f1qnxn1 = 0
p0+p1x2+...+pmxm2 −f2q0−f2q1x2−...−f2qnxn2 = 0
. . .
p0+p1xk+...+pmxmk −fkq0−fkq1xk−...−fkqnxnk = 0
(5)
with unknownsp0, p1, . . . , pm,q0, q1, . . . , qn. The system (5) can be rewritten as
Mk,m+n+2·Um+n+2=θk, whereθkis the vector ofkzeroes,
Um+n+2= [p0, p1, p2, . . . , pm, q0, q1, q2, . . . , qn]T
1
is the vector ofm+n+ 2unknowns, andMk,m+n+2is ak×(m+
n+ 2)matrix of known coefficients fromZq:
1 x1 x21 . . . xm1 −f1 −f1x1 −f1x21 . . . −f1xn1
1 x2 x22 . . . x m
2 −f2 −f2x2 −f2x22 . . . −f2xn2 ..
. ... ... ... ... ... ... ...
1 xk x2k . . . xmk −fk −fkxk −fkx2k . . . −fkxnk
Since the system (5) is homogeneous we treat the set of solutions of the formα·Um+n+2, whereα∈Zq\ {0}, as a single solution
Um+n+2.
Note thatMk,m+n+2 = [Vk,m+1 Fk,k·Vk,n+1],whereFk,k =
diag(−f1,−f2, ...,−fk)is the diagonal matrix of sizek×k, and
Vk,`+1=
1 x1 x21 . . . x`1
1 x2 x22 . . . x`2 ..
. ... ... ...
1 xk x2k . . . x`k
is the Vandermonde matrix of sizek×(`+ 1).
Obviously, rank(Mk,m+n+2)≤m+n+ 2. Hence, even ifk >
m+n+ 2, it is sufficient to use the firstm+n+ 2rows of the matrix because the next ones give no additional information. If after reducing the matrix to the row echelon form it happens that rank(Mm+n+2,m+n+2) =m+n+ 2, then the only solution for
Um+n+2is the all zero vectorθm+n+2, which means that our guess formandnwas incorrect. If after reducing the matrix to the row echelon form it turns out that rank(Mm+n+2,m+n+2)< m+n+2, then we may neglect a row which turns out to be linearly dependent from the other rows and we use the following theorem:
THEOREM2 (THM4.3.4FROM[13]).
LetMm+n+1,m+n+2= [Vm+n+1,m+1 Fm+n+1,m+n+1·Vm+n+1,n+1]be
a real- or a complex-valued matrix of rankm+n+ 1−t. Then there exists a unique non-zero solutionUm+n+2corresponding to
polynomialsPA∗(X),Q
∗
B(X)with degrees at mostm−tandn−t.
Moreover, all solutions have the form
r(X) = S(X)PA∗(X)
S(X)Q∗B(X), (6)
whereS(X)is a polynomial of degree at mostt.
Although Theorem2considers matrices with coefficients from fields of characteristic 0 (which means that by adding 1 we shall never obtain 0), in large prime fieldsFq the event that some matrix co-efficient will “accidentally” vanish during calculation of the rank seems to be highly improbable. On the other hand, ifqis relatively small, then to minimize the risk of an “accidental underestimation” of the rank one could use matrices with the number of rows greater thanm+n+ 2. Consequently, we have the following procedure for finding the polynomialsPA(X),QB(X):
1. We make a guess form0, n0being the realistic upper bounds for the polynomials degreesmandn, respectively.
2. We generate the matrixMm0+n0+2,m0+n0+2and reduce it to the row echelon form to calculate its rank (if the rank will be appropriate the row echelon form will facilitate the final computations).
3. If rank(Mm0+n0+2,m0+n0+2) = m0+n0+ 2, then we in-crease both valuesm0, n0and go to the point2(alternatively, if for the current valuesm0, n0we havem0+n0+ 2 =|U |, we may increase one of the valuesm0, n0at the cost of the other one).
4. If rank(Mm0+n0+2,m0+n0+2) =m0+n0+ 1−tandt >
0, then we assignm0 :=m0−t,n0 := n0−tand go to the point2. Sincegcd(PA(X), QB(X)) = 1we have in equation (6) thatS(X)≡1.
5. At this point we have rank(Mm0+n0+2,m0+n0+2) = m0+
n0+1. We start to determine the vectorUm0+n0+2by assign-ing 1 to the coordinate which corresponds to the first column of the matrix (counting from the left) that contains a zero on the main diagonal. In this way value one is assigned to the only independent coordinate of vectorUm0+n0+2. Then on the basis of the row echelon form we determine the remain-ingm0+n0+ 1coordinates. From the form of the matrix and from the fact that the system (5) is homogeneous it fol-lows that the only independent coordinate ofUm0+n0+2 cor-responds to the leading coefficient of the polynomialQB(X) (recall thatn≤n0). In this way we obtain the monic poly-nomialsPA(X),QB(X).
