Revocation for direct anonymous attestation

US 8,499,149 B2
Filed: 02/19/2009
Issued: 07/30/2013
Est. Priority Date: 02/20/2008
Status: Active Grant

First Claim

Patent Images

1. A cryptographic method in which an Issuer, on assessing a Signer as a currently legitimate member of a group associated with a public/private key pair of the Issuer, uses a disguised secret of the Signer and the group-associated private key to generate a credential, in the form of a signature of the Signer'"'"'s secret, which the Issuer provides to the Signer as an Issuer attestation of the Signer'"'"'s group membership, the Signer subsequently keeping the credential as a secret and using a signature proof of knowledge to prove, on the basis of the group-associated public key, its possession of the credential to a Verifier without the identity of the Signer being revealed;

the method comprising the Issuer, acting through Issuer computing apparatus, at intervals;

updating at least the public key of the public/private key pair associated with the group, andeffecting a complementary updating to the Signer'"'"'s credential to take account of the updating of the group-associated key pair unless the Signer has ceased to be a legitimate group member;

a non-updated credential being inadequate to enable the Signer to prove its credential possession to a Verifier on the basis of the updated Issuer public key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Direct Anonymous Attestation involves a Signer using a credential supplied by an Issuer to anonymously prove to a Verifier, on the basis of a public key of the Issuer, the Issuer'"'"'s attestation to the Signer'"'"'s membership of a particular group. To facilitate membership revocation, the Issuer updates the public key at intervals, and also effects a complementary updating to the Signer'"'"'s credential unless the Signer has ceased to be a legitimate group member. A non-updated credential is inadequate to enable the Signer to prove its Issuer attested group membership to a Verifier on the basis of the updated Issuer public key.

Citations

15 Claims

1. A cryptographic method in which an Issuer, on assessing a Signer as a currently legitimate member of a group associated with a public/private key pair of the Issuer, uses a disguised secret of the Signer and the group-associated private key to generate a credential, in the form of a signature of the Signer'"'"'s secret, which the Issuer provides to the Signer as an Issuer attestation of the Signer'"'"'s group membership, the Signer subsequently keeping the credential as a secret and using a signature proof of knowledge to prove, on the basis of the group-associated public key, its possession of the credential to a Verifier without the identity of the Signer being revealed;
- the method comprising the Issuer, acting through Issuer computing apparatus, at intervals;
  
  updating at least the public key of the public/private key pair associated with the group, andeffecting a complementary updating to the Signer'"'"'s credential to take account of the updating of the group-associated key pair unless the Signer has ceased to be a legitimate group member;
  
  a non-updated credential being inadequate to enable the Signer to prove its credential possession to a Verifier on the basis of the updated Issuer public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A cryptographic method according to claim 1, wherein the method is bilinear-map based with the credential being a Camenisch-Lysyanskaya signature under the Lysyanskaya, Rivest, Sahai, and Wolf assumption, and the signing of the credential by the Signer providing a signature proof of knowledge in respect of at least the Signer'"'"'s secret.
  - 3. A cryptographic method according to claim 2, wherein the group-associated private key has elements x and y whose values are chosen at random, and the public element includes respective elements dependent on the values of x and y;
    - the updating of the public/private key pair comprising;
      
      updating the private key by one of;
      
      assigning a new random value to x but leaving y unchanged,assigning a new random value to y but leaving x unchanged,assigning respective new random values to both x and y; and
      
      updating any element of the public key that is dependent on the value of an updated element of the private key.
  - 4. A cryptographic method according to claim 2, wherein the group-associated private key has elements x and y whose values are chosen at random, the public element includes respective elements dependent on the values of x and y, and the credential is of the form (a,b=a^y, c=a^x+fxy) where ‘
    - a’
      
      is a value chosen at random, and ‘
      
      f’
      
      is the Signer'"'"'s secret;
      
      updating of the private key being effected by assigning a new random value x″
      
      to x but leaving y unchanged, updating of the public key being effected by updating the public-key element X that is dependent on private-key element x to reflect the updated value x″
      
      of element x, and updating of the credential being effected by updating an element c only of the credential.
  - 5. A cryptographic method according to claim 4, wherein:
    - an updated value X″
      
      of the public-key element X is computed as;
      
      (the value of X prior to updating)^βan updated value c″
      
      of the credential element c is computed as;
      
