With the proliferation of various computer communication networks, over which diverse applications have been launched, the protection of consumer privacy in authorization-based applications is a challenge that can be postponed no longer.
Logically, authorization is preceded by authentication, because authentication ensures that a user is who he/she claims to be, while authorization grants the user access to various services based on the user's identity. Current industrial practice such as the Access Control List (ACL) implements authorization by retrieving the user's credentials from a local database and then checking that the user's credentials satisfy the access control policy associated with the resource. Since the user's unique identity must be disclosed to the resource protector in order to retrieve the user's credentials, such practice achieves secure authorization at the cost of user privacy.
As illustrated in FIG. 16, an authorization system has, as types of parties, Pseudonym Authority (PA), user, Resource Holder (RH), and Resource Protector (RP). PA is, for example, a server or the like coupled to a network and managing the use of pseudonyms in the system. RH is for example a workstation having content data, computation resources, and the like thereon, or a server providing certain services and so on, which is coupled to the network. RP is, for example, a login server or the like coupled to the network and controlling the access to the resources. A user may access the resource by using a pseudonym with, for example, a personal computer (PC) or a terminal coupled to the network.
PA serves as a trusted third party that is capable of granting a pseudonym to the user, tracing a suspicious user, and revoking a misbehaving user.
RH manages several resources and grants access rights, i.e. credentials, to the user.
RP guards resources and verifies the credentials of the user. It should be noted that a user may demonstrate credentials issued by different RHs to a single RP, which is common practice in authorization systems. To illustrate, if a user is a gold customer of both Company A (with a credential from a first RH) and Company B (with a credential from a second RH), then he is granted a gold member's access rights on the resources of Company C (by the RP for a third RH).
It's desirable to realize a high-privacy authorization system having any of the following characteristics:
(1) Unlinkable Anonymity. It's hard for the RH(s) to ascertain the identity of the user after multiple interactions between the user and the RH(s). Moreover, it's hard for the RP(s) to ascertain the identity of the user after multiple interactions between the user and the RP(s).
(2) Scalability. A user anonymously demonstrates credential(s) to a RP and convinces the RP without involving a third party online. In particular, the RH(s) need not reissue credentials for each interaction between the user and the RP(s).
(3) Fine-Grained Anonymity. Instead of always demonstrating all of his credentials to the RP(s), the user is able to select any portion of his credentials to demonstrate to the RP(s).
(4) Fine-Grained Revocability. Revocation of credential(s) may take place on a per-user and per-right basis: any access right of a user, i.e. any credential of the user, can be revoked without affecting the other credentials of the user.
(5) Constant Expensive Computation. When Fine-Grained Anonymity is achieved, the amount of expensive cryptographic computations is independent of the number of credentials selected to demonstrate. For instance, scalar multiplication, modular exponentiation, and pairing evaluation are in general considered expensive. Moreover, when Fine-Grained Revocability is achieved, the amount of expensive cryptographic computations is independent of the number of credentials selected in verifying the revocation.
(6) Expandability. In case the authorization system expands to accommodate a new RH or an existing RH expands to manage a new resource, there is no need to alter credentials the users already hold. In particular, re-issuance of any issued credential should be avoided.
A scenario with multiple users that request credentials from resource holders and anonymously demonstrate credentials to resource protectors was first introduced in D. Chaum, J. H. Evertse, A Secure and Privacy-protecting Protocol for Transmitting Personal Information Between Organizations, in Proc. of Advances in Cryptology—Crypto '86, LNCS vol. 263, pp. 118-167, 1986. In this paper and those that followed, the term “organization” was used to represent a logical combination of resource holders and resource protectors.
The scheme proposed by Chaum et al. is based on having a trusted third party involved in all interactions. Later schemes proposed by Chen (see L. Chen, Access with Pseudonyms, In Proc. of International Conference on Cryptography: Policy and Algorithms, LNCS vol. 1029, pp. 232-243, 1995) and Lysyanskaya et al. (see A. Lysyanskaya, R. Rivest, A. Sahai, S. Wolf, Pseudonym Systems, In Proc. of Selected Areas in Cryptography, LNCS vol. 1758, pp. 184-199, 1999) rely on a trusted third party involved in all interactions as well. In order to be unlinkable, getting the resource holder to reissue credentials for each interaction between the user and the resource protector is inevitable. Hence these anonymous credential schemes are not scalable.
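The trade-off stated above, that a credential bound to a fixed pseudonym is either reused (scalable but linkable) or reissued per interaction (unlinkable but the RH stays online), in a toy model added here for illustration; it is not the patent's scheme. The RH authenticates credentials with an HMAC key that the RP also holds (a constructed simplification standing in for an RH public-key signature), and the pseudonyms are constructed sample values.

```python
import hmac
import hashlib
import secrets
from typing import NamedTuple

# Constructed RH key, shared with the RP in this toy model. Real schemes use a
# public-key signature by the RH; the linkability argument is unchanged.
RH_KEY = b"constructed-rh-key"


class Credential(NamedTuple):
    pseudonym: str   # identifier the credential is bound to
    right: str       # access right granted by the RH
    tag: str         # RH's authenticator over (pseudonym, right)


def rh_issue(pseudonym: str, right: str) -> Credential:
    """RH binds an access right to a pseudonym (one online issuance)."""
    msg = f"{pseudonym}|{right}".encode()
    return Credential(pseudonym, right, hmac.new(RH_KEY, msg, hashlib.sha256).hexdigest())


def rp_verify(cred: Credential) -> bool:
    """RP checks the credential offline, without contacting the RH."""
    msg = f"{cred.pseudonym}|{cred.right}".encode()
    expected = hmac.new(RH_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(cred.tag, expected)


def rp_can_link(transcripts: list) -> bool:
    """RP links two sessions when the same credential pseudonym reappears."""
    seen = [c.pseudonym for c in transcripts]
    return len(seen) != len(set(seen))


def run_reuse(shows: int) -> tuple:
    """One credential shown many times: one issuance, but the shows are linkable."""
    cred = rh_issue(secrets.token_hex(8), "gold")
    transcripts = [cred for _ in range(shows)]
    assert all(rp_verify(c) for c in transcripts)
    return rp_can_link(transcripts), 1


def run_reissue(shows: int) -> tuple:
    """Fresh pseudonym per show: unlinkable, but the RH is online for every show."""
    transcripts = [rh_issue(secrets.token_hex(8), "gold") for _ in range(shows)]
    assert all(rp_verify(c) for c in transcripts)
    return rp_can_link(transcripts), len(transcripts)
```

Both functions return (linkable, number_of_RH_issuances), so the second value is the online RH cost that the later schemes in the text pay for unlinkability.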
In addition, Camenisch et al. also proposed two anonymous credential schemes (see J. Camenisch, A. Lysyanskaya, An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation, In Proc. of Advances in Cryptology-Eurocrypt '01, LNCS vol. 2045, pp. 93-118, 2001, and J. Camenisch, A. Lysyanskaya, Signature Schemes and Anonymous Credentials from Bilinear Maps, In Proc. of Advances in Cryptology-Crypto '04, LNCS vol. 3152, pp. 56-72, 2004), which achieve unlinkable anonymity and scalability.
However, with the above-mentioned traditional schemes, the resources a resource holder can manage are determined by some parameters inside the resource holder's public key. Any modification to the parameters inevitably leads to refreshing credentials already issued. Therefore, expandability is not achieved.
Moreover, with the traditional schemes, either the user's credentials are bound together by the RH and the user has to demonstrate all of them to the RP, or the amount of expensive cryptographic computation grows linearly with the number of credentials demonstrated. Thus, none achieves fine-grained anonymity and constant expensive computation.
In addition, with the traditional schemes, the only way for revoking one access right of a user is to revoke the entire access rights of the user, that is, invalidate all the credentials of the user and then reissue new credentials to the user, as shown in FIG. 17. Thus, none achieves fine-grained revocability.