Note that the attack described above may sometimes help to re-construct the polynomialfeven if initially its degree is too large. Recall that the revoked users could be admitted back to the system. So it may happen that at some moment the set of users that were revoked at the initial stage of the attack and are still in the revoked set is reduced below the number of users cooperating with the ad-versary. So, if this happens and if the adversary keeps track on the changes in the set of revoked users, then he can reconstruct the set of the revoked users at each moment.
Experimental results.
In order to check relevance of our method (recall that Theorem2concerns the fields of characteristic 0), we have implemented the procedure described above using the NTL library [14]. 1000 experiments has been performed for a256-bit primeq. We have not encountered a matrixMm0+n0+2,m0+n0+2 with rank(Mm0+n0+2,m0+n0+2) ≤m0+n0+ 1, whenm0 < m orn0< n(note that this would lead to false results concerning the polynomialsPA(X),QB(X)). Moreover, for any given experi-ment the point4of the procedure has always been executed at most once witht >0. That is, whent >0had been encountered, then after the assignmentm0:=m0−t,n0:=n0−tat least one of the equalitiesm0=m,n0=nwas satisfied.4.
TRACING USERS’ ACTIVITIES
In this section we show that after some manipulations on the side of the Revocation Authority the U-Prove system with revocations becomes a perfect “Big Brother” tool for spying the users via non-revocation proofs.This is the main result of this paper.
The schemes proposed in [9, 10] are aimed to be suitable for a groupGq being a “standard construction”, which means that the group Gq (see Table 1) need not to be pairing-friendly. Conse-quently, to verify the equalityY =Xδin the procedure from Ta-ble6the private keyδis needed.
1. “The Revocation Authority is a [. . . ] party that manages the revocation list and validates the users’ non-revocation proofs”.
2. WithinGenerateNonRevocationProof( )the elements
W andQappear inX andY respectively in powers known to the Revocation Authority (simply in powers equal to one). The initial attacks are less demanding computationally. However, the latter attacks seem to be more general: they remain undetectable even if witnesses are updated by the users from the very beginning of the revocation system work, that is, even if the complete list of the revoked revocation attributes is public. The attacks are de-scribed below for [10], however they work for [9] after only minor changes.
4.1
Updates Done by Revocation Authority
In this section we assume that the Revocation Authority periodi-cally provides updated revocation witnesses to the users computed withComputeWitness. According to Sect. 2.3 of [10],“If the revocation list is secret, or for better efficiency, the witnesses are computed by the Revocation Authority . . . ”. Hence, the situation described is one of the scenarios proposed.
The idea is to provide corrupted revocation witnesses. They lead to failure of the equalityXδ=Y, but at the same time the Revocation Authority will be able to verify thatXandY has been created ac-cording to theGenerateaNonRevocationProofprocedure. Moreover, the Revocation Authority will be able to identify the re-vocation attribute of the user that has createdXandY. Therefore, the Revocation Authority will be able to create the correct answer to for theVerifyNonRevocationProof()procedure despite the manipulations.
The user is given a witness(d, W, Q)that deviates from the proto-col. Namely:
correct execution corrupted execution
1. W W(according to the specification) 2. d d := d+ ∆where∆chosen at
random anddis computed accord-ing to the specification
3. Q Q:=V ·W−xid·gt−d
4. output(d, W, Q) output witness(d, W, Q)
Potentially, manipulation ofdmight lead to a situation that the ver-ification of the non-revocation proof would fail already in the part that can be executed by the user or by a verifier different from the Revocation Authority. Note thatVerifyNonRevocationProof() can be executed by anybody except for the testY =? Xδ
. The first test yields the positive result if the arguments for the hash function Hare the same as whenc0has been computed. So we require that computingT1,T2andT3duringGenerateNonRevocationProof() andVerifyNonRevocationProof()yield the same results. It may be checked that this is the case even if the valuedis manip-ulated as described above (for details see the Appendix, Sect.A). Note that
Q Q =
V ·W−xid·g−d t
V ·W−xid·g−d−∆ t
=g∆t .
Now consider verification of the valuesX, Y given for inspection to the Revocation Authority and created from a corrupted witness
(d, W, Q)given to a user. The Revocation Authority gets the values
X =W·gt1andY =Q·Kt1. Observe that
Xδ=Wδ·gt1·δ=Wδ·Kt1=Q·Kt1=Y
where the valueY corresponds to the honest protocol execution. On the other hand, the Revocation Authority getsY =Q·Kt1. So
Xδ Y =
Q·Kt1 Q·Kt1 =
Q Q =g
∆ t .
So a malicious Revocation Authority acts, for instance, as follows:
• for a user holdingxidcreate a corrupted witness and store the pair(g∆t , xid)in the local databaseT,
• during verification of the conditionXδ =Y forX andY
submitted by a verifier check the valueZ :=Xδ/Y against the entries in the database. If there is a pair(Z, xid), then the Revocation Authority respondscorrect, otherwise the Revocation Authority answersfalse.
