We show that the efficient revocation mechanism designed for U-Prove enables a system provider to efficiently trace the users' activities. Namely, the Revocation Authority run the system provider may execute the U-Prove protocol in a malicious way so that: (a) the deviations from the protocol remain undetected, (b) the Revocation Authority becomes aware of each single authentication of a user in the whole system and can link them (regardless which attributes are disclosed by the user against the verifiers), (c) can link presentation tokens with the corresponding token issuing procedure (under some conditions).
Thereby, the system described in the technical drafts of U-Prove does not protect privacy of a user unless one can unconditionally trust the system provider. In fact, a malicious system provider may convert the Revocation Authority into a ``Big Brother'' installation.
Category / Keywords: cryptographic protocols / anonymous credential, U-Prove, revocation, tracing attack, cryptographic accumulator, witness Original Publication (with major differences): to appear at ACM ASIA CCS 2015 Date: received 12 Feb 2015 Contact author: przemyslaw kubiak at pwr wroc pl Available format(s): PDF | BibTeX Citation Version: 20150224:014915 (All versions of this report) Short URL: ia.cr/2015/108 Discussion forum: Show discussion | Start new discussion