Formal Analysis of a TTP-Free Blacklistable Anonymous Credentials System (Full Version)

This paper firstly introduces a novel security definition for BLAC-like schemes (BLAC represents TTP-free BLacklist-able Anonymous Credentials) in the symbolic model using applied pi calculus, which is suitable for automated reasoning via a certain formal analysis tool. We model the definitions of some common security properties: authenticity, non-framebility, mis-authentication resistance and privacy (anonymity and unlinkability). Then the case study of these security definitions is demonstrated by modelling and analyzing BLACR (BLAC with Reputation) system. We verify these security properties by Blanchet’s ProVerif and a ZKP (Zero-Knowledge Proof) compiler developed by Backes et al.. In particular, we model and analyze the express-lane authentication in BLACR system. The analysis discovers a known attack that can be carried out by any potential user. This attack allows a user escaping from being revoked as he wishes. We provide a revised variant that can be proved successfully by ProVerif as well, which also indicates that the fix provided by ExBLACR (Extending BLACR) is incorrect

Blacklistable Anonymous Credentials: Blocking Misbehaving Users without TTPs (Extended Version)

Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user\u27s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems such as ``e-cash\u27\u27 have been proposed in which users are deanonymized under only certain types of well-defined misbehavior such as ``double spending.\u27\u27 While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior. We present the first anonymous credential system in which services can ``blacklist\u27\u27 misbehaving users without contacting a TTP. Since blacklisted users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP

Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments

Decentralized systems are a subset of distributed systems where multiple authorities control different components and no authority is fully trusted by all. This implies that any component in a decentralized system is potentially adversarial. We revise fifteen years of research on decentralization and privacy, and provide an overview of key systems, as well as key insights for designers of future systems. We show that decentralized designs can enhance privacy, integrity, and availability but also require careful trade-offs in terms of system complexity, properties provided, and degree of decentralization. These trade-offs need to be understood and navigated by designers. We argue that a combination of insights from cryptography, distributed systems, and mechanism design, aligned with the development of adequate incentives, are necessary to build scalable and successful privacy-preserving decentralized systems

Attribute-based Anonymous Credential: Optimization for Single-Use and Multi-Use

User attributes can be authenticated by an attribute-based anonymous credential while keeping the anonymity of the user. Most attribute-based anonymous credential schemes are designed specifically for either multi-use or single-use. In this paper, we propose a unified attribute-based anonymous credential system, in which users always obtain the same format of credential from the issuer. The user can choose to use it for an efficient multi-use or single-use show proof. It is a more user-centric approach than the existing schemes. Technically, we propose an interactive approach to the credential issuance protocol using a two-party computation with an additive homomorphic encryption. At the same time, it keeps the security property of impersonation resilience, anonymity, and unlinkability. Apart from the interactive protocol, we further design the show proofs for efficient single-use credentials which maintain the user anonymity

Zero-Knowledge Proof-of-Identity: Sybil-Resistant, Anonymous Authentication on Permissionless Blockchains and Incentive Compatible, Strictly Dominant Cryptocurrencies

Zero-Knowledge Proof-of-Identity from trusted public certificates (e.g., national identity cards and/or ePassports; eSIM) is introduced here to permissionless blockchains in order to remove the inefficiencies of Sybil-resistant mechanisms such as Proof-of-Work (i.e., high energy and environmental costs) and Proof-of-Stake (i.e., capital hoarding and lower transaction volume). The proposed solution effectively limits the number of mining nodes a single individual would be able to run while keeping membership open to everyone, circumventing the impossibility of full decentralization and the blockchain scalability trilemma when instantiated on a blockchain with a consensus protocol based on the cryptographic random selection of nodes. Resistance to collusion is also considered. Solving one of the most pressing problems in blockchains, a zk-PoI cryptocurrency is proved to have the following advantageous properties: - an incentive-compatible protocol for the issuing of cryptocurrency rewards based on a unique Nash equilibrium - strict domination of mining over all other PoW/PoS cryptocurrencies, thus the zk-PoI cryptocurrency becoming the preferred choice by miners is proved to be a Nash equilibrium and the Evolutionarily Stable Strategy - PoW/PoS cryptocurrencies are condemned to pay the Price of Crypto-Anarchy, redeemed by the optimal efficiency of zk-PoI as it implements the social optimum - the circulation of a zk-PoI cryptocurrency Pareto dominates other PoW/PoS cryptocurrencies - the network effects arising from the social networks inherent to national identity cards and ePassports dominate PoW/PoS cryptocurrencies - the lower costs of its infrastructure imply the existence of a unique equilibrium where it dominates other forms of paymentComment: 2.1: Proof-of-Personhood Considered Harmful (and Illegal); 4.1.5: Absence of Active Authentication; 4.2.6: Absence of Active Authentication; 4.2.7: Removing Single-Points of Failure; 4.3.2: Combining with Non-Zero-Knowledge Authentication; 4.4: Circumventing the Impossibility of Full Decentralizatio