In the first case the Revocation Authority learns that the user withxidauthenticates himself against the verifier that has submitted the query.
As we see, the malicious Revocation Authority can create the full history of all activities of all users. Moreover, the verifier MUST ask the Revocation Authority to verify the equationXδ =Y. In-deed, if the conditionXδ = Y
would not be verified, then a re-voked user could present a valid non-revocation proof. Namely, in-stead of using the witness(d, W, Q)obtained from the Revocation Authority, the user may create himself a fake witness(d, W , Q), whered, W are chosen at random andQ=V ·W−xid·g−d
t . Note that secrecy of the revocation listRis essential for hiding the attack. Otherwise on the basis of formula (2), a user holdingxid could reconstruct the polynomialfand check whetherf(−xid) =
d. Accordingly, the Revocation Authority should insist that hiding revocation attributes of the revoked users is necessary for privacy protection and should deploy techniques such using large number of dummy users to defer the attacks presented in Sect.3.
4.2
Switching to the Public Mode
Now we investigate the scenario that at some moment the system is switched from the mode “Update of Witnesses done by the Revoca-tion Authority” to the mode where the witnesses are recomputed by the users themselves according to the procedureUpdateWitness. However, we still assume that the complete setRof revoked users will not be published. We also assume that when a user joins the system the first revocation witness(d, W, Q)is given to the user by the Revocation Authority. This is a pragmatic assumption in-creasing system’s usability and it results from the fact that without knowing the whole setRthe users cannot compute initial witnesses by themselves.
The initial revocation witness(d0, W0, Q0)given to the user hold-ingxidis created as follows:
Input:
RA private key: δ∈Zq
Revocation parameter: gt
List of revoked attribute values: R
New user’s revocation attribute: xid6∈R
Current accumulator: V
Auxiliary database: T
Computation:
1. computedandWviaComputeWitnessforRandxid
2. chooseuat random 3. d:=d+umodq
4. Q:=V W−xidg−d t
Output:
insert(gu
t, xid)in the databaseT
give(d, W, Q)to the user holdingxid
Table 7: Creating a corrupted initial witness
The databaseT stores information necessary to link the verification requests with the users. Note that ifQis the non-corrupted value, thenQ=V W−xidg−d
t . HenceQ·g
−u t =Q. For the corrupted witness(d, W, Q)note that:
• the verification test concerningc0succeeds (note that this test can be done by any verifier),
• the Revocation Authority gets the valuesX,Y for which the regular verification by the Revocation Authority fails in the following way:
Xδ=Wδgt1δ=QKt1=Qgu
tK
t1 =Y gu
t 6=Y However, the Revocation Authority may search for an entry
(Z, xid)such thatXδ·Y−1 =Z. If there is such an entry, then the answer to the verification query iscorrectand as a side effect the Revocation Authority learnsxid. Otherwise, the answer isfalse.
Now let us consider the situation after the user holdingxidupdates the revocation witness because of revocation ofx0.
• According toUpdateWitness, the new value of the pa-rameterd, called belowd1, equals
d1 =d(x0−xid) = (d+u)(x
0
−xid) =d1+u(x0−xid), whered1 =d(x0−xid)is the correct value that would be obtained for the correct initial witness.
• The value of W will be updated to the correct value W1, since no manipulated value is applied for the update. • The new value ofQequals
Q1 = V W−xidg
−d1
t =V W
−xid
g−d1−u(x0−xid) t
= Q1g
−u(x0−xid)
t .
whereQ1is the value ofQcomputed for the correctd1.
Now, if the verifier presents a pair(X, Y)created by the user hold-ingxid, then
Xδ=W1δg t1δ=Q
1Kt1=Q1gu(x 0−x
id)
t K
t1 =Y gu(x0−xid)
t .
So we see that if each entry(Z, xid)of the databaseT is converted by the assignmentZ :=Zx0−xid, then the same procedure as be-fore can be used to answer the queries to the revocation authorities stated by the verifiers.
One can easily show that after revoking x01, . . . , x0k and adding
x001, . . . , x00mthe original entry(Z, xid)of databaseTbecomes con-verted to(Z0, xid), where
Z0=Z(x01−xid)·...·(x0k−xid)·(x001−xid)−1·...·(x00m−xid)−1 and the same procedure as above for answering the queries to the Revocation Authority can be applied.
4.3
Tracing Independent of Updating Entity
The attack below remains undetected even if the complete listR
of revoked revocation attributes is public. This is achieved by not manipulating the parameters used for witnesses computations.
4.3.1
Preliminary Observations
Let us note that the output of the RASetup( )procedure does not include a proof of equality of the discrete logarithms within the pairs:(gt, gδt),(g, K), where the 1st element in the pair denotes the base element and the 2nd element denotes the exponentiation result. Accordingly, the Revocation Authority may choose the valuesδ
andloggKto be different moduloq. LetK=g ˜ δ
. One can easily see that VerifyNonRevocationProof( )does not enforce equality of discrete logarithms for(gt, gtδ)and(g, K). This fact will be exploited in our attack.
