KR102790869B1 - Device and method for anonymous credential with efficient recocations - Google Patents

Abstract

An anonymous credential authentication system, device and method for efficiently providing a user withdrawal function are disclosed. The anonymous credential authentication system includes a credential issuing server which generates a system public key and a master private key using a CS (Complete Subtree) technique, a user device which generates a user public key and a user private key using the system public key, and a verification server which verifies an anonymous credential signature received from the user device, wherein the credential issuing server and the user device perform a credential issuing algorithm to issue a credential, the credential issuing server generates and distributes information based on a list of users who have withdrawn, and the verification server verifies the anonymous credential signature using information based on the list of users who have withdrawn.

Description

{DEVICE AND METHOD FOR ANONYMOUS CREDENTIAL WITH EFFICIENT RECOCATIONS}

The present invention relates to an anonymous credential authentication method, and more particularly, to an anonymous credential method capable of authenticating a plurality of attributes representing the identity of a user as credentials, exposing only the desired attributes using the credentials, while providing anonymity for the remaining attributes and proving the identity.

In order to receive the services they want, individuals authenticate their identities to service providers, and from this, service providers generate enormous economic profits. However, in the existing authentication system, identity data is owned and managed by service providers, not individuals, and thus the sovereignty of identity data lies with service providers. Recently, the importance of individual sovereignty for self-determination has been emphasized, and accordingly, the concept of self-sovereign identity, in which individuals have sovereignty over their own identity data and perform authentication, has been introduced. In fact, the MyData system is being established and standardization of decentralized identifier (DID) services utilizing blockchain is actively underway.

A key technology for realizing DID services is anonymous authentication credentials. Anonymous authentication credentials are technologies that allow users to receive credentials from an organization (company) that authenticates their identity in advance, and generate anonymous credentials whenever a verifier (service provider) requests them to prove their identity and qualifications. At this time, identity information can be expressed as multiple attributes, and a selective disclosure function is provided by default, which allows users to perform authentication by exposing only the attributes they want and safely hiding the rest. In addition to the selective disclosure function, a user revocation function can be provided, which allows users who have been withdrawn from an organization and are included in the withdrawal list managed by the organization to no longer generate identity verification values. As technologies for realizing the user revocation function, the SD (Subset Difference) technique and the CS (Complete Subtree) technique, which are tree-based user revocation methods, can be used.

Republic of Korea Publication Patent No. 2021-0064076 (Published on June 2, 2021)

The technical problem to be achieved by the present invention is to provide an anonymous credential authentication technique that provides an efficient user withdrawal function. Existing anonymous credential technologies that use a revocation list cannot efficiently check whether a user has been revoked. In order to check whether a revoked user has generated a proof value, a verifier must first check a valid revocation list (RL) at the verification time, and check whether the tracking value for the revoked user specified in each item matches the proof value through a set verification formula. At this time, the verification calculation amount and time are proportional to the size of the revocation list (RL). Therefore, it is an important task to efficiently support user withdrawal with only a fixed verification calculation amount and time.

Another technical problem that the present invention seeks to achieve is to provide an anonymous credential authentication technique that satisfies ideal unforgeability. Existing anonymous credential technologies cannot prevent users from generating identity proof values even after they withdraw, and they verify the validity of pre-generated signatures afterward. If the withdrawal list is incorrectly referenced as a previous one or the verification process is omitted, the proof values generated by the withdrawn users are still recognized as valid, which can be exploited. An ideal solution is to provide unforgeability that prevents users from generating proof values after they withdraw.

In addition, another technical problem to be achieved by the present invention is to provide an anonymous credential authentication technique with high efficiency by reducing the size of a secret key. In anonymous credential authentication technology, since individual users generally generate anonymous credentials by utilizing small devices such as mobile devices with limited resources, it is important to increase efficiency by reducing the key size. In addition, smart cities are emerging as an alternative to various problems occurring due to urbanization in real life, and devices such as IoT (Internet of Things) equipment and various sensors that constitute smart cities are generally operated in a physically limited resource environment, so it is an important task that must be improved to increase efficiency by reducing the size of a secret key required to generate anonymous credentials.