PPAA: Peer-to-Peer Anonymous Authentication (Extended Version)

In the pursuit of authentication schemes that balance user privacy and accountability, numerous anonymous credential systems have been constructed. However, existing systems assume a client-server architecture in which only the clients, but not the servers, care about their privacy. In peer-to-peer (P2P) systems where both clients and servers are peer users with privacy concerns, no existing system correctly strikes that balance between privacy and accountability. In this paper, we provide this missing piece: a credential system in which peers are {\em pseudonymous} to one another (that is, two who interact more than once can recognize each other via pseudonyms) but are otherwise anonymous and unlinkable across different peers. Such a credential system finds applications in, e.g., Vehicular Ad-hoc Networks (VANets) and P2P networks. We formalize the security requirements of our proposed credential system, provide a construction for it, and prove the security of our construction. Our solution is efficient: its complexities are independent of the number of users in the system

Nymbler: Privacy-enhanced Protection from Abuses of Anonymity

Anonymous communications networks help to solve the real and important problem of enabling users to communicate privately over the Internet. However, by doing so, they also introduce an entirely new problem: How can service providers on the Internet---such as websites, IRC networks and mail servers---allow anonymous access while protecting themselves against abuse by misbehaving anonymous users? Recent research efforts have focused on using anonymous blacklisting systems (also known as anonymous revocation systems) to solve this problem. As opposed to revocable anonymity systems, which enable some trusted third party to deanonymize users, anonymous blacklisting systems provide a way for users to authenticate anonymously with a service provider, while enabling the service provider to revoke access from individual misbehaving anonymous users without revealing their identities. The literature contains several anonymous blacklisting systems, many of which are impractical for real-world deployment. In 2006, however, Tsang et al. proposed Nymble, which solves the anonymous blacklisting problem very efficiently using trusted third parties. Nymble has inspired a number of subsequent anonymous blacklisting systems. Some of these use fundamentally different approaches to accomplish what Nymble does without using third parties at all; so far, these proposals have all suffered from serious performance and scalability problems. Other systems build on the Nymble framework to reduce Nymble's trust assumptions while maintaining its highly efficient design. The primary contribution of this thesis is a new anonymous blacklisting system built on the Nymble framework---a nimbler version of Nymble---called Nymbler. We propose several enhancements to the Nymble framework that facilitate the construction of a scheme that minimizes trust in third parties. We then propose a new set of security and privacy properties that anonymous blacklisting systems should possess to protect: 1) users' privacy against malicious service providers and third parties (including other malicious users), and 2) service providers against abuse by malicious users. We also propose a set of performance requirements that anonymous blacklisting systems should meet to maximize their potential for real-world adoption, and formally define some optional features in the anonymous blacklisting systems literature. We then present Nymbler, which improves on existing Nymble-like systems by reducing the level of trust placed in third parties, while simultaneously providing stronger privacy guarantees and some new functionality. It avoids dependence on trusted hardware and unreasonable assumptions about non-collusion between trusted third parties. We have implemented all key components of Nymbler, and our measurements indicate that the system is highly practical. Our system solves several open problems in the anonymous blacklisting systems literature, and makes use of some new cryptographic constructions that are likely to be of independent theoretical interest