4.3.2
The Attack
We assume that the Revocation Authority knows all the valuesxid (hence it is able to compute witnesses of all users). TheRSSetup procedure is executed in a slightly different way. Namely, the Revocation Authority choosesδ˜ 6= δmodq at random and sets
K := g˜δ
instead ofK := gδ
. Note that due to the hardness of the Decisional Diffie-Hellman Problem it is infeasible to detect this manipulation.
DuringVerifyNonRevocationProof( )the Revocation Au-thority, instead of checking equalityY =Xδexecutes the follow-ing steps:
1. fW :=Y ·X
−δ˜ .
Note thatX andY were calculated correctly by the prover, then we getWf=Q·W
−δ˜ .
2. cW :=Wfη, whereη= (δ−˜δ)−1modq.
Note that bothδandδ˜are known to the Revocation Authority. If the witness was correctly computed by the user, then, by (1), the Revocation Authority gets
c
W =Wδ−˜δ
(δ−δ˜)−1modq
=W.
the listRof revoked users changes. The Revocation Authority may create the database containing the current value ofWfor eachxid. The computation can be easily performed by a SIMD architecture (e.g. a farm of GPU processors).
4.3.3
Removing
Yfrom the Non-Revocation Proof
One could attempt to defend against the attack by removingY from the data passed to the Revocation Authority. Instead, the Authority may calculate a candidateYW forY used by the prover by settingYW =Xδand checking it againstc0:
c0=? H(g, g1, gt, K,c˜id, X, Y, Cd, T1, T2, T3) (7) However, for eachWthe Revocation Authority must compute the candidate value
YW :=Wδ
−˜δ
X˜δ.
Note that for the correctW YW =Wδ−
˜ δ
· W gt1˜δ
=Wδ·g˜δ
t1
=QKt1=Y
and for suchYW equality (7) holds. Otherwise, it may hold only via a collision of the hash functionH.
4.4
Tracing when
g
δ=
K
To prevent the attack from Subsect.4.3one could propose a patch for the system by demanding a proof of equality of discrete log-arithms when publishing the public parameters of the Revocation Authority. Below we show that it is not enough, however the attack gets more involved.
During the corruptedRSSetupprocedureα1, α2 are chosen at random so thatα26=α1modq. Then
δ:= (α1+α2)·2
−1
modq . (8) If the orderqofgis a large prime number, then2−1modqexists. On the other hand, ifgcd(2, q) > 1, then it is easy to generalize the reasoning below to the representationδ = (α1+· · ·+α`)·
`−1modqfor some`coprime toq(in this case the definition of
Λi given below would change toΛi := g (αi
1+···+αi`)·` −1modq
t ).
We shall use the following notation:
Λi:=g (αi
1+αi2)·2−1modq
t and ∆i:=gδ i
t (9)
fori= 0,1,2, . . .. Note thatΛ0= ∆0=gtandΛ1= ∆1. Note that in order to get the accumulatorV one can first compute the exponent Qmi=1(δ+xi) and then raise gt to the computed power. An alternative when is to get first the numbers∆i, then computeQmi=1(δ+xi)as a polynomial ofδ, i.e.Qmi=1(δ+xi) = Pm
i=0ai·δ i
, and finally putV :=Qmi=0(∆i)ai. Below we assume that instead of using the vector
t= (∆0,∆1,∆2, . . . ,∆m) (10) the Revocation Authority will use the vector
t0= (Λ0,Λ1,Λ2, . . . ,Λm) (11) to calculate the value of the accumulator V. Hence the attack below exploits the fact that the protocol from [10] does not in-clude any proof of equality of discrete logarithms between the pairs
(∆0,∆1),(∆i,∆i+1)fori= 1,2, . . ., where the first element in the pair denotes the base of the logarithm, and the second element denotes the exponentiation result.
4.4.1
Preliminary Observations.
Recall that according to [10] users’ witnesses are computed by ComputeWitness( )or UpdateWitness( ). As we shall see, the first method may be extended to a more direct method of computingW andQ, a method that may be run by (a set of) users. Hence if the second method is available to the users, then both methods should be coherent, i.e. the results obtained by the direct method and byUpdateWitness( )should be the same.
Updating Witnesses by the Revocation Authority.
Sup-pose that a group of users has reconstructed the polynomialffrom (2) as described in Sect.3.1. Thenk−1users will be able to find the powersgYk−1t , g Yk−2
t , . . . , g Y1
t that are used by the Authority to generate the values of the witnesses. Namely, consider the fol-lowing procedure:
1. A colluding user holding own parameters xid, did and the global parameterf(X)finds the polynomial
gid(X) = (f(X)−did)/(X+xid) = 0 X
j=k−1
µid,jXj (12)
So the user learns all the coefficientsµid,jin the equation
g
P0
j=k−1µid,jYj
t =Wid, (13)
where for eachj=k−1, k−2, . . . ,1the unknownYj pre-sumably satisfies the conditionYj=δj. We must emphasize that the colluding users assume that in (13) the valuesWid are indeed calculated according to the protocol. However,
gYj
t will successfully be determined even ifYj 6=δjfor at least some of thej= 0,1, . . ..