An anonymous credential authentication system according to one embodiment of the present invention includes a credential issuing server which generates a system public key and a master private key using a CS (Complete Subtree) technique, a user device which generates a user public key and a user private key using the system public key, and a verification server which verifies an anonymous credential signature received from the user device, wherein the credential issuing server and the user device perform a credential issuing algorithm to issue a credential, the credential issuing server generates and distributes information based on a list of users who have withdrawn, and the verification server verifies the anonymous credential signature using information based on the list of users who have withdrawn.

A credential issuance server according to one embodiment of the present invention is a credential issuance server that issues a credential to a user device in an anonymous credential authentication system, and includes a security constant ( ) and a maximum number of attributes (m, m is an arbitrary natural number) as inputs to generate a system public key and a master private key, and a credential issuing unit that issues the credential to the user device, wherein the key generating unit includes a pairing parameter ( ) and generate a cryptographic hash function ( ) and select the setup algorithm of the CS (Complete Subtree) technique ( ) to set the maximum number of users ( , n is an arbitrary natural number) and generates a binary tree (BT) corresponding to an arbitrary By creating and , , , , , Compute and random By creating class By calculating the master secret key ( and the above system public key ( ) is created.

According to one embodiment of the present invention, an anonymous credential authentication method is performed on an anonymous credential authentication system including a credential issuing server, a user device, and a verification server, and includes: a step in which the credential issuing server generates a system public key and a master private key using a CS (Complete Subtree) technique; a step in which the user device generates a user public key and a user private key using the system public key; a step in which the credential issuing server issues a credential to the user device; a step in which the credential issuing server generates and distributes information based on a list of users who have withdrawn; a step in which the user device generates an anonymous credential signature and transmits the anonymous credential signature to the verification server; and a step in which the verification server verifies the anonymous credential signature.

According to one embodiment of the present invention, a method for issuing a credential to a user device by a credential issuing server comprises: ) and a maximum number of attributes (m, m is an arbitrary natural number) as inputs to generate a system public key and a master private key, and a step of issuing the credential to the user device, wherein the step of generating the system public key and the master private key comprises a step of generating a pairing parameter ( ) generating a cryptographic hash function ( ) is selected, and the maximum number of users ( is determined by using the setup algorithm (CS.Setup(N)) of the CS (Complete Subtree) technique. , n is an arbitrary natural number) to generate a binary tree (BT), By creating and , , , , , Steps to calculate, arbitrary By creating class Step of calculating the master secret key ( and the above system public key ( ) includes a step of setting.

An anonymous credential authentication device and method according to an embodiment of the present invention can provide an efficient user withdrawal function.

Additionally, it can provide unforgeability by preventing a user who has withdrawn from generating proof values in the first place.

Additionally, by reducing the size of the secret key used, anonymous credential authentication can be performed efficiently even on resource-poor mobile devices.

In order to more fully understand the drawings cited in the detailed description of the present invention, a detailed description of each drawing is provided.
Figure 1 is a diagram explaining a binary tree used in CS techniques.
Figure 2 is a diagram for explaining the individual set and cover set derived from the allocation algorithm of the CS technique.
FIG. 3 illustrates an anonymous credential authentication system according to one embodiment of the present invention.
Figure 4 is a functional block diagram of the credential issuance server illustrated in Figure 3.
FIG. 5 is a flowchart for explaining an anonymous credential authentication method performed on the anonymous credential authentication system illustrated in FIG. 3.

Specific structural or functional descriptions of embodiments according to the concept of the present invention disclosed in this specification are merely exemplified for the purpose of explaining embodiments according to the concept of the present invention, and embodiments according to the concept of the present invention can be implemented in various forms and are not limited to the embodiments described in this specification.

Since embodiments according to the concept of the present invention can have various changes and can have various forms, the embodiments are illustrated in the drawings and described in detail in this specification. However, this is not intended to limit the embodiments according to the concept of the present invention to specific disclosed forms, but includes all modifications, equivalents, or substitutes included in the spirit and technical scope of the present invention.

