1. Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain
    2017, AnonymousCredentials, Blockchains, CCS, UC
    Jan Camenisch, Manu Drijvers, and Maria Dubovitskaya

    @inproceedings{10.1145/3133956.3134025,
    author = {Camenisch, Jan and Drijvers, Manu and Dubovitskaya, Maria},
    title = {Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain},
    year = {2017},
    isbn = {9781450349468},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3133956.3134025},
    doi = {10.1145/3133956.3134025},
    booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
    pages = {683–699},
    numpages = {17},
    keywords = {credentials, privacy-preserving authentication, zero-knowledge, blockchain, delegation, composable security, hierarchical issuance},
    location = {Dallas, Texas, USA},
    series = {CCS ’17}
    }

Certification of keys and attributes is in practice typically realized by a hierarchy of issuers. Revealing the full chain of issuers for certificate verification, however, can be a privacy issue since it can leak sensitive information about the issuer’s organizational structure or about the certificate owner. Delegatable anonymous credentials solve this problem and allow one to hide the full delegation (issuance) chain, providing privacy during both delegation and presentation of certificates. However, the existing delegatable credentials schemes are not efficient enough for practical use.

In this paper, we present the first hierarchical (or delegatable) anonymous credential system that is practical. To this end, we provide a surprisingly simple ideal functionality for delegatable credentials and present a generic construction that we prove secure in the UC model. We then give a concrete instantiation using a recent pairing-based signature scheme by Groth and describe a number of optimizations and efficiency improvements that can be made when implementing our concrete scheme. The latter might be of independent interest for other pairing-based schemes as well. Finally, we report on an implementation of our scheme in the context of transaction authentication for blockchain, and provide concrete performance figures.
