A new approach to efficient revocable attribute-based anonymous credentials

Abstract

Recently, a new paradigm to construct very efficient multishow attribute-based anonymous credential (ABC) systems has been introduced in Asiacrypt’14. Here, structure-preserving signatures on equivalence classes (SPS-EQ-R), a novel flavor of structure-preserving signatures (SPS), and randomizable polynomial commitments are elegantly combined to yield the first ABC systems with O(1) credential size and O(1) communication bandwidth during issuing and showing. It has, however, been left open to present a full-fledged revocable multishow attribute-based anonymous credential (RABC) system based on the aforementioned paradigm. As revocation is a highly desired and important feature when deploying ABC systems in a practical setting, this is an interesting challenge. To this end, we propose an RABC system which builds upon the aforementioned ABC system, preserves its nice asymptotic properties and is in particular entirely practical. Our approach is based on universal accumulators, which nicely fit to the underlying paradigm. Thereby, in contrast to existing accumulator-based revocation approaches, we do not require complex zero-knowledge proofs of knowledge (ZKPKs) to demonstrate the possession of a non-membership witness for the accumulator. This is in part due to the nice rerandomization properties of SPS-EQ-R. Thus, this makes the entire RABC system conceptually simple, efficient and represents a novel direction in credential revocation. We also propose a game-based security model for RABC systems and prove the security of our construction in this model. Finally, to demonstrate the value of our novel approach, we carefully adapt an efficient existing universal accumulator approach (as applied within Microsoft’s U-Prove) to our setting and compare the two revocation approaches when used with the same underlying ABC system.