The terms first or second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are only intended to distinguish one component from another, for example, without departing from the scope of the invention, a first component may be referred to as a second component, and similarly, a second component may also be referred to as a first component.

When it is said that a component is "connected" or "connected" to another component, it should be understood that it may be directly connected or connected to that other component, but that there may be other components in between. On the other hand, when it is said that a component is "directly connected" or "directly connected" to another component, it should be understood that there are no other components in between. Other expressions that describe the relationship between components, such as "between" and "directly between" or "adjacent to" and "directly adjacent to", should be interpreted similarly.

The terminology used herein is only used to describe particular embodiments and is not intended to be limiting of the present invention. The singular expression includes the plural expression unless the context clearly indicates otherwise. It should be understood that, as used herein, the terms "comprises" or "has" and the like are intended to specify the presence of a feature, number, step, operation, component, part, or combination thereof described in the present specification, but do not exclude in advance the possibility of the presence or addition of one or more other features, numbers, steps, operations, components, parts, or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms defined in commonly used dictionaries, such as those defined in common use dictionaries, should be interpreted as having a meaning consistent with the meaning they have in the context of the relevant art, and will not be interpreted in an idealized or overly formal sense unless explicitly defined herein.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached to this specification. However, the scope of the patent application is not limited or restricted by these embodiments. The same reference numerals presented in each drawing represent the same components.

First, background knowledge used in the present invention is described.

[Pairing function]

Pairing (bilinear) function The orchid is Algebraic cyclic group of , Any element of About, bilinear property It means a function that provides. By using this bilinear property, Satisfies .

The pairing function is used , Depending on the relationship, they can be classified into Type 1, Type 2, and Type 3, and among these, the Type-3 asymmetric pairing function is While This means that when there is no homomorphic function, i.e., in order to obtain the pairing function value, must be entered in the specified location.

[CS(Complete Subtree) Technique]

The CS technique is a tree-based user revocation scheme and is a method proposed for designing broadcast ciphers (Dalit Naor, Moni Naor, Jeffery Lotspiech: Revocation and Tracing Schemes for Stateless Receivers. CRYPTO 2001).

The CS technique has a number of leaf nodes. In binary tree For reference, the binary tree for the case of N = 2 ³ is illustrated in Figure 1. In the binary tree, the root node and each of the intermediate nodes, excluding the leaf nodes, have two child nodes. All nodes included in the binary tree, i.e., the total The node identifier of the dog By using can be expressed as . Also, are usually assigned in order from left to right and top to bottom, starting with the root node as 1. Through this rule, leaf nodes are assigned identifiers can be expressed using .

The CS technique includes four algorithms (CS.Setup, CS.Assign, CS.Cover, CS.Match), and the description of each algorithm is as follows. However, a detailed description of the CS technique will be omitted, and for specific contents, reference can be made to the paper by Kwangsu Lee et al. (Kwangsu Lee, Woo Kwon Koo, Dong Hoon Lee, and Jong Hwan Park. Public-key revocation and tracing schemes with subset difference methods revisited. In Miroslaw Kutylowski and Jaideep Vaidya, editors, ESORICS 2014, Part II) and the paper by Dalit Naor et al. (Dalit Naor, Moni Naor, Jeffery Lotspiech: Revocation and Tracing Schemes for Stateless Receivers. CRYPTO 2001).

- (Setup algorithm of CS technique). Number of users The number of leaf nodes is input. In binary tree Creates .

- (Allocation algorithm of CS technique). User to the leaf node Assigns to the user's identifier is the same range as the node identifier Assuming that the user is in A generic set of identifiers One-to-one function if selected from can satisfy the assumption through arbitrary About cast Subtree with root node Let be a set consisting of all leaf nodes, second The root node of From leaf node Defined as a path to , and a set second It outputs as follows. For example, for is illustrated in Fig. 2. Here, can be named as a private set or a path set.

- (Cover algorithm of CS technique). Cover set for the list of withdrawn users RL is allocated. Here, All leaf nodes that make up the node include nodes of users who have not withdrawn. Element of are disjoint sets that do not intersect with each other. In Fig. 2, the withdrawn A set of covers for is depicted.

