Fully Anonymous Attribute Tokens from Lattices [chapter]

Jan Camenisch, Gregory Neven, Markus Rückert
2012 Lecture Notes in Computer Science  
Anonymous authentication schemes such as group signatures and anonymous credentials are important privacy-protecting tools in electronic communications. The only currently known scheme based on assumptions that resist quantum attacks is the group signature scheme by Gordon et al. (ASIACRYPT 2010). We present a generalization of group signatures called anonymous attribute tokens where users are issued attribute-containing credentials that they can use to anonymously sign messages and generate
more » ... ens revealing only a subset of their attributes. We present two lattice-based constructions of this new primitive, one with and one without opening capabilities for the group manager. The latter construction directly yields as a special case the first lattice-based group signature scheme offering full anonymity (in the random-oracle model), as opposed to the practically less relevant notion of chosen-plaintext anonymity offered by the scheme of Gordon et al. We also extend our scheme to protect users from framing attacks by the group manager, where the latter creates tokens or signatures in the name of honest users. Our constructions involve new lattice-based tools for aggregating signatures and verifiable CCA2-secure encryption. This work was supported by CASED (www.cased.de) and ECRYPT II (http://www.ecrypt.eu.org/). 1 Note that secret keys can always be made of constant length by storing the random seed used to generate the key instead of the key itself. Likewise, one can always publish the hash of the public key instead of the public key itself. The first trick involves re-generating keys, which is particularly costly in lattice-based schemes that use trapdoors. The latter trick comes at the cost of having to attach the full public key to each signature or token. 2 The "selective-policy" anonymity notion of [Kha07] allows linkability of signatures when a signer signs the same message with the same set of revealed attributes twice. The traceability notion merely implies that any valid signature will open to some user. There is no guarantee that it opens to the actual signer behind the signature, however, nor does the notion offer any protection against users claiming attributes that they do not possess.
doi:10.1007/978-3-642-32928-9_4 fatcat:khkufyiwvndenor562we2xuvwy