2. The colluding users gather allk−1equations together and for the system of equations
g
Pk−1
j=1µid1,jYj
t = Wid1·g
−µid1,0
t
g
Pk−1
j=1µid2,jYj
t = Wid2·g
−µid2,0
t
. . .
g
Pk−1
j=1µidk−1,jYj
t = Widk−1·g
−µidk−1,0
t
(14)
perform Gaussian elimination in the exponents. That is, stead of scalar multiplications they have exponentiations, in-stead of subtractions they have divisions in the group gener-ated bygt. Sincexidare assumed to be random and indepen-dent, they count for the corresponding matrix (i.e., the matrix
[µidi,j], fori, j∈ {1, . . . , k−1}) to be invertible.
2Thereby the colluding users should obtain the set of solutionsgYj
t , for
j=k−1, . . . ,1.
Of course, if the set of revoked users increases over time to some valuek0(k0> k), then to find the newly usedgYk0 −1
t ,g Yk0 −2 t , . . . ,
gYk t onlyk
0
−kcolluding users are needed. The same follows for the accumulatorV: ifgYk−1
t ,g Yk−2
t , . . . ,g Y1
t are found andV =
Qid·W xid id ·g
did
t is calculated by each user with the corresponding
xidand corresponding witness(did, Wid, Qid), theng Yk t is easily calculated by any colluding user fromV,gYk−1
t ,g Yk−2
t , . . . ,g Y1
t .
2It may happen that the matrix in not invertible, but via a number
Assume thatfis the polynomial (2) from a revocation round, and
degf≤k. Then knowingfand the powersgYj
t , forj=k, . . . ,1, each colluding user can calculate the accumulator value and the witness corresponding to thatfandxid. Indeed, the user computes
did:=f(−xid) (15) and the quotient polynomial (12). Finally, he directly computes:
Wid := Q0j=k−1
gYj t
µid,j
,
Qid := Q0j=k−1
gYj+1
t
µid,j
(16)
forµid,jsuch thatgid(X) =P0j=k−1µid,jXj. Note that in these computationsQidcorresponds toWidshifted by one step to the “higher” powersgYj+1
t reflecting the (presumed, but in case of the attack not satisfied) relationQid=Widδ.
Witnesses Updated by the Users.
A similar method can be applied in this case. Moreover, if the initial set of revoked users is empty, then all the necessary data for building the direct method are available to each single user (the user may create virtual identitiesxidto compute their witnesses and thus to gather the data for the system (14)). Once the direct method of computingWidandQidis obtained, it can be used interchangeably withUpdateWitness( ).
4.4.2
Coherence of Witness Computation Methods
Some users may sometimes prefer to use the direct method of com-putingWid,Qidover theUpdateWitness( )procedure. Con-sider the exemplary scenarios:• the degree of polynomialf(X)does not change much but there are many fluctuations onR(some users are revoked but some are admitted back to the system), and a user updating the witness makes the update only occasionally (i.e., only when needed),
• a new client application that include theUpdateWitness( ) procedure undergoes tests and some independent method for computing the witnesses is needed.
Let us take a closer look at theUpdateWitness( )procedure: The list of the arguments ofUpdateWitness( )contains the valueV of the old accumulator and the valueV0 of the new ac-cumulator. Byf˜(X)let us define the new polynomial being the product of all the binomials(X + ˜x)such thatx˜ ∈ R. That is,
˜
f(X) = f(X)·(X +x0), ifx0 has been added to the setRof revoked values, andf˜(X) =f(X)/(X+x0), ifx0has been re-moved fromR. Note that in the latter case(X+x0)divides the old polynomialf(X).
Ifdeg ˜f is greater than the degree of any polynomialfresulting from the setRpublished so far, then the Revocation Authority is the only party capable to calculateV0. In this way, for consecutive
i= 1,2, . . ., the next valueΛifrom vector (11) is implicitly intro-duced to the system by the Revocation Authority. (Note thatΛ0is already a part of the public key of the Revocation Authority). Let
˜
f(X) =P0
i=k0a˜iXi, f(X) =P0i=kaiXi, wherek0 = deg ˜f, k = degf,˜ai ∈ Zq are coefficients of the polynomialf˜, andai ∈ Zq are coefficients of the polynomialf.
We have˜ak0 = 1andak= 1, andk0=k+ 1ifx0is added toR andk0=k−1ifx0is removed fromR. So the users see:
V0=Qki=00 Λ˜ai
i , V = Qk
i=0Λ ai i ,
and the newΛk+1 always appears in power one. This yields an alternative method to learngYj
t ,j= 1,2, . . ., by the users. By (9),
V0 = Q0 i=k0g
˜ ai·
αi1 +αi2
2
t =g
1 2
P0
i=k0˜ai(αi1+αi2)
t
= gf˜(α1)+ ˜f(α2)
t
12
=gf˜(α1)
t ·g ˜ f(α2)
t 12
,
V = gf(α1) t ·g
f(α2) t
12
.