- (Match algorithm of CS technique). and The common element of , i.e. (1) Wow (2) Satisfying both at the same time If exists Outputs , and if the condition is not satisfied for all elements, Prints out .

Below we describe the notations and algorithms used in this specification.

- : Concatenation of strings x and y (e.g., if x=010 and y=110, then x∥y=010110)

- : set

- : A cryptographic hash function. It takes an arbitrary string as input. Output one element of

- : Security constant. A higher value provides a higher level of security.

- : An attribute representing the user. Using a hash function. Assuming assignment by value (e.g. gender attribute: "gender.att=men" → H ("gender.att=men")=t)

- : set of properties

- : A set of indexes of metadata for the properties of a. Each metadata is assigned a unique index. For example, if a user is represented as {Hong Gil-dong, male, 21 years old}, the metadata representing each property is {Name, Gender, Age}. If metadata and indexes are assigned as follows: Name → 1, Gender → 2, Age → 3, And This is it

- : The difference between sets X and Y (e.g., if X={1,2,3} and Y={2}, then X＼Y={1,3})

- : System public key/master private key of the credential issuing server

- : User's public/private key

- : Credentials

- : Anonymous credential signing

- : Time (epoch). The concept of a specific period of time.

- : List of users who have left in time

- : Information based on the opt-out list to generate anonymous credential signatures over time

The objects that make up the anonymous credential system are I (credential issuance server), U (user device), and V (verification server). In addition, it is composed of the Ikg (system key issuance) algorithm, the Issue (credential issuance request and issuance) algorithm, the Update (information generation based on the withdrawal list) algorithm, the Show (anonymous credential signature generation) algorithm, and the Verify (anonymous credential signature verification) algorithm. Among these, the Issue protocol can be composed of the Obtain (credential issuance request) sub-algorithm performed by U , and the Iss (credential issuance) sub-algorithm performed by I.

A detailed description of each algorithm and protocol follows.

- . The algorithm (which may be named as system key issuance algorithm, system key generation algorithm, etc.) executed by the credential issuance server ( I ) is a security constant. For the maximum number of attributes m (m is an arbitrary natural number), the public key (system public key) ipk and the master secret key isk are generated as follows.

1. Type-3 pairing parameters However, the present invention does not exclude the use of other types of pairing functions or pairing parameters, and other types of pairing functions or pairing parameters may be used depending on the embodiment.

2. Cryptographic hash function (i.e. any hash function) Select .

3. Maximum number of users (n is any natural number) for the CS technique setup algorithm ( ) and the resulting binary tree Get .

4. Any By creating and , , , , , Calculate .

5. Any By creating class Calculate .

6. and is set to . The generated system public key ipk can be made public (or transmitted to the user device ( U ) and/or the verification server ( V )).

- . An algorithm (which may be named a user key issuance algorithm, a user key generation algorithm, etc.) executed by a user device ( U ) performs the following steps to generate the user's public key upk and private key usk.

1. A unique value that can represent U Select .

2. Calculate .

3. and The generated user public key upk can be made public (or transmitted to a credential server ( I ) and/or a verification server ( V )).

- . (identifier) representing a set of attributes A A protocol (algorithm) that a user device ( U ) executes together with a credential issuance server ( I ) to obtain a credential (may be named a credential issuance algorithm), and sub-algorithms Obtain (the first sub-algorithm) and Iss (the second sub-algorithm) output a credential cre and a result message M for the user device ( U ) as final results, respectively. The detailed process is sequentially performed as follows.

1. Obtain: This is performed by the user device ( U ) and performs the following process.

(1-1). The user device ( U ) has its own secret key We prove that we know using the non-interactive zero-knowledge (NIZK) protocol. The proof value of the zero-knowledge protocol is It can be expressed as and is generated through the process below.

(1-1-1). Using usk and ipk Calculate .

(1-1-2). Any Select .

(1-1-3). Using the cryptographic hash function H. Calculate .

(1-1-4). Calculate .

(1-1-5). Proof value Set to .

(1-2). Generated proof value Public key with , a set of properties Send together.