Privacy-Preserving and Regulation-Enabled Mechanisms for Blockchain-based Financial Services

With the success of cryptocurrencies such as Bitcoin, blockchain technology has attracted extensive attention from both academia and industry. As a distributed ledger technology, blockchain provides decentralization and immutability, and can build trust among multiple parties. Owning to these unique characteristics, blockchain has become an innovative approach to secure and reliable record-keeping and transaction execution, and has the potential to revolutionize the financial industry and drive economic change on a global scale. For example, it can streamline banking and lending services, enable decentralized trading, and facilitate cross-border payment transactions. Although blockchain is expected to create a new paradigm for the financial industry, transactions stored on the blockchain are shared among the nodes in the blockchain network, which may contain sensitive information of users, such as the identities of senders and receivers, and the contents of transactions. Thus, privacy preservation should be achieved when applying blockchain to different financial services. Many privacy-preserving mechanisms have been proposed to guarantee identity privacy and data confidentiality for blockchain-based transactions. However, the strong degree of privacy may create new regulatory concerns. First, in privacy-preserving mortgage lending, there exists double-mortgage fraud, by which a borrower can use the same asset as collateral to obtain multiple loans from different financial institutions. Second, in decentralized data trading, data buyers may refuse to pay funds to data sellers after obtaining data, and data sellers may send fake data to data buyers. Verifying data availability and retrievability without viewing data before payment for fair trading is a challenging issue. Moreover, the identity privacy of data sellers should be preserved during the trading. Third, in privacy-preserving blockchain-based payment systems, the identities of the payer, payee, and transferred amount are protected. Nevertheless, the anonymity of transactions can be exploited for illegal activities, such as money laundering. Thus, considering the strict regulatory requirements of the financial industry, such as limiting the amount of cryptocurrency transferred over a period of time, privacy preservation and regulation should be balanced in blockchain-based financial services. In this thesis, we focus on three major blockchain-based financial services to concentrate on how to solve the dilemma between privacy protection and strict regulatory requirements at various phases in the fund flow, which are lending, trading, and payment. Firstly, the thesis investigates the borrower privacy and double-mortgage regulation issues in mortgage lending, and proposes a blockchain-based privacy-preserving and accountable mortgage data management scheme. In the scheme, the mortgage data of borrowers can be shared on the blockchain to detect the double-mortgage fraud without revealing the identity of borrowers. But financial institutions can still uncover the identity of a dishonest borrower if he/she pledges the same asset for multiple mortgages, which is achieved by integrating cryptographic tools such as verifiable secret sharing, zero-knowledge proof, and ElGamal encryption. A mortgage request contains a share of identity information of the borrower and the ownership certificate of an asset. By utilizing ElGamal encryption and verifiable secret sharing, the borrower can prove that its identity information is indeed included in the mortgage request and can be used to reconstruct its identity when double-mortgage behavior is detected. Secondly, the thesis investigates the identity privacy and trading-misbehavior regulation in blockchain-based data trading. Blockchain can build trust between data buyers and data sellers. To resolve the fairness issue of demonstrating data availability and retrievability without leaking data while preserving identity privacy of data sellers, we propose a blockchain-based fair data trading protocol with privacy preservation, where a data buyer can declare data requirements and acceptable issuers of data, and a data seller can conduct privacy-preserving and fine-grained data selling. We first define the fairness and privacy demands for both parties. By incorporating anonymous attribute-based credentials, structure-preserving signatures, and zero-knowledge proofs, data can be traded in part while data authenticity is guaranteed and data issuers are hidden. A smart contract is utilized to realize atomic transactions. Security proof is provided to demonstrate that the scheme can achieve privacy preservation and fairness for the participants. Thirdly, the thesis investigates the transaction privacy and anti-money laundering regulation issues in distributed anonymous payment (DAP) systems. To solve the conflict between privacy and regulation, we propose a novel DAP scheme that supports regulatory compliance and enforcement. We first introduce regulators into the system, who define regulatory policies, including limiting the total amount of cryptocurrency one can transfer and the frequency of transactions one can conduct in a time period. The policies are enforced through commitments and non-interactive zero-knowledge proofs for compostable statements. By this, users can prove that transactions are valid and comply with regulations. We use both Zero-knowledge Succinct Non-Interactive Arguments of Knowledge (Zk-SNARKs) and sigma protocols to generate the zero-knowledge proofs for regulation compliance. A tracing mechanism is designed in the scheme to allow regulators to recover the real identities of users when suspicious transactions are detected. In summary, this thesis proposes effective privacy-preserving and regulation-enabled solutions for blockchain-based lending, data trading, and anonymous payment. The results from the thesis should shed light for future study on blockchain-based systems where privacy preservation and regulation are required