Similarly, for
Yj= (αj1+α j 2)·2
−1
modq, (17) wherej= 0,1, . . ., we have from (16), (15) and (12) that the direct computation ofWidandQidsatisfies the following equations
Wid = Q0j=k−1Λ µid,j j =g
1 2
P0
j=k−1µid,j(αj1+α
j
2)
t
= ggid(α1) t ·g
gid(α2) t
12
, (18)
Qid = Q0j=k−1Λ µid,j j+1 =g
1 2
P0
j=k−1µid,j(αj1+1+α
j+1 2 )
t
= ggid(α1)·α1
t ·g
gid(α2)·α2
t
12
. (19)
Note that the formulas (18) and (19) are also satisfied for the initial cases: fork= 0, i.e. forR=∅(thengid(X)≡0), and fork= 1, when the first revoked value appears inR(thengid(X)≡1). We shall check that (18) and (19) are invariants of the procedure UpdateWitness( ), that is, it yields the same results as the di-rect computations. This means that replacing the vector (10) with the vector (11) cannot be detected by the users. This issue is also crucial for robustness of theVerifyNonRevocationProof( ): if (in case of the attack) the two methods that could be used by a user would yield different results, then the update made on the side of the Revocation Authority could disagree with the update made by the user, yielding a false verification result.
The case
add=true.
d0id := did·(x0−xid) =f(−xid)·(−xid+x0) = ˜f(−xid).
Wid0 := V ·W (x0−xid) id
= gf(α1)
t ·g f(α2)
t 12
·ggid(α1)
t ·g gid(α2)
t
12·(x0−xid)
=
gf(α1)+gid(α1)·(x0−xid)
t ·g
f(α2)+gid(α2)·(x0−xid) t
12
.
Since for “add=true” we have:
f(X) +gid(X)·(x0−xid) =f(X) +
f(X)−did
X+xid
·(x0−xid)
= f(X)·(X+xid) + (f(X)−did)·(x
0−
xid)
(X+xid)
= f(X)·(X+xid) +f(X)·(x
0−
xid)−did·(x0−xid)
(X+xid)
= f(X)·(X+x
0
)−d0id
(X+xid)
=f˜(X)−d
0
id
(X+xid)
where the polynomial
˜
gid(X) := ( ˜f(X)−d0id)/(X+xid) =P0j=k0−1µ˜id,jXj is the quotient polynomial corresponding tof˜(X), we have that
Wid0 =
g˜gid(α1)
t ·g ˜ gid(α2)
t 12
=Q0 j=k0−1Λ
˜ µid,j j . (20) (the latter equality follows from the equalities (18)). Similarly:
Q0id := V0·(Wid0 )
−xid·g−d0id t =
gf˜(α1)
t ·g ˜ f(α2)
t 12
·
g˜gid(α1)
t ·g ˜ gid(α2)
t
12−xid ·g−d
0 id t ·g
−d0id t
12
= gf˜(α1)−xid·˜gid(α1)−d0id
t ·g
˜
f(α2)−xid·g˜id(α2)−d0id t
12
.
Observe thatf˜(X)−xid·˜gid(X)−d0idcan be computed as
˜
gid(X)·(X+xid) +d
0
id
−xid·g˜id(X)−d
0
id= ˜gid(X)·X. Hence
Q0id=
g˜gid(α1)·α1
t ·g
˜ gid(α2)·α2
t
12
=Q0 j=k0−1Λ
˜ µid,j j+1 . (21) The latter equality follows from the equalities (19). From (20) and (21) it follows that in the case “add=true” theUpdateWitness( ) procedure and the direct method yield the same results.
The case
add=false.
Similarly as before we computed0id:=did·(x0−xid)−1=f(−xid)·(−xid+x0)−1= ˜f(−xid).
Wid0:=V
0−1·W id
(x0−xid)−1
=
gf˜(α1) t ·g
˜ f(α2) t
−12
·ggid(α1) t ·g
gid(α2) t
1
2
!(x0−xid)−1
=
g(gid(α1)−f˜(α1))·(x
0−x id)−1
t ·g
(gid(α2)−f˜(α2))·(x0−xid)−1 t
12
.
In the case “add=false”,x0is removed fromR, so
gid(X)−f˜(X)
·(x0−xid)−1
= (x0−xid)−1·
gid(X)−
f(X) (X+x0)
= (x0−xid)−1·
gid(X)·(X+x0)−f(X) (X+x0)
= (x0−xid)−1·
gid(X)·(X+x0)−(gid(X)·(X+xid) +did) (X+x0)
= (x0−xid)−1·
gid(X)·(x0−xid)−did (X+x0)
=gid(X)−did·(x
0−x
id)−1 (X+x0) =
gid(X)−d0id
(X+x0) . (22)
On the other hand, from the equality
f(X) = gid(X)·(X+xid) +did
= gid(X)·(X+xid) +d0id·(x
0
−xid) and the equality
f(X) = f˜(X)·(X+x0)
= g˜id(X)·(X+xid) +d0id
·(X+x0) = ˜gid(X)·(X+x0)·(X+xid) +d0id·(X+x
0
)
it follows that
gid(X)·(X+xid) +d0id·(x
0
−xid)
= ˜gid(X)·(X+x
0
)·(X+xid) +d
0
id·(X+x
0
).
