Revocation for direct anonymous attestation
First Claim
1. A cryptographic method in which an Issuer, on assessing a Signer as a currently legitimate member of a group associated with a public/private key pair of the Issuer, uses a disguised secret of the Signer and the group-associated private key to generate a credential, in the form of a signature of the Signer's secret, which the Issuer provides to the Signer as an Issuer attestation of the Signer's group membership, the Signer subsequently keeping the credential as a secret and using a signature proof of knowledge to prove, on the basis of the group-associated public key, its possession of the credential to a Verifier without the identity of the Signer being revealed;
- the method comprising the Issuer, acting through Issuer computing apparatus, at intervals;
updating at least the public key of the public/private key pair associated with the group, and effecting a complementary updating to the Signer's credential to take account of the updating of the group-associated key pair unless the Signer has ceased to be a legitimate group member;
a non-updated credential being inadequate to enable the Signer to prove its credential possession to a Verifier on the basis of the updated Issuer public key.
Abstract
Direct Anonymous Attestation involves a Signer using a credential supplied by an Issuer to anonymously prove to a Verifier, on the basis of a public key of the Issuer, the Issuer's attestation to the Signer's membership of a particular group. To facilitate membership revocation, the Issuer updates the public key at intervals, and also effects a complementary updating to the Signer's credential unless the Signer has ceased to be a legitimate group member. A non-updated credential is inadequate to enable the Signer to prove its Issuer attested group membership to a Verifier on the basis of the updated Issuer public key.
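The key and credential update described in the abstract, worked through for a pairing-based Camenisch-Lysyanskaya (LRSW-style) credential as an added example; it is not code or notation from the patent. The update rule C -> C^(x_new/x), the exponent-only toy group, and every name below are assumptions made for this illustration.

```python
import secrets

# Toy model (assumption, not from the patent): an element g^a of a prime-order group is
# stored as its exponent a mod Q, so the pairing e(g^a, g^b) = gT^(ab) becomes a*b mod Q.
# This exposes every discrete log; it checks the algebra only and is not a usable scheme.
Q = 2**127 - 1                      # prime group order (constructed parameter)

def rand():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    x, y = rand(), rand()
    return (x, y), (x, y)           # sk = (x, y); pk = (X = g^x, Y = g^y) in exponent form

def issue(sk, F):
    """Join: the Issuer signs the disguised secret F = g^f."""
    x, y = sk
    r = rand()
    A = r                             # A = g^r
    B = A * y % Q                     # B = A^y
    C = (A * x + F * r * x * y) % Q   # C = A^x * F^(r*x*y) = A^(x + f*x*y)
    return (A, B, C)

def verify(pk, f, cred):
    """Pairing checks on the credential; a real Signer proves these in zero knowledge."""
    X, Y = pk
    A, B, C = cred
    ok_b = (A * Y) % Q == B % Q                  # e(A, Y) == e(g, B)
    ok_c = (X * A + f * X * B) % Q == C % Q      # e(X, A) * e(X, B)^f == e(g, C)
    return ok_b and ok_c

def rotate(sk, issued, revoked):
    """Issuer picks a new x and raises C to x_new/x for members still in good standing."""
    x, y = sk
    x_new = rand()
    t = x_new * pow(x, -1, Q) % Q
    updated = {name: (A, B, C * t % Q)
               for name, (A, B, C) in issued.items() if name not in revoked}
    return (x_new, y), (x_new, y), updated

def demo():
    sk, pk = keygen()
    secrets_f = {"alice": rand(), "bob": rand()}              # constructed Signer secrets
    issued = {n: issue(sk, f) for n, f in secrets_f.items()}  # F = g^f is f in this model
    before = all(verify(pk, secrets_f[n], issued[n]) for n in issued)
    sk2, pk2, updated = rotate(sk, issued, revoked={"bob"})
    return (before,
            verify(pk2, secrets_f["alice"], updated["alice"]),  # updated credential works
            verify(pk2, secrets_f["bob"], issued["bob"]),       # revoked, never updated
            verify(pk2, secrets_f["alice"], issued["alice"]))   # stale copy fails too
```

The Issuer never needs the Signer's secret f to perform the update, only the credential it issued and the ratio of new to old private key.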
15 Claims
12. A cryptographic method comprising:
an initial set up phase in which an Issuer, responsible for membership of a group, generates a private key and a corresponding public key;
a join phase in which a Signer generates a secret and provides the secret in disguised form to the Issuer which, on assessing the Signer as a currently legitimate group member, uses the disguised secret and the private key to generate a credential, in the form of a Camenisch-Lysyanskaya signature of the Signer's secret, serving as an Issuer attestation to the Signer's group membership, the credential being returned to the Signer; and
sign and verify phases in which the Signer keeps the credential as a secret and uses a signature proof of knowledge to prove to a Verifier, on the basis of the group-associated public key, Signer's possession of the credential, and thus Issuer-attested group membership, without the identity of the Signer being revealed;
the Issuer, Signer, and Verifier each acting through a corresponding computing apparatus;
the method further comprising, at intervals, the Issuer; updating its private and public keys, effecting a complementary updating to the Signer's credential to take account of the updating of the Issuer's private key unless the Signer has ceased to be a legitimate group member, a non-updated credential being inadequate to enable the Signer to prove its Issuer attested group membership to a Verifier on the basis of the updated Issuer public key.
13. A cryptographic system comprising an Issuer computing apparatus, a Signer computing apparatus comprising, or associated with, a Signer, and a Verifier computing apparatus, wherein:
the Issuer computing apparatus, on the Signer being assessed as a currently legitimate member of a group associated with a public/private key pair of the Issuer computing apparatus, being arranged to use a disguised secret of the Signer computing apparatus and the group-associated private key to generate a credential, in the form of a signature on the secret of the Signer computing apparatus;
the Signer computing apparatus being arranged to store the credential as a secret and use a signature proof of knowledge to prove to the Verifier computing apparatus, on the basis of the group-associated public key, Signer's possession of the credential, and thus Issuer-attested group membership, without the identity of the Signer being revealed;
the Issuer computing apparatus being arranged to effect, at intervals, an updating of at least the public key of the public/private key pair associated with the group, and a complementary updating to the credential to take account of the updating of the group-associated key pair unless the Signer has ceased to be a legitimate group member;
a non-updated credential being inadequate to enable the Signer to prove its attested group membership to the Verifier computing apparatus on the basis of the updated Issuer public key.
Specification