Wouter Lueks

On Linkability and Malleability in Self-blindable Credentials

Self-blindable credential schemes allow users to anonymously prove ownership of credentials. This is achieved by randomizing the credential before each showing in such a way that it still remains valid. As a result, each time a different version of the same credential is presented. A number of such schemes have been proposed, but unfortunately many of them are broken, in the sense that they are linkable i.e., failing to protect the privacy of the user, or malleable i.e., they allow users to create new credentials using one or more valid credentials given to them. In this paper we prove a general theorem that relates linkability and malleability in self-blindable credential schemes, and that can test whether a scheme is linkable or malleable. After that we apply the theorem to a number of self-blindable credential schemes to show that they suffer from one or both of these issues.

Sublinear Scaling for Multi-Client Private Information Retrieval

Private information retrieval (PIR) allows clients to retrieve records from online database servers without revealing to the servers any information about what records are being retrieved. To achieve this, the servers must typically do a computation involving the entire database for each query. Previous work by Ishai et al. has suggested using batch codes to allow a single client (or collaborating clients) to retrieve multiple records simultaneously while allowing the server computation to scale sublinearly with the number of records fetched.

Fast Revocation of Attribute-Based Credentials for Both Users and Verifiers

Attribute-based credentials allow a user to prove properties about herself anonymously. Revoking such credentials, which requires singling them out, is hard because it is at odds with anonymity. All revocation schemes proposed to date either sacrifice anonymity altogether, require the parties to be online, or put high load on the user or the verifier. As a result, these schemes are either too complicated for low-powered devices like smart cards or they do not scale. We propose a new revocation scheme that has a very low computational cost for users and verifiers, and does not require users to process updates. We trade only a limited, but well-defined, amount of anonymity to make the first practical revocation scheme that is efficient at large scales and fast enough for smart cards.

Designated attribute-based proofs for RFID applications

Recent research has shown that using public-key cryptography in order to meet privacy requirements for RFID tags is not only necessary, but also now practically feasible. This has led to the development of new protocols like the Randomized Schnorr [6] identification protocol. This protocol ensures that the identity of a tag only becomes known to authorised readers. In this paper we generalize this protocol by introducing an attribute-based identification scheme. The proposed scheme preserves the designation of verification (i.e., only an authorised reader is able to learn the identity of a tag) while it allows tags to prove any subset of their attributes to authorised readers. The proposed scheme is proven to be secure and narrow-strong private.

Fast revocation of attribute-based credentials for both users and verifiers☆

Attribute-based credentials allow a user to prove properties about herself anonymously. Revoking such credentials, which requires singling them out, is hard because it is at odds with anonymity. All revocation schemes proposed to date either sacrifice anonymity altogether, require the parties to be online, or put high load on the user or the verifier. As a result, these schemes are either too complicated for low-powered devices such as smart cards or they do not scale. We propose a new revocation scheme that has a very low computational cost for users and verifiers, and does not require users to process updates. We trade only a limited, but well-defined, amount of anonymity to make the first practical revocation scheme that is efficient at large scales and fast enough for smart cards.

Revocable Privacy: Principles, Use Cases, and Technologies

Security and privacy often seem to be at odds with one another. In this paper, we revisit the design principle of revocable privacy which guides the creation of systems that offer anonymity for people who do not violate a predefined rule, but can still have consequences for people who do violate the rule. We first improve the definition of revocable privacy by considering different types of sensors for users’ actions and different types of consequences of violating the rules (for example blocking). Second, we explore some use cases that can benefit from a revocable privacy approach. For each of these, we derive the underlying abstract rule that users should follow. Finally, we describe existing techniques that can implement some of these abstract rules. These descriptions not only illustrate what can already be accomplished using revocable privacy, they also reveal directions for future research.

Vote to Link: Recovering from Misbehaving Anonymous Users

Service providers are often reluctant to support anonymous access, because this makes it hard to deal with misbehaving users. Anonymous blacklisting and reputation systems can help prevent misbehaving users from causing more damage. However, by the time the user is blocked or has lost reputation, most of the damage has already been done. To help the service provider to recover from abuse by malicious anonymous users, we propose the vote-to-link system. In the vote-to-link system, moderators (rather than a single trusted third party) can cast votes on a users action if they deem it to be bad. After enough moderators have voted on the action, the service provider can use these votes to link all the actions by the same user within a limited time frame and thus recover from these actions. All the users actions in other time frames, however, remain unlinkable. To protect the voting moderators from retaliation, we also propose a (less efficient) variant that allows moderators to vote anonymously. We implemented and evaluated both variants to show that they are practical. In particular, we believe this system is suitable to combat malicious Wikipedia editing.

Forward-Secure Distributed Encryption

Distributed encryption is a cryptographic primitive that implements revocable privacy. The primitive allows a recipient of a message to decrypt it only if enough senders encrypted that same message. We present a new distributed encryption scheme that is simpler than the previous solution by Hoepman and Galindo–in particular it does not rely on pairings–and that satisfies stronger security requirements. Moreover, we show how to achieve key evolution, which is necessary to ensure scalability in many practical applications, and prove that the resulting scheme is forward secure. Finally, we present a provably secure batched distributed encryption scheme that is much more efficient for small plaintext domains, but that requires more storage