1

I read some materials about MS U-Prove and IBM Idemix.

But according to these materials, the opinion about revocation is different.

Some materials say that U-Prove and Idemix do not provide revocation, but others say that they do.

I tried to read technical papers about both but it was too hard to read.

Am I correct in understanding that only a user (not issuer or IdP) of both schemes can revoke it voluntarily?

Can anyone explain the specific details of revocation in U-Prove and Idemix?

Thanks


U-prove: https://www.microsoft.com/en-us/research/project/u-prove/

Idemix: http://www.research.ibm.com/labs/zurich/idemix/

takita

1 Answer

0

I did not investigate official implementations, so my analysis is based solely on the referenced papers and documentation.

U-Prove

Idemix


Revocation in these two Anonymous Credential (AC) systems refers to different functionalities:

  1. U-Prove:
    In U-Prove, revocation corresponds to invalidating a U-Prove token, effectively revoking the associated credential. The U-Prove Technology Overview identifies 3 types of credential revocation, but the U-Prove Cryptographic Specification does not elaborate on them, so I assume they were envisioned but not designed. The underlying idea resembles a Certificate Revocation List, which is, as we all know, inherently imperfect. An add-on functionality was proposed in Microsoft's paper, suggesting the use of a dynamic accumulator. However, this approach was later shown to be flawed by Hanzlik, Kutyłowski, and Kubiak, as it inadvertently allowed linkability.

  2. Idemix:
    In Idemix, revocation refers to de-anonymization or revealing a user's pseudonym under predefined conditions. The process more or less works as follows:

    • The user U and a verification organization O_V agree on specific revocation conditions.
    • These conditions are shared with a trusted third party responsible for de-anonymization O_D.
    • During credential presentation to O_V, U encrypts their pseudonym N using O_D's public key and includes this ciphertext along with the typical credential data.
    • The encryption mechanism ensures that O_V can verify using the O_D public key that the ciphertext corresponds to U's pseudonym but cannot decrypt it directly.

    If U misbehaves, O_V can submit evidence (e.g., a transcript of the misbehavior) to O_D, which can then reveal U's pseudonym to O_V for accountability (local de-anonymization, or, as fantastically misspelled in the paper, "lobal de-anonymization").
    This scheme can be further strengthened by introducing a Root Pseudonym Authority that maintains the pseudonym-to-identity mapping and thus allows O_V to learn U's identity (global de-anonymization).


TL;DR

Both systems offer revocation functionality, but the meaning differs:

  • U-Prove: Revocation invalidates a credential, which can be initiated by the issuer, verifier, or a quorum of users (it was proposed in the technology overview but not addressed in the cryptographic overview; perhaps that's the reason why some claim that "U-Prove does not provide revocation").
  • Idemix: Revocation involves controlled de-anonymization, allowing a verifier to identify a misbehaving user’s pseudonym with the help of a trusted arbiter.

Side Note

Without delving into cryptographic specifics, Idemix feels like a more mature technology in terms of development, adoption, and cryptographic rigor. U-Prove's official documentation has no security proofs or design argumentation.
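
The Idemix-style flow described in the answer (U encrypts the pseudonym under O_D's key, O_V checks the ciphertext without being able to open it, O_D decrypts on misbehavior) can be sketched as follows. This is an added example, not part of the answer and not Idemix's actual construction: it assumes a pseudonym of the form N = g^x, substitutes ElGamal plus a Schnorr-style equality proof for the paper's verifiable encryption, lets a commitment C stand in for the credential show, and uses constructed toy parameters; all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G and K of order Q.
# Assumption: nobody knows log_G(K); a real system derives K verifiably.
P, Q, G, K = 2039, 1019, 4, 9

def rnd():
    return secrets.randbelow(Q - 1) + 1

def challenge(*vals):
    # Fiat-Shamir challenge over the whole statement and the prover's commitments
    data = ",".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def od_keygen():
    d = rnd()
    return d, pow(G, d, P)          # O_D's secret key d, public key h = g^d

def user_present(x, h):
    """U: commit to x, encrypt N = g^x under h, prove both hide the same x."""
    s, r = rnd(), rnd()
    C = pow(G, x, P) * pow(K, s, P) % P                  # stand-in for the credential show
    c1, c2 = pow(G, r, P), pow(G, x, P) * pow(h, r, P) % P   # ElGamal encryption of N
    a, b, c = rnd(), rnd(), rnd()
    t = (pow(G, a, P) * pow(K, b, P) % P, pow(G, c, P),
         pow(G, a, P) * pow(h, c, P) % P)
    e = challenge(h, C, c1, c2, *t)
    z = ((a + e * x) % Q, (b + e * s) % Q, (c + e * r) % Q)
    return C, (c1, c2), (t, z)

def ov_verify(h, C, ct, proof):
    """O_V: needs only O_D's public key; learns neither x nor N."""
    (c1, c2), (t, (zx, zs, zr)) = ct, proof
    e = challenge(h, C, c1, c2, *t)
    return (pow(G, zx, P) * pow(K, zs, P) % P == t[0] * pow(C, e, P) % P
            and pow(G, zr, P) == t[1] * pow(c1, e, P) % P
            and pow(G, zx, P) * pow(h, zr, P) % P == t[2] * pow(c2, e, P) % P)

def od_deanonymize(d, ct):
    """O_D: recover the pseudonym N = c2 / c1^d once the agreed condition is met."""
    c1, c2 = ct
    return c2 * pow(c1, Q - d, P) % P
```

The shared response `zx` in the first and third checks is what ties the ciphertext to the value inside C; a ciphertext swapped after the proof was made no longer verifies.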