Introducing proxy zero-knowledge proof and utilization in anonymous credential systems


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2012)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.543

RESEARCH ARTICLE

Introducing proxy zero-knowledge proof and utilization in anonymous credential systems
Hoda Jannati 1*, Mahmoud Salmasizadeh 2, Javad Mohajeri 2 and Amir Moradi 3

1 School of Electrical Engineering, Sharif University of Technology, Tehran, Iran
2 Electronics Research Center, Sharif University of Technology, Tehran, Iran
3 Horst Görtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany

ABSTRACT

In pseudonym systems, users by means of pseudonyms anonymously interact with organizations to obtain credentials. The credential scheme constructed by Lysyanskaya and Camenisch is among the most complete credential systems, in which an "all-or-nothing" sharing scheme is used to prevent users sharing their credentials. If a user cannot directly show a credential issued by an organization, she or he has to give her or his own secret key to someone else as a proxy; afterward, the proxy can show the credential on behalf of the user. Thus, according to the all-or-nothing property of the system, having the user's secret key, the proxy can use all credentials of the user for itself. To solve this problem, in this paper, we present proxy zero-knowledge proof and utilize it in the Lysyanskaya and Camenisch anonymous credential system. In our proposed system, instead of giving the secret key to the proxy, the user generates a proxy key based on the desired credential particularly for the proxy. Therefore, the proxy neither is the owner of the user's credential nor can use his or her other credentials. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS

credential system; pseudonym system; proxy signature; zero-knowledge proof

*Correspondence

Hoda Jannati, School of Electrical Engineering, Sharif University of Technology, Tehran, Iran.
E-mail: [email protected]

1. INTRODUCTION

1.1. Motivation

Maintaining user anonymity is desirable in a variety of electronic commerce applications. Recently, many new techniques have been developed to provide privacy protection. One of those is the anonymous credential system, the so-called pseudonym system. With the increasing digitization of society and the continuous migration of day-to-day services from the paper world to the digital world, digital credentials have become very important and popular tools in various e-services such as e-commerce, e-government, e-health, and e-learning, and there is a growing interest in concrete implementations [8,24]. Therefore, they are becoming a part of everyday life together with the Internet, which can be seen as an information infrastructure for every subject and many application domains.

In pseudonym systems, users interact anonymously with any organization using a pseudonym, obtain credentials based on the pseudonym, and demonstrate possession of these credentials to other organizations using other pseudonyms.


1.2. Related works

In 1985, Chaum [2] introduced the concept of anonymous credential systems. Afterward, a number of anonymous credential systems have been proposed [3–5,15,17,25]. The credential scheme constructed by Lysyanskaya and Camenisch [15] is one of today's most complete credential systems; see, for example, Identity Mixer [8]. The basic version of this system consists of four actions as follows:

(1) Key generation.
(2) Generation of a pseudonym for an organization.
(3) Obtaining a credential from the organization.
(4) Showing the credential to another organization by another pseudonym.

In this system, organizations cannot obtain information about the identity of the users by means of the pseudonyms (anonymity). Organizations can link neither two different pseudonyms nor different credentials to each other (unlinkable pseudonyms or credentials). It is impossible for a user to forge a credential, even if users and other organizations conspire (unforgeable credentials). Also, users are discouraged from sharing their pseudonyms and credentials with each other (nontransferable credentials). In this system, in order to prevent users from sharing their credentials, the all-or-nothing sharing scheme is used. In other words, if someone lets a friend use one of her credentials, this in fact gives him the ability to use all of her credentials.

Sometimes, it is not possible for a user to show possession of a credential to an organization herself. Because in these systems users use their secret keys to show credentials to organizations, if a user (traditionally Alice) cannot show possession of a credential to an organization, she has to give her secret key to someone else (traditionally Bob) as a proxy, who can then do it on her behalf. However, according to the all-or-nothing property of the system, Bob, using Alice's secret key, can (i) become the owner of Alice's credential, (ii) access other credentials of Alice, and (iii) use all credentials of Alice for himself.

Such an extension is motivated by an observation from practice: it is quite common that other people collect prescribed medicines on behalf of a patient. They may be custodians, relatives, or friends who accompany her to visit a doctor. By giving the patient's secret key to a proxy to collect the medicines, he can access the patient's private electronic medical records and even more. Therefore, this problem should be treated as a key factor in the quality and privacy of e-health services.

To solve this problem, we need a scheme where, instead of giving the secret key to someone else, a proxy key is transferred.

The concept of proxy signatures, which are used when the original signer is not available to sign a specific document, was introduced by Mambo et al. [21,22]. Moreover, several application schemes [10,13,14,16,19,20,26] have been introduced based on this concept. In such a scheme, a user, called the original signer, delegates its signing capability to another user, called the proxy signer.

1.3. Our contribution

In this paper, we combine zero-knowledge proof and proxy signature to propose a new scheme, namely, proxy zero-knowledge proof (PZKP). Then, it is shown how to use PZKP in the Lysyanskaya and Camenisch credential system to solve the problem described. In this scheme, a user, the original prover, delegates the ability of proving knowledge of its secret key to another user called the proxy prover. In our proposed anonymous credential system, the proxy prover neither can become the owner of the original prover's credentials nor can use other credentials of the original prover; also, he is not able to discover the pseudonym of the original prover with any organization.

1.4. Organization

The remainder of this paper is organized as follows: In Section 2, the concept of PZKP is described. In Section 3, two schemes using the PZKP concept are proposed. Then, a functional description of an anonymous credential system, which is provided by the PZKP scheme, is illustrated in Section 4 and discussed specifically for the Lysyanskaya and Camenisch anonymous credential system in Section 5. Finally, we summarize our research in Section 6.

2. PROXY ZERO-KNOWLEDGE PROOF

Zero-knowledge proof protocols are cryptographic protocols that do not reveal information or secrets, neither to the other party nor to any eavesdropper, during the execution of the protocol. In a special case of it, a prover proves to a verifier that she holds the private key related to a public key without revealing the private key. For more details, see Ref. [12]. Sometimes, it is not possible for a user to prove knowledge of her private key herself [21,22]. Hence, she, the original prover, should delegate the capability of proving her private key to another person, called the proxy prover, without giving him her secret key. To achieve this, we combine proxy signature with zero-knowledge proof and propose a scheme, namely, PZKP. A PZKP is defined in two phases as follows:

(1) Proxy generation: In this phase, the original prover generates a PZKP key using its private key for the proxy prover. Then, the proxy prover obtains a proxy key using its private key and the generated PZKP key.

(2) Zero-knowledge proving: In this phase, the verifier begins a challenge/response interaction with the proxy prover to find out whether the proxy prover knows the proxy key of the original prover.

2.1. Proxy zero-knowledge proof schemes and their desirable properties

According to the will of the original prover concerning the transfer of a PZKP key to another party, two different kinds of PZKP are designed: weak PZKP and strong PZKP. In weak PZKP, the proxy prover can transfer the capability of proving the original prover's secret key to anyone else; that is, the proxy prover can pass the received PZKP key on to another proxy. In strong PZKP, the proxy prover is not permitted by the original prover to transfer the capability of proving her secret key to someone else.

As an example, consider a patient who is not able to collect the required medicines. If the patient does not mind who collects the prescribed medicines on her behalf, the patient's proxy can delegate the capability of collecting the medicines to someone else. The patient hence can use the weak type of PZKP to interact with the proxy. In contrast, assume that the head officer of an organization or a company is not available for a time. She wants to delegate some of her duties to only one person, for example, an office assistant. Therefore, the head officer must use the strong type of PZKP to prevent the office assistant from transferring the obtained capability to anyone else.


Both schemes, weak and strong PZKP, should have the following properties:

• Strong unforgeability:
  a) Only the original prover can generate a valid PZKP key; even the proxy prover cannot generate another PZKP key based on the received one.
  b) Only the proxy prover (or proxy provers) can prove knowledge of the secret key of the original prover in such a PZKP scheme; even the original prover cannot do it.

• Strong undeniability: The original prover cannot repudiate a previous delegation of the capability of proving her private key to a proxy prover.

• Distinguishability: A PZKP must be distinguishable from a normal zero-knowledge proof. It means that a verifier should be able to recognize whether the secret key has been proven by the proxy prover or by the original prover.

The properties of weak and strong PZKP schemes are summarized in Table I.

3. KINDS OF PROXY ZERO-KNOWLEDGE PROOF SCHEMES

In this section, we propose two kinds of PZKP scheme, weak and strong, based on the Li–Wang proxy blind signature scheme [19] and the Schnorr identification protocol [23], whose security depends on the discrete logarithm problem. We assume that each user has a pair of private and public keys and a certificate for it. The public system parameters consist of a large prime number p, a large prime factor q of p − 1, and an element g of the group Z_p^* with prime order q, so that G = <g> is a group of prime order q in which the discrete logarithm problem is practically intractable.

Table I. Comparison of the properties of weak and strong PZKP.

Properties                                   Weak PZKP   Strong PZKP
Strong unforgeability                        Yes         Yes
Strong undeniability                         Yes         Yes
Distinguishability                           Yes         Yes
Transferable PZKP key by the proxy prover    Yes         No

Figure 1. Proxy generation phase of PZKP scheme.

To describe our scheme, we use the following notations:

• U, P, and V: the original prover, the proxy prover, and the verifier, respectively,
• y_u: the public key of U, where y_u = g^{x_u} mod p and 0 < x_u < q is the private key of U,
• y_p: the public key of P, where y_p = g^{x_p} mod p and 0 < x_p < q is the private key of P,
• H(·): a secure one-way hash function,
• m_w: a parameter that contains the conditions and duration of the proxy,
• ∥: the operation of concatenation,
• ∥X∥: the number of elements of the set X (the cardinality of the set X).

3.1. Weak proxy zero-knowledge proof scheme

As described, two phases are defined in each scheme; they are shown in Figures 1 and 2, respectively:

(1) Proxy generation phase:
• U randomly chooses k_o ∈ Z_q^*, k_o ≠ 1, and computes r_o and the PZKP key x'_pr according to Equations (1) and (2). Finally, she sends (x'_pr, m_w, r_o) to the proxy prover, P, in a secure way.

    r_o = g^{k_o} mod p    (1)

    x'_pr = x_u + k_o · H(y_u ∥ r_o ∥ m_w) mod q    (2)

• P, after receiving x'_pr, computes the proxy key as follows:

    x_pr = x'_pr + x_p mod q    (3)

  Then, he checks its correctness using Equation (4).

    y_pr = g^{x_pr} =? y_u · y_p · r_o^{H(y_u ∥ r_o ∥ m_w)} mod p    (4)

  If (x_pr, r_o, m_w) satisfies Equation (4), P accepts x_pr as a proxy key.

Figure 2. Zero-knowledge proving phase of PZKP scheme.

(2) Zero-knowledge proving phase:
• P chooses a random number k_1 ∈ Z_q^*, k_1 ≠ 1, and computes r as follows:

    r = g^{k_1} mod p    (5)

  Then, P sends (y_pr, m_w, r_o, r) to V.
• V sends a challenge c ∈ Z_q^* to P.
• P computes t = k_1 + c · x_pr mod q and sends t to V.
• V checks the validity of Equations (6) and (7), taking y_p from P's certificate.

    g^t =? r · y_pr^c mod p    (6)

    y_pr =? y_u · y_p · r_o^{H(y_u ∥ r_o ∥ m_w)} mod p    (7)

  If both hold, V accepts P as a valid proxy prover on behalf of U; otherwise, P is an invalid proxy prover.

As described previously, in this scheme the proxy prover can transfer the capability of proving the secret key of the original prover to another party. To achieve this, the proxy prover sends (x'_pr, m_w, r_o) to the next proxy prover.

3.2. Security consideration of weak proxy zero-knowledge proof scheme

In this section, we investigate the proposed PZKP scheme. The security of this scheme is based on the Li–Wang proxy blind signature and the Schnorr identification protocol. We show that this scheme satisfies all the security requirements defined in Section 2.1.

• Strong unforgeability:
  a) "Nobody can generate a valid PZKP key except the original prover." Suppose that someone, for example the proxy prover, tries to forge a PZKP key. From Equation (2), we see that the PZKP key includes the secret key x_u of the original prover, which is clearly unknown to the others. Therefore, the secret key of the original prover would have to be extracted from Equation (2). Because k_o is a random element of Z_q^*, it is difficult to derive the value of x_u. To find k_o from r_o, one needs to solve the discrete logarithm problem or guess it, which succeeds with probability at most q^{-1}. The proxy generation phase of our proposed scheme is based on the Li–Wang proxy key generation phase; therefore, the security of this phase is linked to that of their scheme. For more details, see Ref. [19], where the security of the Li–Wang proxy blind signature scheme is proven.

  b) "Nobody can create a valid PZKP except the proxy prover." In our proposed scheme, the zero-knowledge proving phase is based on the Schnorr identification protocol. Thus, a forger can prove in place of the proxy prover if and only if she can break the Schnorr identification protocol or obtain x_pr. Note that finding x_pr from y_pr again requires solving the discrete logarithm problem. The original prover has (x'_pr, r_o), but she cannot obtain x_pr because x_pr = x'_pr + x_p mod q and x_p is unknown to her. She can only guess it, succeeding with probability at most q^{-1}.

As a result, strong unforgeability is satisfied, except with probability q^{-1}.

• Strong undeniability: "U cannot repudiate the delegation of the capability of proving her secret key to a proxy prover." For executing a correct PZKP, Equation (7) must be satisfied. This equation includes the public key y_u of the original prover, so it holds only if x'_pr has been generated based on the private key of U. It has been shown in part (a) of strong unforgeability that only U can generate the PZKP key x'_pr. Therefore, the original prover U cannot repudiate generating the PZKP key x'_pr for the proxy prover.

• Distinguishability: Obviously, the verifier can easily distinguish the original prover's zero-knowledge proof from the proxy prover's because they use different keys, that is, (x_u, y_u) for U and (x_pr, y_pr) for P, and they do not have access to each other's secret key.

3.3. Strong proxy zero-knowledge proof scheme

In this kind of PZKP, it is important for the original prover that the proxy prover cannot transfer the capability of proving her secret key to someone else. Therefore, we have to insert some information about the proxy prover in the proxy generation phase. As a solution, the original prover can add y_p to m_w. Thus, P cannot transfer the generated PZKP key to others. Suppose that a proxy prover wants to transfer a PZKP key generated using m_w1, that is, x'_pr = x_u + k_o · H(y_u ∥ r_o ∥ m_w1) mod q, to another proxy prover that has y_p2 and x_p2 as its public and private keys, respectively. He would have to modify the PZKP key in order to show that it was generated using m_w2. However, P knows neither x_u nor k_o. Therefore, to satisfy Equation (7), P must use the same x'_pr, so y_pr2 is computed as in Equation (8).

    y_pr2 = g^{x_pr2} = g^{x'_pr + x_p2} = y_u · y_p2 · r_o^{H(y_u ∥ r_o ∥ m_w1)} mod p    (8)

However, according to Equation (7), we should have the following:

    y_pr2 = y_u · y_p2 · r'_o^{H(y_u ∥ r'_o ∥ m_w2)} mod p    (9)

Therefore, to find a correct r'_o, Equations (8) and (9) must agree:

    y_u · y_p2 · r_o^{H(y_u ∥ r_o ∥ m_w1)} mod p = y_u · y_p2 · r'_o^{H(y_u ∥ r'_o ∥ m_w2)} mod p

    ⇒ r_o^{H(y_u ∥ r_o ∥ m_w1)} mod p = r'_o^{H(y_u ∥ r'_o ∥ m_w2)} mod p    (10)

Thus, r'_o must satisfy Equation (10). However, this is computationally infeasible, because r'_o also enters the input of the hash function.

3.4. Extension to more secret keys

The proposed PZKP scheme can be easily extended to an l-secret-key version. In this section, for simplicity, a PZKP scheme with two private keys is presented. In addition to the Li–Wang proxy blind signature, this scheme makes use of the Chaum–Pedersen identification protocol [6]. Let G = <g_1> = <g_2> be a group of prime order q, and let y_u and y_p be of the form y_u = g_1^{x_u1} · g_2^{x_u2} mod p and y_p = g_1^{x_p1} · g_2^{x_p2} mod p. This means that each user (the original prover and the proxy prover) has a pair (x_1, x_2) as a secret key. Then, each phase of the PZKP scheme is defined as follows:

1. Proxy generation phase:

• U randomly chooses k_o1, k_o2 ∈ Z_q^*, k_o1, k_o2 ≠ 1, computes Equations (11) to (13), and sends (x'_pr1, x'_pr2, r_o, m_w) to P in a secure way.

    r_o = g_1^{k_o1} · g_2^{k_o2} mod p    (11)

    x'_pr1 = x_u1 + k_o1 · H(y_u ∥ r_o ∥ m_w) mod q    (12)

    x'_pr2 = x_u2 + k_o2 · H(y_u ∥ r_o ∥ m_w) mod q    (13)

• P computes the proxy keys as

    x_pr1 = x'_pr1 + x_p1 mod q    (14)

    x_pr2 = x'_pr2 + x_p2 mod q    (15)

  then checks their correctness using Equation (16).

    y_pr = g_1^{x_pr1} · g_2^{x_pr2} =? y_u · y_p · r_o^{H(y_u ∥ r_o ∥ m_w)} mod p    (16)

  If (x_pr1, x_pr2, r_o, m_w) satisfies Equation (16), (x_pr1, x_pr2) is accepted as a valid proxy key.

2. Zero-knowledge proving phase:

• P chooses two random numbers k_1, k_2 ∈ Z_q^*, k_1, k_2 ≠ 1, and computes the following:

    r = g_1^{k_1} · g_2^{k_2} mod p    (17)

  Then P sends (r, y_pr, r_o, m_w) to V.

• V sends a challenge c ∈ Z_q^* to P.

• Using Equations (18) and (19), P computes (t_1, t_2) and sends it to V.

    t_1 = k_1 + c · x_pr1 mod q    (18)

    t_2 = k_2 + c · x_pr2 mod q    (19)

• V checks g_1^{t_1} · g_2^{t_2} =? r · y_pr^c =? r · (y_u · y_p · r_o^{H(y_u ∥ r_o ∥ m_w)})^c mod p. If so, V accepts P as a valid proxy prover on behalf of U.

Clearly, the scheme illustrated previously for two secret keys can be extended to l private keys in general.


4. APPLYING PROXY ZERO-KNOWLEDGE PROOF IN ANONYMOUS CREDENTIAL SYSTEMS

Suppose that a user needs to obtain a credential from an organization and prove possession of it to a verifier. In this section, we define an anonymous credential system where the user, U, can transfer its credential to another user, P, in such a way that P can prove possession of the transferred credential to an organization, but he neither is the owner of the user's credential nor can use her other credentials.

4.1. Basic actions

Our proposed credential system has original users (U), proxy users (P), organizations (O), and verifiers (V) as the types of players. Original users generate pseudonyms with organizations and receive credentials. Proxy users, on behalf of the original users, prove possession of a credential from an organization to a verifier. Then, verifiers check the correctness of credentials and the validity of the proxy users.

The basic version of our proposed scheme consists of five stages that are described as follows:

• SetUp: Users or organizations enter the system and select their public and secret keys.

• GenNym (U,O): This stage is a session between a user U and an organization O. U contacts O with a request to establish a pseudonym N between each other.

• GenCred (U,O,N): In this stage, O generates a credential C for U on the basis of N.

• GenPrx (U,C): U selects a proxy user P in order to delegate the ability of proving possession of C to him.

• VerifyCred (P,V,C): This protocol is a session between P and a verifier V to check the correctness of C and the validity of P.

4.2. Properties of our system

In an anonymous credential system, user privacy is provided, and organizations cannot obtain information about the identity of the users from the pseudonyms (anonymity). Organizations can link neither two different pseudonyms nor credentials of the same user to each other (unlinkable pseudonyms or credentials). It is impossible for a user to forge a credential that should be generated by an organization, even if the user and other organizations team up (unforgeable credentials). Also, users are discouraged from sharing their pseudonyms and credentials with one another (nontransferable credentials) [15]. In addition to these essential properties of an anonymous credential system, our scheme should have the following properties:

• Unlinkability: It should be impossible for a proxy user to discover the pseudonym of the original user with organization O; otherwise, the proxy user could link the activities of the original user if he teams up with O.

• Unforgeability: Only the original user can delegate the capability of proving possession of her credentials to others.

• Undeniability: The original user cannot repudiate the delegation of her credential possession to the proxy user.

• Nontranslatability: Proxy users cannot become the owners of original users' credentials. They can only prove possession of the credentials on behalf of the original users.

• Only one credential: A proxy user can only prove possession of the transferred credential to an organization; he cannot use other credentials of the original user.

• Distinguishability: A proof that has been done by a proxy user must be distinguishable from the case in which the original user proves possession of a credential.

5. APPLYING PROXY ZERO-KNOWLEDGE PROOF IN LYSYANSKAYA AND CAMENISCH CREDENTIAL SYSTEM

In this section, we propose an anonymous credential system that is based on the Lysyanskaya and Camenisch credential system [15], which is among the well-known credential systems. In the following, we begin with an overview of our scheme notation and system parameters, and then our proposed scheme is described in five stages and shown in Figures 3 to 7.

5.1. Protocol notation

Camenisch and Stadler [7] have introduced a notation for zero-knowledge proofs of knowledge. This notation helps us to clarify the protocols given in the next sections. As described in Ref. [18], the notation is explained by an example: a proof of knowledge, denoted by

    PK{(α, β) : y^2 = (g^2)^α mod n ∧ z^2 = (g^2)^β · (h^2)^α mod n ∧ α ∈ A}

means a zero-knowledge proof of knowledge of the discrete logarithm of y to the base g and of a representation of z to the bases g and h, where additionally the discrete logarithm of the h part of the representation has to be equal to the discrete logarithm of y to the base g [9] and has to lie in the interval A [1].

5.2. System parameters

When initializing the system, a central party has to choose appropriate values for the parameters l_n, l_e, l_x, l_k, l_s, and l_z. Also, it selects a secure one-way hash function with output length of l_x bits. The security of the system depends on the choice of these parameters: l_z = l_x + l_k + 1, l_e = l_z + 2, and l_s = ε · (l_z + l_n) + 2, where ε > 1 is a security parameter. Let the intervals be X = (0, 2^{l_x}), S = (0, 2^{l_s}), E = (2^{l_e − 1}, 2^{l_e + 1}), Z_1 = (0, 2^{l_z}), and Z_2 = (0, 2^{l_s + 1}). The parameter l_e is chosen in such a way that computing discrete logarithms in the group of quadratic residues modulo n_o, that is, in QR_{n_o}, with l_e-bit exponents is hard.

Figure 3. Establishing a pseudonym with an organization (GenNym (U,O)).

Figure 4. Obtaining a credential from an organization (GenCred (U,O,N)).

Figure 5. Delegating a credential to a proxy user (GenPrx (U,P,C)).

Figure 6. Showing a credential to a verifier by the original user (VerifyCred (U,V,C)).

Figure 7. Showing a credential to a verifier by the proxy user (VerifyCred (P,V,C)).

5.3. Entering the system

There are two main types of players in this system: (i) users (original users and proxy users) and (ii) organizations. When entering the system, an organization has to choose the values of its secret and public keys. Also, when a user enters the system, she must choose a master key. In the following, these phases are described in detail.

SetUp:

Setup phase for an organization:

• O randomly chooses two (l_n/2)-bit primes p' and q' such that p_o = 2 · p' + 1 and q_o = 2 · q' + 1 are also prime. Then, O sets the modulus n_o = p_o · q_o. Now, n_o is an l_n-bit special RSA modulus with large factors.

• O randomly chooses a_o, b_o, d_o, g_o, f_o, and h_o among the elements of the group of quadratic residues modulo n_o, that is, in QR_{n_o} [11].

• O publishes PK_o = (n_o, a_o, b_o, d_o, g_o, f_o, h_o) as the public key and stores SK_o = (p_o, q_o) as the secret key.

Setup phase for a user:

• The original user U chooses a secret key x_u ∈ (0, 2^{l_x}).

5.4. Establishing a pseudonym with an organization

Let user U want to establish a pseudonym with organization O. After the execution of this stage, U obtains a pseudonym P(u,o) with organization O.

GenNym (U,O):

(1) U chooses values r_1 ∈ S and r_2, r_3 ∈ {0,1}^{2·l_n}, computes C_1 = g_o^{r_1} · h_o^{r_2} and C_2 = g_o^{x_u} · h_o^{r_3}, and sends C_1 and C_2 to O.

(2) U proves to organization O that C_1 and C_2 are formed correctly by executing the following:

    PK{(α, β, γ, δ) : C_1^2 = (g_o^2)^α · (h_o^2)^β ∧ C_2^2 = (g_o^2)^γ · (h_o^2)^δ}

(3) O randomly chooses r ∈ S and sends it to U.

(4) U computes S(u,o) = ((r_1 + r) mod (2^{l_s} − 1)) + 1 and the pseudonym P(u,o) = a_o^{x_u} · b_o^{S(u,o)}, and sends P(u,o) to O.

(5) Now, U must show that P(u,o) has been formed correctly. To that end, she computes S̃ = ⌊(r_1 + r) / (2^{l_s} − 1)⌋, chooses r_4 ∈ {0,1}^{l_n}, sets C_3 = g_o^{S̃} · h_o^{r_4}, and sends C_3 to O.

Furthermore, U proves to O that the values in step (4) have been chosen correctly by executing the following:

    PK{(α, β, γ, δ, ε, ζ, η, ξ) : C_1^2 = (g_o^2)^α · (h_o^2)^β ∧ C_2^2 = (g_o^2)^γ · (h_o^2)^δ ∧ C_3^2 = (g_o^2)^ε · (h_o^2)^ζ ∧ P(u,o)^2 = (a_o^2)^γ · (b_o^2)^η ∧ C_1^2 · (g_o^2)^{r+1} / (C_3^2)^{2^{l_s} − 1} = (g_o^2)^η · (h_o^2)^ξ ∧ γ ∈ X ∧ η ∈ S}

(6) U stores P(u,o) and S(u,o).

(7) O stores P(u,o).

5.5. Obtaining a credential from anorganization

In this stage, organization O issues a credential to user U, who proves ownership of a previously established pseudonym P(u,o). The credential is a pair (c(u,o), e(u,o)) ∈ Z_{n_o}^* × E.

GenCred (U,O,N):

(1) U sends P(u,o) to O and authenticates herself as its owner by executing the following:

    PK{(α, β) : P(u,o)^2 = (a_o^2)^α · (b_o^2)^β}

(2) O makes sure that P(u,o) is in its database, then chooses a random prime e(u,o) ∈ E, computes c(u,o) = (P(u,o) · d_o)^{1/e(u,o)} mod n_o, sends c(u,o) and e(u,o) to U, and stores (c(u,o), e(u,o)).

(3) U checks c(u,o)^{e(u,o)} =? P(u,o) · d_o mod n_o. If so, U stores (c(u,o), e(u,o)) as a credential from organization O.

5.6. Delegate a credential to a proxy user

In this stage, by using our proposed PZKP scheme, the original user U selects a proxy user P in order to delegate a credential to him. Then, P can prove, on behalf of U, possession of the credential from organization O to a verifier V.

GenPrx (U,P,C):

(1) U chooses values $k_1, k_2, k_3 \in [0, 2^{l_k})$ and $r'_1, r'_2 \in \{0,1\}^{2 \cdot l_n}$ and computes:

$P'_{(u,o)} = a_o^{x_u} \cdot b_o^{S_{(u,o)}} \cdot f_o^{r'_1 \cdot e_{(u,o)}} \bmod n_o$ (20)

$w_1 = a_o^{k_1} \cdot b_o^{k_2} \cdot f_o^{k_3 \cdot e_{(u,o)}} \bmod n_o$ (21)

$c' = c_{(u,o)} \cdot h_o^{r'_2} \cdot f_o^{r'_1} \bmod n_o$ (22)

Then, U computes the proxy keys of the credential $(c_{(u,o)}, e_{(u,o)})$ as follows:

$z_1 = x_u + k_1 \cdot H(c' \| w_1)$ (23)

$z_2 = S_{(u,o)} + k_2 \cdot H(c' \| w_1)$ (24)

$z_3 = r'_1 \cdot e_{(u,o)} + k_3 \cdot e_{(u,o)} \cdot H(c' \| w_1)$ (25)

and sends $(P'_{(u,o)}, c', w_1, r'_2, z_1, z_2, z_3, e_{(u,o)}, z_3 / e_{(u,o)})$ to P.

(2) The proxy user checks the correctness of

$a_o^{z_1} \cdot b_o^{z_2} \cdot f_o^{z_3} \stackrel{?}{=} P'_{(u,o)} \cdot w_1^{H(c' \| w_1)} \bmod n_o$ (26)

$P'_{(u,o)} \cdot d_o \cdot h_o^{r'_2 \cdot e_{(u,o)}} \stackrel{?}{=} c'^{\,e_{(u,o)}} \bmod n_o$ (27)

If so, he accepts the delegation. Because $w_1$ is present in Equations (23), (24), and (25), if the proxy user shows a credential to more than one verifier, the unlinkability, which is one of the essential properties of pseudonym systems, is contravened.

Here, we have used the weak PZKP scheme, that is, the proxy user can transfer the capability of showing the original prover's credential to anyone else. In the case of the strong PZKP, some information about the proxy user has to be inserted into the hash function. The original user can therefore add a parameter containing some information about the proxy user to the hash function in Equations (23), (24), and (25), which makes the proxy keys particular to the selected proxy user.
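As an added illustration (not code from the paper), the following Python script runs the credential issuance of Section 5.5 and the GenPrx delegation of Section 5.6 on constructed toy parameters and performs the proxy's checks of Equations (26) and (27); the safe primes, the bases, the SHA-256 instantiation of H, and the tampered proxy key are all assumptions made here, and the numbers are far too small to be secure.

```python
import hashlib

# Constructed toy parameters (NOT secure): p' = 11, q' = 23, so p_o = 23 and q_o = 47
N_O = 23 * 47                # n_o = 1081
ORDER_QR = 11 * 23           # |QR_{n_o}| = p'q'; known only to O (derivable from SK_o)
# Bases a_o, b_o, d_o, g_o, f_o, h_o, chosen as squares so they lie in QR_{n_o}
A_O, B_O, D_O, G_O, F_O, H_O = 4, 9, 16, 25, 36, 49

def H(c_prime, w1):
    """H(c' || w1): SHA-256 over a simple encoding of the pair, read as an integer (assumed)."""
    return int.from_bytes(hashlib.sha256(f"{c_prime}||{w1}".encode()).digest(), "big")

def issue_credential(P, e):
    """GenCred step 2: c(u,o) = (P(u,o) * d_o)^(1/e(u,o)) mod n_o, using the group order."""
    c = pow(P * D_O % N_O, pow(e, -1, ORDER_QR), N_O)
    assert pow(c, e, N_O) == P * D_O % N_O      # GenCred step 3: U's own check
    return c

def gen_prx(x_u, S, c, e, k, r1p, r2p):
    """GenPrx step 1, Equations (20)-(25); k = (k1, k2, k3). Returns the message sent to P."""
    k1, k2, k3 = k
    P_prime = pow(A_O, x_u, N_O) * pow(B_O, S, N_O) * pow(F_O, r1p * e, N_O) % N_O  # (20)
    w1 = pow(A_O, k1, N_O) * pow(B_O, k2, N_O) * pow(F_O, k3 * e, N_O) % N_O       # (21)
    c_prime = c * pow(H_O, r2p, N_O) * pow(F_O, r1p, N_O) % N_O                     # (22)
    h = H(c_prime, w1)
    z1, z2, z3 = x_u + k1 * h, S + k2 * h, r1p * e + k3 * e * h                     # (23)-(25)
    return dict(P_prime=P_prime, c_prime=c_prime, w1=w1, r2p=r2p,
                z1=z1, z2=z2, z3=z3, e=e, z3_over_e=z3 // e)

def verify_delegation(m):
    """GenPrx step 2: the proxy's acceptance checks, Equations (26) and (27)."""
    h = H(m["c_prime"], m["w1"])
    lhs26 = pow(A_O, m["z1"], N_O) * pow(B_O, m["z2"], N_O) * pow(F_O, m["z3"], N_O) % N_O
    rhs26 = m["P_prime"] * pow(m["w1"], h, N_O) % N_O
    lhs27 = m["P_prime"] * D_O * pow(H_O, m["r2p"] * m["e"], N_O) % N_O
    rhs27 = pow(m["c_prime"], m["e"], N_O)
    return lhs26 == rhs26 and lhs27 == rhs27

def demo():
    """Run GenCred + GenPrx on constructed values; returns (genuine accepted, tampered accepted)."""
    x_u, S, e = 17, 29, 5                        # secret key, S(u,o), and a prime e coprime to p'q'
    P = pow(A_O, x_u, N_O) * pow(B_O, S, N_O) % N_O   # pseudonym P(u,o) = a_o^x_u * b_o^S(u,o)
    c = issue_credential(P, e)
    msg = gen_prx(x_u, S, c, e, (3, 7, 11), 13, 19)
    forged = dict(msg, z1=msg["z1"] + 1)         # a proxy key not derived from x_u fails (26)
    return verify_delegation(msg), verify_delegation(forged)
```

The proxy never sees $x_u$ or $S_{(u,o)}$, only the masked values $z_1, z_2, z_3$, yet Equation (26) ties them to $P'_{(u,o)}$ and Equation (27) ties $P'_{(u,o)}$ to the blinded credential $c'$.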

5.7. Showing a credential to a verifier by the original user

In this stage, the original user U is going to prove to a verifier V the possession of a credential issued by organization O.

VerifyCred (U,V,C):

(1) U chooses $r'_4, r'_5 \in \{0,1\}^{2 \cdot l_n}$ randomly, computes $A = c_{(u,o)} \cdot h_o^{r'_4}$ and $F = g_o^{r'_5} \cdot h_o^{r'_4}$, and sends A and F to V.

(2) U engages with V by executing:

$PK\{(\alpha, \beta, \gamma, \delta, \epsilon, \chi, \sigma) : d_o^2 = (A^2)^{\alpha} \cdot (1/a_o^2)^{\beta} \cdot (1/b_o^2)^{\gamma} \cdot (1/h_o^2)^{\delta} \wedge F^2 = (g_o^2)^{\sigma} \cdot (h_o^2)^{\epsilon} \wedge 1 = (F^2)^{\alpha} \cdot (1/h_o^2)^{\delta} \cdot (1/g_o^2)^{\chi} \wedge \beta \in X \wedge \gamma \in S \wedge \alpha \in E\}$.

5.8. Showing a credential to a verifier by the proxy user

In this stage, proxy user P, on behalf of the original user U, proves possession of a credential issued by organization O to a verifier V.


VerifyCred (P,V,C):

(1) P chooses $r'_3 \in \{0,1\}^{2 \cdot l_n}$ randomly, computes $D = f_o^{z_3 / e_{(u,o)}} \cdot g_o^{r'_3}$ and $B = g_o^{r'_3} \cdot h_o^{r'_2}$, and sends $w_1$, $c'$, B, and D to V.

(2) P engages with V by executing the following:

$PK\{(\alpha, \beta, \gamma, \delta, \epsilon, \lambda, \chi, \sigma, \mu) : \frac{d_o^2}{(w_1^2)^{H(c' \| w_1)}} = (c'^2)^{\alpha} \cdot (1/a_o^2)^{\beta} \cdot (1/b_o^2)^{\gamma} \cdot (1/h_o^2)^{\delta} \cdot (1/f_o^2)^{\lambda} \wedge 1 = (D^2)^{\alpha} \cdot (1/f_o^2)^{\lambda} \cdot (1/g_o^2)^{\chi} \wedge D^2 = (g_o^2)^{\sigma} \cdot (f_o^2)^{\mu} \wedge B^2 = (g_o^2)^{\sigma} \cdot (h_o^2)^{\epsilon} \wedge 1 = (B^2)^{\alpha} \cdot (1/h_o^2)^{\delta} \cdot (1/g_o^2)^{\chi} \wedge \beta \in Z_1 \wedge \gamma \in Z_2 \wedge \alpha \in E\}$.

5.9. Security consideration of the new anonymous credential system

Our proposed scheme is based on the Lysyanskaya and Camenisch credential system. Therefore, its essential security properties, that is, anonymity, unlinkable pseudonyms or credentials, unforgeable credentials, and nontransferable credentials, are linked to the same properties of the base system, which have been proven in Ref. [15]. In the following, we investigate the other security properties of our proposed scheme defined in Section 4.2 and compare the properties of the Lysyanskaya and Camenisch and the improved Lysyanskaya and Camenisch credential systems in Table II.

• Unlinkability:

"The proxy user cannot discover the pseudonym of the original user U with the organization O, that is, $P_{(u,o)}$." In our proposed anonymous credential system, because the original user blinds her pseudonym $P_{(u,o)}$ with a random number $r'_1 \in \{0,1\}^{2 \cdot l_n}$, it is impossible for a proxy user to discover the pseudonym $P_{(u,o)}$ from $P'_{(u,o)}$ without knowing $r'_1$. Therefore, the proxy user cannot link the activities of the original user even if he teams up with O.

Table II. Comparison of the properties of the Lysyanskaya–Camenisch and the improved Lysyanskaya–Camenisch credential systems.

Properties | Lysyanskaya and Camenisch credential system [15] | Improved credential system
Anonymity | Yes | Yes
Unlinkable pseudonyms or credentials | Yes | Yes
Unforgeable credentials | Yes | Yes
Nontransferable credential | All-or-nothing | All-or-nothing
Transferable credential to a proxy user | Yes (all-or-nothing) | Yes
Unlinkability | No | Yes
Unforgeability | No | Yes
Undeniability | No | Yes
Nontranslatability | No | Yes
Only one credential | No | Yes
Distinguishability | No | Yes

• Unforgeability:

"Nobody can delegate the capability of proving possession of her credentials to others except the original user." Suppose that one tries to forge the proxy keys of a credential, for example, $z_1$, $z_2$, and $z_3$. From Equations (23) to (25), we see that the proxy keys include the secret key $x_u$, $S_{(u,o)}$, $e_{(u,o)}$, and $c_{(u,o)}$ of the original user, which are clearly unknown to the others. Therefore, unforgeability holds except with a probability of at most $(\|X\| \cdot \|S\| \cdot \|E\| \cdot (n_o - 1))^{-1}$.

• Undeniability:

"The original user cannot repudiate the delegation of her credential possession to the proxy user." For correct execution of showing a credential to a verifier, the zero-knowledge proofs in the VerifyCred (P,V,C) phase must be satisfied. These proofs involve the secret key $x_u$ of the original user, $S_{(u,o)}$, and $c_{(u,o)}$. So, this phase is correct only if the proxy keys include $x_u$, $S_{(u,o)}$, and $c_{(u,o)}$. It has been shown under unforgeability that only U can generate the proxy keys of the credential. The original user U therefore cannot repudiate generating the proxy keys for the proxy user.

• Nontranslatability and only one credential:

"The proxy user cannot be the owner of the original user's credential and cannot use other credentials of the original user." Because the proxy user has access only to $z_1$, not to the original user's secret key $x_u$, he cannot make use of the original user's credential for himself. Also, because the proxy user has access only to the proxy keys of one credential, $(c_{(u,o)}, e_{(u,o)})$, not to the proxy keys of other credentials, he cannot use other credentials of the original user.

• Distinguishability:

Obviously, according to Sections 5.7 and 5.8, the verifier can easily distinguish whether the credential was shown by the proxy user or by the original user.


6. CONCLUSION

We combined zero-knowledge proof and proxy signature to define a new scheme, namely PZKP, which is used in cases where a user cannot herself prove knowledge of her private key in a zero-knowledge proof system. In our proposed PZKP scheme, the original prover delegates the capability of proving her secret key to a proxy prover without letting him know her secrets. Then, it has been shown how to utilize the PZKP scheme in the Lysyanskaya and Camenisch credential system. In this new anonymous credential system, a user can transfer a credential to another user acting as a proxy. In our proposed anonymous credential system, the proxy user cannot be the owner of the original user's credentials, cannot use other credentials of the user, and cannot discover the pseudonym of the user with any organization. Also, the possession of a credential that has been delegated to a proxy user cannot be repudiated by the original user.

Although we have defined the PZKP scheme based on the Li–Wang proxy signature scheme and have utilized it in the Lysyanskaya and Camenisch credential system, it can be straightforwardly defined based on other proxy signature schemes, for example, Ref. [26], and can also be utilized in other credential systems.

REFERENCES

1. Boudot F. Efficient proofs that a committed number lies in an interval. In Advances in Cryptology—Eurocrypt 2000, vol. 1807 of LNCS, Springer-Verlag: Bruges, Belgium, 2000; 437–450.

2. Chaum D. Security without identification: transaction systems to make big brother obsolete. Communications of the ACM 1985; 28(10):1030–1044.

3. Chen L. Access with pseudonyms. In International Conference on Cryptography: Policy and Algorithms, vol. 1029 of LNCS, Springer-Verlag: Brisbane, Queensland, Australia, 1995; 232–243.

4. Chaum D, Evertse JH. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology—CRYPTO 1986, vol. 263 of LNCS, Springer-Verlag: Santa Barbara, California, USA, 1987; 118–167.

5. Camenisch J, Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In Advances in Cryptology—CRYPTO 2004, vol. 3152 of LNCS, Springer-Verlag: Santa Barbara, California, USA, 2004; 56–72.

6. Chaum D, Pedersen TP. Wallet databases with observers (extended abstract). In Advances in Cryptology—CRYPTO 1992, vol. 740 of LNCS, Springer-Verlag: Santa Barbara, California, USA, 1992; 89–105.

7. Camenisch J, Stadler M. Efficient group signature schemes for large groups. In Advances in Cryptology—CRYPTO 1997, vol. 1296 of LNCS, Springer-Verlag: Santa Barbara, California, USA, 1997; 410–424.

8. Danes L. Smart card integration in the pseudonym system idemix. Master's Thesis, University of Groningen, Mathematics Department, 2007. http://www.luukluuk.nl/idemix/thesis/thesis.pdf

9. Damgård I, Fujisaki E. A statistically-hiding integer commitment scheme based on groups with hidden order. In Advances in Cryptology—Asiacrypt 2002, vol. 2501 of LNCS, Springer-Verlag: Queenstown, New Zealand, 2002; 77–85.

10. Dai JZ, Yang XH, Dong JX. Designated-receiver proxy signature scheme for electronic commerce. In IEEE International Conference on Systems, Man and Cybernetics, vol. 1, IEEE: Washington, D.C., USA, 2003; 384–389.

11. Fujisaki E, Okamoto T. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology—CRYPTO 1997, vol. 1294 of LNCS, Springer-Verlag, 1997; 16–30.

12. Goldwasser S, Micali S, Rackoff C. The knowledge complexity of interactive proof-systems. In Symposium on Theory of Computing, ACM Press, 1985; 291–304 [A journal version under the same title appears in SIAM Journal on Computing 1989; 18(1):186–208].

13. Herranz J, Sáez G. Revisiting fully distributed proxy signature schemes. In Proceedings of Indocrypt 2004, vol. 3348 of LNCS, Springer-Verlag, 2004; 356–370.

14. Kim S, Park S, Won D. Proxy signatures, revisited. In Information and Communications Security—ICICS 1997, vol. 1334 of LNCS, Springer-Verlag, 1997; 223–232.

15. Lysyanskaya A, Camenisch J. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Selected Areas in Cryptography—SAC 2001, vol. 1758 of LNCS, Springer-Verlag, 2001; 93–118.

16. Lee B, Kim H, Kim K. Strong proxy signature and its applications. In Symposium on Cryptography and Information Security—SCIS 2001, vol. 2, Oiso, Japan, 2001; 603–608.

17. Lysyanskaya A, Rivest R, Sahai A, Wolf S. Pseudonym systems. In Selected Areas in Cryptography—SAC 1999, vol. 1758 of LNCS, Springer-Verlag, 1999; 184–199.

18. Layouni M, Vangheluwe H. Anonymous K-show credentials. In the 4th European PKI Workshop: Theory and Practice (EuroPKI) 2007, vol. 4582 of LNCS, Springer-Verlag, 2007; 181–192.

19. Li J, Wang S. New efficient proxy blind signature scheme using verifiable self-certified public key. International Journal of Network Security 2007; 4(2):193–200.

20. Lu R, Cao Z, Zhou Y. Proxy blind multi-signature scheme without a secure channel. Journal of Applied Mathematics and Computation 2005; 164(1):179–187, Elsevier Press.

21. Mambo M, Usuda K, Okamoto E. Proxy signatures: delegation of the power to sign messages. IEICE Transactions on Fundamentals 1996; E79-A(9):1338–1354.

22. Mambo M, Usuda K, Okamoto E. Proxy signatures for delegating signing operation. In Conference on Computer and Communications Security—CCS 1996, ACM Press: New Delhi, India, 1996; 48–57.

23. Schnorr CP. Efficient identification and signatures for smart cards. In Advances in Cryptology—CRYPTO 1989, vol. 435 of LNCS, Springer-Verlag: Santa Barbara, California, USA, 1990; 239–252.

24. Song R, Korba L, Yee G. Pseudonym technology for E-services. In Privacy Protection for E-Services, Yee G (ed). Idea Group Inc., NRC 48269: National Research Council of Canada, 2006.

25. Verheul ER. Self-blindable credential certificates from the Weil pairing. In Advances in Cryptology—Asiacrypt 2001, vol. 2248 of LNCS, Springer-Verlag: Gold Coast, Australia, 2001; 533–551.

26. Zhang Y, Chen JL. A delegation solution for universal identity management in SOA. IEEE Transactions on Services Computing, issue 99, 2010; 1–14.