The latter equality is equivalent to
gid(X)·(X+xid) +d0id·(x
0
−xid)−d0id·(X+x
0
) = g˜id(X)·(X+x0)·(X+xid),
which in turn is equivalent to the equality
gid(X)·(X+xid)−d
0
id·(X+xid) = ˜gid(X)·(X+x
0
)·(X+xid). Consequently,
gid(X)−d
0
id= ˜gid(X)·(X+x
0
).
Hence in (22) gid(X)−f˜(X)
·(x0−xid)−1= ˜gid(X).Therefore by (18) we get:
Wid0 =
g˜gid(α1)
t ·g ˜ gid(α2)
t 12
=Q0 j=k0−1Λ
˜ µid,j j .
The reasoning forQ0idis exactly the same as in the case “add=true”. Accordingly, theUpdateWitness( )procedure and the direct method again yield the same results.
4.4.3
Tracing the users
We assume that the Revocation Authority knows all the valuesxid. Sincegδ =Kwe haveXδ/Y =Widδ/Qid. From (8), (12) and (13) forYjdefined in (17) we have:
Widδ
Qid
= W
α1 +α2 2
id
Qid
= g
gid(α1)+gid(α2)
t
12α1 +2α2
ggid(α1)·α1+gid(α2)·α2
t
12
= ggid(α1)·
α
1 +α2 2 −α1
+gid(α2)·
α
1 +α2 2 −α2
t
12
=
ggid(α1)·(α2−α1)+gid(α2)·(α1−α2)
t
14
= ggid(α1)−gid(α2)
t
α2−4α1
That is
Xδ Y
4·(α2−α1)−1modq
=ggid(α1)−gid(α2)
t . (23)
The exponent in the right hand side should depend onxidfor poly-nomialfsuch thatdegf≥3(note that the free coefficient of the polynomialgid(X)disappears in the differencegid(α1)−gid(α2), and that gid(X) is monic, so the leading coefficient of gid(X) carries no information about xid). Hence in the worst case the Revocation Authority may collude with three users to ensure that
degf≥3.
Similarly like in Subsect.4.3tracing is possible even ifY is not contained in the output of the non-revocation proof. We may use formula (23) to design an alternative version of the attack.
5.
FINAL REMARKS
for new trapdoors. Definitely, since U-Prove is a proprietary sys-tem, this is the role of its designers decide how to patch the system. In our attacks the Revocation Authority learns the revocation at-tribute when asked for checkingX andY. Interestingly, for [8] the non-revocation proof is checked by the verifier himself and all attack scenarios from this paper do not apply.
A general suggestion is to separate strictly the verifier and the Re-vocation Authority and blind the parametersX, Y before passing them to the Revocation Authority. That is, instead ofX, Y the Re-vocation Authority should getX0=Xt, Y0=Ytfor a randomt. Of course, this does not secure the user against collusion between the verifier and the Revocation Authority, as the verifier must use the originalX, Y as arguments for the hash functionH. So again, the user has to trust blindly the verifier.
6.
REFERENCES
[1] Security Team, IBM Research Zurich: Specification of the Identity Mixer Cryptographic Library. IBM Research Report 3730, IBM Research (2010). Available from:http: //domino.research.ibm.com/library/cyberdig. nsf/papers/EEB54FF3B91C1D648525759B004FBBB1/ $File/rz3730_revised.pdf
[2] Paquin, C.: On the Revocation of U-Prove Tokens. Tech. Report, Microsoft Research (September 2014). Available from:http://research.microsoft.com/pubs/ 228729/On%20the%20revocation%20of%20U-Prove% 20tokens.pdf
[3] Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Pfitzmann, B., ed.: EUROCRYPT. Vol. 2045 of LNCS, Springer (2001) 93–118
[4] Paquin, C., Zaverucha, G.: U-Prove cryptographic specification v1.1 (revision 3). Technical report (December 2013).http://research.microsoft.com/apps/ pubs/default.aspx?id=166969
[5] Brands, S.: Untraceable off-line cash in wallets with observers (extended abstract). In Stinson, D.R., ed.: CRYPTO. Volume 773 of LNCS, Springer (1993) 302–318 [6] Brands, S.A.: Rethinking Public Key Infrastructures and
Digital Certificates: Building in Privacy. 1 edn. MIT Press, Cambridge-London (2000).http://www.credentica. com/the_mit_pressbook.html
[7] Microsoft: U-Prove. Webpage of the project (retrieved 2014).http://research.microsoft.com/en-us/ projects/u-prove/
[8] Acar, T., Chow, S.S.M., Nguyen, L.: Accumulators and U-Prove revocation. In Sadeghi, A.R., ed.: Financial Cryptography. Vol. 7859 of LNCS, Springer (2013) 189–196 [9] Nguyen, L., Paquin, C.: U-Prove designated-verifier
accumulator revocation extension. Technical Report Draft Revision 1, Microsoft Research (September 2013 (updated February 2014)).http:
//research.microsoft.com/pubs/200817 [10] Nguyen, L., Paquin, C.: U-Prove designated-verifier
accumulator revocation extension. Technical Report Draft Revision 2, Microsoft Research (July 2014).