In short, the Obtain algorithm is a secret key It may mean an algorithm that generates a proof value for a zero-knowledge protocol (or zero-knowledge proof) to prove that one knows something.

2. Iss: It is performed by the credential issuance server ( I ) and performs the following process.

(2-1). Received Verify that it is a unique value within the system. In other credential issuance sessions. If has already been used (or is in use) Prints and aborts the protocol.

(2-2). Make sure you are satisfied Verify the validity of the equation. If the equation holds, continue, if it does not hold, Prints and aborts the protocol.

(2-3). Allocation algorithm of CS technique( ) to run the path set Get .

(2-4). Each Each time, do the following:

(2-4-1). Polynomial Save it to internal storage. Here, Is is randomly selected from Any node belonging to is unique has

(2-4-2). A set of indices of When said, a randomly selected value and using polynomials and Calculate .

(2-5). Result message The resulting message M is a message containing at least part of the information contained in the credential, which may be named credential or first credential, depending on the embodiment.

3. Obtain: This is performed by the user device ( U ) and performs the following process.

(3-1). Calculate .

(3-2). Credentials Save it.

(3-3). (optional) If it is more important to reduce the storage volume even if the computational amount increases during the signature generation process, (3-1) can be omitted. Credentials at this time That is, the message M received from the credential issuing server ( I ) can become a credential.

- . The credential issuing server ( I ) List of users who have left in time Next time using Information about is generated as follows. This algorithm can be named as an update algorithm, etc.

1. Cover algorithm of CS technique ( ) to run the cover set Get .

2. Elements of the cover set Do the following about:

(2-1). Previously Nodes belonging to Defined for Calls up.

(2-2). Any arbitrary Select .

(2-3). Arbitrarily By selecting and Calculate .

(2-4). distributes (or sends to the verification server ( V )).

- . An anonymous credential signature value generation algorithm performed by the user device ( U ). At the time, the user device ( U ) is storing A partial set of properties that you want to make public using Anonymous credential signature value for is created as follows:

1. Matching algorithm of CS technique ( ) by performing If this appears, you will be stopped from creating a signature. This is because the user has already left. A legitimate one that satisfies If you can get it (i.e., if you are a non-deleted user), you can move on to the next step.

2. Set for class cast Find it in .

3. for and cast Find it in .

4. class It calculates. This is at It is the Lagrange's coefficient that can interpolate the function value for . That is, is a value that satisfies .

5. A set of indices for (the set of properties you want to make public) Defined as the difference between A and B A set of indices for (the set of attributes you want to hide) When defining an arbitrary value Select to calculate the values below.

In the above equation And am.

6. Eigenvalue , random number used , proves that he knows all the properties he wants to hide using the non-interactive zero-knowledge (NIZK) protocol. The proof value of the zero-knowledge protocol is It can be expressed as and is generated through the process below.

(6-1) According to the above definition So, using this Calculate .

(6-2) Any Select .

(6-3) Using a hash function Calculate .

(6-4) Calculate .

(6-5) Proof value Set to .

7. Anonymous credential signing Output a set of public properties B together with the assumption that the original properties assigned to B are also public.

- . A verification algorithm performed by a verification server ( V ), where the verification server ( V ) signs anonymous credentials. To verify, check if the conditions below are satisfied.

1. Using B as in (6-1) Calculate .

2. Is it valid? Check with . If it is established, move on to the next step, otherwise stop and output 0.

3. and By using Calculate .

4. Check if it satisfies .

5. If all the above processes are passed, output 1 (verification success), otherwise output 0 (verification failure).

Figure 3 illustrates an anonymous credential authentication system according to one embodiment of the present invention. In describing the anonymous credential authentication system, detailed descriptions of content that overlaps with the previous descriptions will be omitted.

Referring to FIG. 3, an anonymous credential authentication system (10), which may also be named an anonymous credential system, includes a credential issuing server (100), a user device (200), and a verification server (300).

The credential issuing server (100), the user device (200), and the verification server (300) may be implemented as a computing device including at least a processor and/or a memory. The computing device may include a server (e.g., a general-purpose server), a PC (Personal Computer), a tablet PC, a smart phone, an HMD (Head Mounted Device), a notebook PC, smart glasses, a smart watch, etc.