      (the value of c prior to updating)^βwhere β
      
      =x″
      
      /(the value of x prior to updating).
  - 6. A cryptographic method according to claim 1, wherein the method is RSA based with the credential being a Camenisch-Lysyanskaya signature under the strong RSA assumption, and the signing of the credential by the Signer providing a signature proof of knowledge in respect of at least the Signer'"'"'s secret.
  - 7. A cryptographic method according to claim 6, wherein the group-associated public key has random elements R₀, R₁, S, Z, and modulus n, the credential includes an element A computed by the Issuer as
  - 8. A cryptographic method according to claim 1, wherein said intervals are regular intervals.
  - 9. A cryptographic method according to claim 1, wherein after updating of the credential, the credential is made available to the Signer by being placed in a list of updated credentials maintained by the Issuer.
  - 10. A cryptographic method according to claim 1, wherein the updated credential is placed in said list in encrypted form such as to be decryptable only by the Signer.
  - 11. A cryptographic method according to claim 1, wherein after updating of the credential, the credential is made available to the Signer by being passed by the Issuer to the Signer over a secure authenticated channel.

12. A cryptographic method comprising:
- an initial set up phase in which an Issuer, responsible for membership of a group, generates a private key and a corresponding public key;
  
  a join phase in which a Signer generates a secret and provides the secret in disguised form to the Issuer which, on assessing the Signer as a currently legitimate group member, uses the disguised secret and the private key to generate a credential, in the form of a Camenisch-Lysyanskaya signature of the Signer'"'"'s secret, serving as an Issuer attestation to the Signer'"'"'s group membership, the credential being returned to the Signer; and
  
  sign and verify phases in which the Signer keeps the credential as a secret and uses a signature proof of knowledge to prove to a Verifier, on the basis of the group-associated public key, Signer'"'"'s possession of the credential, and thus Issuer-attested group membership, without the identity of the Signer being revealed;
  
  the Issuer, Signer, and Verifier each acting through a corresponding computing apparatus;
  
  the method further comprising, at intervals, the Issuer;
  
  updating its private and public keys,effecting a complementary updating to the Signer'"'"'s credential to take account of the updating of the Issuer'"'"'s private key unless the Signer has ceased to be a legitimate group member, a non-updated credential being inadequate to enable the Signer to prove its Issuer attested group membership to a Verifier on the basis of the updated Issuer public key.

13. A cryptographic system comprising an Issuer computing apparatus, a Signer computing apparatus comprising, or associated with, a Signer, and a Verifier computing apparatus, wherein:
- the Issuer computing apparatus, on the Signer being assessed as a currently legitimate member of a group associated with a public/private key pair of the Issuer computing apparatus, being arranged to use a disguised secret of the Signer computing apparatus and the group-associated private key to generate a credential, in the form of a signature on the secret of the Signer computing apparatus;
  
  the Signer computing apparatus being arranged to store the credential as a secret and use a signature proof of knowledge to prove to the Verifier computing apparatus, on the basis of the group-associated public key, Signer'"'"'s possession of the credential, and thus Issuer-attested group membership, without the identity of the Signer being revealed;
  
  the Issuer computing apparatus being arranged to effect, at intervals, an updating of at least the public key of the public/private key pair associated with the group, and a complementary updating to the credential to take account of the updating of the group-associated key pair unless the Signer has ceased to be a legitimate group member;
  
  a non-updated credential being inadequate to enable the Signer to prove its attested group membership to the Verifier computing apparatus on the basis of the updated Issuer public key.
- View Dependent Claims (14, 15)
- - 14. A cryptographic system according to claim 13, wherein the credential is a Camenisch-Lysyanskaya signature under the Lysyanskaya, Rivest, Sahai, and Wolf assumption, and the signing of the credential by the Signer computing apparatus provides a signature proof of knowledge in respect of at least the Signer'"'"'s secret.
  - 15. A cryptographic system according to claim 13, wherein the credential is a Camenisch-Lysyanskaya signature under the strong RSA assumption, and the signing of the credential by the Signer computing apparatus provides a signature proof of knowledge in respect of at least the Signer'"'"'s secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Chen, Liqun
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US12/378,996
Publication Number

US 20090210705A1
Time in Patent Office

1,622 Days
Field of Search

713/158
US Class Current

713/158
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 9/0891   Revocation or update of sec...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3247   involving digital signatures

Revocation for direct anonymous attestation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Revocation for direct anonymous attestation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links