Hardware-Assisted Secure Computation

The theory community has worked on Secure Multiparty Computation (SMC) for more than two decades, and has produced many protocols for many settings. One common thread in these works is that the protocols cannot use a Trusted Third Party (TTP), even though this is conceptually the simplest and most general solution. Thus, current protocols involve only the direct players---we call such protocols self-reliant. They often use blinded boolean circuits, which has several sources of overhead, some due to the circuit representation and some due to the blinding. However, secure coprocessors like the IBM 4758 have actual security properties similar to ideal TTPs. They also have little RAM and a slow CPU.We call such devices Tiny TTPs. The availability of real tiny TTPs opens the door for a different approach to SMC problems. One major challenge with this approach is how to execute large programs on large inputs using the small protected memory of a tiny TTP, while preserving the trust properties that an ideal TTP provides. In this thesis we have investigated the use of real TTPs to help with the solution of SMC problems. We start with the use of such TTPs to solve the Private Information Retrieval (PIR) problem, which is one important instance of SMC. Our implementation utilizes a 4758. The rest of the thesis is targeted at general SMC. Our SMC system, Faerieplay, moves some functionality into a tiny TTP, and thus avoids the blinded circuit overhead. Faerieplay consists of a compiler from high-level code to an arithmetic circuit with special gates for efficient indirect array access, and a virtual machine to execute this circuit on a tiny TTP while maintaining the typical SMC trust properties. We report on Faerieplay\u27s security properties, the specification of its components, and our implementation and experiments. These include comparisons with the Fairplay circuit-based two-party system, and an implementation of the Dijkstra graph shortest path algorithm. We also provide an implementation of an oblivious RAM which supports similar tiny TTP-based SMC functionality but using a standard RAM program. Performance comparisons show Faerieplay\u27s circuit approach to be considerably faster, at the expense of a more constrained programming environment when targeting a circuit

Efficient Zero-Knowledge Proofs and Applications

Zero-knowledge proofs provide a means for a prover to convince a verifier that some claim is true and nothing more. The ability to prove statements while conveying zero information beyond their veracity has profound implications for cryptography and, especially, for its applicability to privacy-enhancing technologies. Unfortunately, the most common zero-knowledge techniques in the literature suffer from poor scalability, which limits their usefulness in many otherwise promising applications. This dissertation addresses the problem of designing communication- and computation-efficient protocols for zero-knowledge proofs and arguments of propositions that comprise many "simple" predicates. In particular, we propose a new formal model in which to analyze batch zero-knowledge protocols and perform the first systematic study of systems for batch zero-knowledge proofs and arguments of knowledge. In the course of this study, we suggest a general construction for batch zero-knowledge proof systems and use it to realize several new protocols suitable for proving knowledge of and relationships among large batches of discrete logarithm (DL) representations in prime-order groups. Our new protocols improve on existing protocols in several ways; for example, among the new protocols is one with lower asymptotic computation cost than any other such system in the literature. We also tackle the problem of constructing batch proofs of partial knowledge, proposing new protocols to prove knowledge of a DL that is equal to at least k-out-of-n other DLs, at most k-out-of-n other DLs, or exactly k-out-of-n other DLs. These constructions are particularly interesting as they prove some propositions that appear difficult to prove using existing techniques, even when efficiency is not a primary consideration. We illustrate the applicability of our new techniques by using them to construct efficient protocols for anonymous blacklisting and reputation systems