The credential issuing server (100) can generate a public key (system public key) ipk and a master private key isk by performing a system key issuing algorithm, and distribute (or transmit to a user device (200) and/or a verification server (300)) the generated public key (system public key) ipk. In addition, the credential issuing server (100) can generate a result message (or a credential) by performing at least a part of the credential issuing algorithm through wired or wireless communication with the user device (200), and transmit the generated result message to the user device (200). In addition, the credential issuing server (100) can generate withdrawal list-based information by performing an update algorithm, and distribute (or transmit to the user device (200) and/or a verification server (300)) the generated withdrawal list-based information.

The user device (200) can generate a user public key upk and a user secret key usk from a public key (system public key) ipk by performing a user key issuance algorithm. In addition, the user device (200) can receive a generated result message (or credential) from the credential issuance server (100) by performing at least a part of the credential issuance algorithm through wired or wireless communication with the credential issuance server (100). According to an embodiment, the user device (200) can also generate a credential including the received result message. In addition, the user device (200) can generate an anonymous credential signature by performing an anonymous credential signing algorithm and transmit the generated anonymous credential signature to the verification server (300). At this time, the user device (200) can also transmit a set of public attributes together with the anonymous credential signature.

The verification server (300) can verify an anonymous credential signature received from a user device (200) by performing an anonymous credential signature verification algorithm. Here, the verification server (300) is an entity that can perform a verification operation, and is not restricted from performing any operation other than the verification operation.

Figure 4 is a functional block diagram of the credential issuance server illustrated in Figure 3.

Referring to FIGS. 3 and 4, the credential issuance server (100) includes at least one of a key generation unit (110), a credential issuance unit (120), and an update unit (130). According to an embodiment, the credential issuance server (100) may further include a storage unit (140).

The key generation unit (110) can generate a public key (system public key) ipk and a master secret key isk by performing a system key issuance algorithm, and distribute (or transmit to a user device (200) and/or a verification server (300)) the generated public key (system public key) ipk.

The credential issuing unit (120) can generate a result message (or credential) by performing at least a part of the credential issuing algorithm through wired or wireless communication with the user device (200) and transmit the generated result message to the user device (200).

The update unit (130) can generate withdrawal list-based information by performing an update algorithm and distribute (or transmit to a user device (200) and/or a verification server (300)) the generated withdrawal list-based information.

The storage unit (140) may store data used in the key generation operation process by the key generation unit (110), data generated temporarily or non-temporarily, data used in the credential issuance operation process by the credential issuance unit (120), data generated temporarily or non-temporarily, and data used in the update operation process by the update unit (130), data generated temporarily or non-temporarily, etc.

FIG. 5 is a flow chart for explaining an anonymous credential authentication method performed on the anonymous credential authentication system described in FIG. 3. Each of the steps constituting the method illustrated in FIG. 5 may be performed by a credential issuance server (100), a user device (200), or a verification server (300). In other words, each step may be understood as an operation of a processor included in the credential issuance server (100), a user device (200), or a verification server (300).

First, the credential issuing server (100) can generate a public key (system public key) and a master secret key by performing a predetermined algorithm (S110). The generated system public key can be made public (distributed or transmitted).

The user device (200) can generate a user public key and a user secret key using the received (or disclosed) public key (system public key) (S120). The generated user public key can be disclosed (distributed or transmitted).

At step S130, the credential issuance server (100) and the user device (200) can perform a credential issuance operation by performing a credential issuance algorithm while exchanging predetermined data (or messages).

In addition, the credential issuance server (100) can generate withdrawal list-based information so that a user who has withdrawn cannot generate a credential signature and can disclose (distribute or transmit) the generated withdrawal list-based information (S140).

Next, the user device (200) can generate an anonymous credential signature and transmit the generated anonymous credential signature and a set of public attributes to the verification server (300) (S150).

The verification server (300) that receives the anonymous credential signature can perform a verification operation on the anonymous credential received from the user device (200) by performing an anonymous credential verification algorithm (S160).

