Paper 2024/1139

Anonymous Outsourced Statekeeping with Reduced Server Storage

Dana Dachman-Soled, University of Maryland, College Park
Esha Ghosh, Microsoft (United States)
Mingyu Liang, University of Maryland, College Park
Ian Miers, University of Maryland, College Park
Michael Rosenberg, University of Maryland, College Park

Abstract

Strike-lists are a common technique for rollback and replay prevention in protocols that require that clients remain anonymous or that their current position in a state machine remain confidential. Strike-lists are heavily used in anonymous credentials, e-cash schemes, and trusted execution environments, and are widely deployed on the web in the form of Privacy Pass (PoPETS '18) and Google Private State Tokens. In such protocols, clients submit pseudorandom tokens associated with each action (e.g., a page view in Privacy Pass) or state transition, and the token is added to a server-side list to prevent reuse. Unfortunately, the size of a strike-list, and hence the storage required by the server, is proportional to the total number of issued tokens, $N \cdot t$, where $N$ is the number of clients and $t$ is the maximum number of tickets per client. In this work, we ask whether it is possible to realize a strike-list-like functionality, which we call the anonymous tickets functionality, with storage requirements proportional to $N \log(t)$. For the anonymous tickets functionality we construct a secure protocol from standard assumptions that achieves server storage of $O(N)$ ciphertexts, where each ciphertext encrypts a message of length $O(\log(t))$. We also consider an extension of the strike-list functionality where the server stores an arbitrary state for each client and clients advance their state with some function $s_i\gets f(s_{i-1},\mathsf{auxinput})$, which we call the anonymous outsourced state-keeping functionality. In this setting, malicious clients are prevented from rolling back their state, while honest clients are guaranteed anonymity and confidentiality against a malicious server. We achieve analogous results in this setting for two different classes of functions. Our results rely on a new technique to preserve client anonymity in the face of selective failure attacks by a malicious server. 
Specifically, our protocol guarantees that misbehavior of the server either (1) does not prevent the honest client from redeeming a ticket or (2) provides the honest client with an escape hatch that can be used to simulate a redeem in a way that is indistinguishable to the server.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
anonymous tickets, anonymous outsourced statekeeping, NIZK, additively homomorphic encryption
Contact author(s)
danadach @ umd edu
esha ghosh @ microsoft com
mliang @ umd edu
imiers @ umd edu
micro @ umd edu
History
2024-07-15: approved
2024-07-12: received
Short URL
https://ia.cr/2024/1139
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1139,
      author = {Dana Dachman-Soled and Esha Ghosh and Mingyu Liang and Ian Miers and Michael Rosenberg},
      title = {Anonymous Outsourced Statekeeping with Reduced Server Storage},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1139},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/1139}},
      url = {https://eprint.iacr.org/2024/1139}
}