http://research.microsoft.com/apps/pubs/ default.aspx?id=219671
[11] Hanzlik, L., Kluczniak, K., Kutyłowski, M.: Attack on a U-Prove revocation scheme. In: Financial
Cryptography’2014, to appear in LNCS
[12] ABC4TRUST. Webpage of the project (retrieved 2014). https://abc4trust.eu/
[13] Dahlquist, G., Åke Björck: Numerical Methods in Scientific Computing: Volume 1. Society for Industrial and Applied Mathematics, Philadelphia, PA, USA (2008)
[14] Shoup, V.: NTL: A library for doing number theory. http://www.shoup.net/ntl/(2014) Ver.6.1. [15] European Network of Excellence in Cryptology II: Main
APPENDIX
A.
EQUIVALENCE OF THE WAYS OF
COM-PUTING
T1,
T2,T3In this section we show that the ways of computingT1,T2andT3 by the proceduresGenerateNonRevocationProof()and VerifyNonRevocationProof()are equivalent. The main point is that this holds even if the parameterdis manipulated and not computed according toComputeWitness(). Otherwise, we assume that the remaining parameters are computed as described in Sect.2.
First we check two ways of computingT1. According to GenerateNonRevocationProof()
T1=Xk1(˜cidK)−k2g1k3
whileVerifyNonRevocationProof()states that
T1= (V Y−1(Cd)−1)c 0
Xs1(˜c
idK)−s2gs13 Hence we have to prove that
(V Y−1(Cd)
−1
)c0Xs1(˜c
idK)
−s2gs3
1 ?
=Xk1(˜c
idK)
−k2gk3
1 Below we get a sequence of equations equivalent to the inspected one:
(V Y−1(Cd)−1)c 0
Xs1−k1(˜c
idK)−s2+k2g1s3−k3 ?
= 1 (V Y−1(Cd)−1)c
0
X−c0xid(˜c idK)c
0t
1g−c0z
1 ?
= 1
V Y−1(C
d)−1X−xid(˜cidK)t1g1−z ?
= 1
V(QKt1)−1(C
d)−1X−xid(˜cidK)t1g−1z ?
= 1
V Q−1(Cd)−1X−xid(˜cid)t1g−1z ?
= 1
V(V W−xidg−d t )
−1(C
d)−1X−xid(˜cid)t1g−1z ?
= 1
Wxidgd
t(Cd)−1X−xid(˜cid)t1g−1z ?
= 1
Wxidgd
t(Cd)−1(W gt1)−xid(˜cid)t1g−1z ?
= 1
gd
t(Cd)−1(gt1)−xid(˜cid)t1g−1z ?
= 1
gtd(gtdg t2
1 )
−1
(gt1)−xid(˜c id)t1g−1z
?
= 1
g−t2
1 (g
t1)−xid(˜c id)t1g−1z
?
= 1
g−t2
1 (g
t1)−xid(˜c id)t1g
−(t1o˜id−t2) 1
?
= 1 (gt1)−xid(˜c
id)t1g
−t1o˜id 1
?
= 1 (gt1)−xid(gxidgo˜id
1 )
t1g−t1˜oid 1
?
= 1
The last equation is obviously true.
Similarly, we have to check equivalence of two ways of computing
T2, which is once computed as˜cc 0 idg
s1gs4
1 and once asg k1gk4
1 . The following equations are equivalent:
gk1gk4
1 ?
= ˜ccid0g s1gs4
1
1= ˜? cc0 idgs1
−k1gs4−k4
1
1= ˜? ccid0g
−c0xidg−c0˜oid 1
1= (? gxidg˜oid 1 )
c0
g−c0xidg−c0˜oid 1 The last equation is obviously true.
Finally, we check equivalence of two ways of computingT3:
Ck5
d g k6
1 ?
=gct0(Cd)s5g1s6
1=? gc0
t (Cd)s5−k5gs16−k6
1=? gct0(Cd)−c 0w
g1−c0z0
1=? gtCd−wg−z 0 1
1=? gt(gtdg t2
1 )
−w
g−1z0
1=? gt1−dw(g t2
1 )
−w
g1−z0
1= (? gt2
1 )
−wg−z0 1
1= (? g−t2w−z0
1 )