The devices described above may be implemented as hardware components, software components, and/or a collection of hardware components and software components. For example, the devices and components described in the embodiments may be implemented using one or more general-purpose computers or special-purpose computers, such as, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing instructions and responding. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. In addition, the processing device may access, store, manipulate, process, and generate data in response to the execution of the software. For ease of understanding, the processing device is sometimes described as being used alone, but those skilled in the art will appreciate that the processing device may include multiple processing elements and/or multiple types of processing elements. For example, the processing unit may include multiple processors, or one processor and one controller. Other processing configurations, such as a parallel processor, are also possible.

The software may include a computer program, code, instructions, or a combination of one or more of these, and may configure a processing device to perform a desired operation or may independently or collectively command the processing device. The software and/or data may be permanently or temporarily embodied in any type of machine, component, physical device, virtual equipment, computer storage medium or device, or transmitted signal wave to be interpreted by the processing device or to provide instructions or data to the processing device. The software may be distributed on network-connected computer systems and stored or executed in a distributed manner. The software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program commands that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program commands, data files, data structures, etc., alone or in combination. The program commands recorded on the medium may be those specially designed and configured for the embodiment or may be those known to and usable by those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and hardware devices specially configured to store and execute program commands such as ROMs, RAMs, and flash memories. Examples of the program commands include not only machine language codes generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiment, and vice versa.

Although the present invention has been described with reference to the embodiments illustrated in the drawings, this is merely exemplary, and those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. For example, appropriate results can be achieved even if the described techniques are performed in a different order than the described method, and/or components of the described systems, structures, devices, circuits, etc. are combined or combined in a different form than the described method, or are replaced or substituted by other components or equivalents. Accordingly, the true technical protection scope of the present invention should be defined by the technical spirit of the appended claims.

10: Anonymous Credential Authentication System
100: Credential issuing server
110 : Key generation section
120: Credential Issuance Department
130 : Update Department
140 : Storage
200 : User Device
300 : Verification Server

Claims (15)

A credential issuing server that generates a system public key and a master private key using the CS (Complete Subtree) technique;
A user device that generates a user public key and a user private key using the above system public key; and
Includes a verification server that verifies an anonymous credential signature received from the user device,
The above credential issuing server and the above user device issue a credential by performing a credential issuing algorithm.
The above credential issuing server generates and distributes information based on the list of users who have withdrawn.
The above verification server verifies the anonymous credential signature using information based on the list of withdrawn users,
The above credential issuing server is a security constant ( ) and the maximum number of attributes (m, m is an arbitrary natural number) as inputs to generate the system public key and the master secret key.
Anonymous credential authentication system. delete In the first paragraph,
The above credential issuing server is,
Pairing parameters ( ) and create
Cryptographic hash function( ) and select
Maximum number of users ( , n is an arbitrary natural number) to generate a binary tree (BT) by executing the setup algorithm (CS.Setup(N)) of the CS technique,
Any By creating and , , , , , Calculate ,
Any By creating class By calculating,
The above master secret key ( and the above system public key ( ) to create,
Anonymous credential authentication system. In the third paragraph,
The above user device,
Unique values( ) and select
By calculating,
The above user secret key ( ) and the above user public key ( ) to create,
Anonymous credential authentication system. In paragraph 4,
The user device generates a proof value of a non-interactive zero-knowledge (NIZK) to prove that it knows the user secret key and sends it to the credential issuing server.
To generate the above proof value, the user device
Using the above user secret key (usk) and the above user public key (ipk), Calculate ,
Any Select ,
Using the above cryptographic hash function ( H), Calculate ,
By calculating the above proof value ( ) and create
The above user device is the proof value ( ), the user's public key ( ), a set of properties ( ) is transmitted to the credential issuing server.
Anonymous credential authentication system. In paragraph 5,
The above credential issuing server is,
The above proof value ( ) to verify the validity,
The path set (CS.Assign(BT,i)) is executed by executing the CS technique's assignment algorithm (CS.Assign(BT,i)). ) and create
Each path included in the above set of paths ( ) about,
cast A polynomial is randomly selected from ) and create
A set of indices of When said, a randomly selected value ( ) and using the above polynomial and By calculating,
Result message( ) and create
Transmitting the above result message to the user device;
Anonymous credential authentication system. In Article 6,
The above user device is By calculating the above credentials ( ) to create,
Anonymous credential authentication system. In Article 6,
The above user device sets the above result message as the above credential,
Anonymous credential authentication system. In clause 7 or 8,
The above credential issuing server is
Cover algorithm of CS technique( Run the cover set ( ) and create
Each element of the above cover set ( ) about, Any arbitrary and By selecting and By calculating the information based on the list of users who have left the above ( ) and create
Disclosing information based on the list of users who have left the service;
Anonymous credential authentication system. In Article 9,
The above user device, A legitimate one that satisfies About
class Calculate ,
A set of properties that we want to disclose ( ) is a set of indices for A is the difference between A and B ( ) is an index set for an arbitrary value By selecting Calculate ( , ),
Calculate ,
Any Select ,
Calculate ,
Calculate ,
Proof value( ) and create
The above anonymous credential signature ( ) and transmit the set of properties (B) to be disclosed to the verification server.
Anonymous credential authentication system. In Article 10,
The verification server is
Calculate ,
The first verification formula ( ) using the above proof value ( ) to verify the validity,
Calculate ,
Second verification formula ( ) to verify the anonymous credential signature,
Anonymous credential authentication system. In a credential issuing server that issues credentials to user devices in an anonymous credential authentication system,
Security constant( ) and a key generation unit that generates a system public key and a master secret key by performing a system key generation algorithm that takes as input the maximum number of attributes (m, m is an arbitrary natural number); and
Including a credential issuing unit that issues the credential to the user device;
The above key generation section
Pairing parameters ( ) and create
Cryptographic hash function( ) and select
Setup algorithm of CS(Complete Subtree) technique( ) to set the maximum number of users ( , generate a binary tree (BT) corresponding to n (where n is an arbitrary natural number),
Any By creating and , , , , , Calculate ,
Any By creating class By calculating,
The above master secret key ( and the above system public key ( ) to create,
Credential issuing server. A method for anonymous credential authentication performed on an anonymous credential authentication system including a credential issuing server, a user device, and a verification server,
A step in which the credential issuing server generates a system public key and a master private key using the CS (Complete Subtree) technique;
A step in which the user device generates a user public key and a user secret key using the system public key;
A step in which the credential issuing server issues a credential to the user device;
A step in which the credential issuing server generates and distributes information based on a list of users who have withdrawn;
The step of the user device generating an anonymous credential signature and transmitting the anonymous credential signature to the verification server; and
The above verification server comprises a step of verifying the anonymous credential signature,
The steps for generating the above system public key and the above master private key are:
Pairing parameters ( ) generating step;
Cryptographic hash function( ) step of selecting;
Maximum number of users ( , a step of generating a binary tree (BT) by executing the setup algorithm (CS.Setup(N)) of the CS (Complete Subtree) technique for n (where n is an arbitrary natural number);
Any By creating and , , , , , Steps to calculate ;
Any By creating class Steps for calculating; and
The above master secret key ( and the above system public key ( ), comprising the steps of setting
Anonymous credential authentication method. delete In a method for a credential issuing server to issue a credential to a user device,
Security constant( ) and a maximum number of attributes (m, m is an arbitrary natural number) as inputs to generate a system public key and a master secret key by performing a system key generation algorithm; and
Comprising a step of issuing the credential to the user device,
The steps for generating the above system public key and master private key are:
Pairing parameters ( ) generating step;
Cryptographic hash function( ) step of selecting;
The maximum number of users (CS.Setup(N)) is obtained by using the setup algorithm of the CS(Complete Subtree) technique. , a step of generating a binary tree (BT) corresponding to n (where n is an arbitrary natural number);
Any By creating and , , , , , Steps to calculate ;
Any By creating class Steps for calculating; and
The above master secret key ( and the above system public key ( ), comprising the steps of setting
How to issue credentials.

Images