Paper 2024/1139
Anonymous Outsourced Statekeeping with Reduced Server Storage
Abstract
Strike-lists are a common technique for rollback and replay prevention in protocols that require that clients remain anonymous or that their current position in a state machine remain confidential. Strike-lists are heavily used in anonymous credentials, e-cash schemes, and trusted execution environments, and are widely deployed on the web in the form of Privacy Pass (PoPETS '18) and Google Private State Tokens. In such protocols, clients submit pseudorandom tokens associated with each action (e.g., a page view in Privacy Pass) or state transition, and the token is added to a server-side list to prevent reuse. Unfortunately, the size of a strike-list, and hence the storage required by the server, is proportional to the total number of issued tokens, $N \cdot t$, where $N$ is the number of clients and $t$ is the maximum number of tickets per client. In this work, we ask whether it is possible to realize a strike-list-like functionality, which we call the anonymous tickets functionality, with storage requirements proportional to $N \log(t)$. For the anonymous tickets functionality we construct a secure protocol from standard assumptions that achieves server storage of $O(N)$ ciphertexts, where each ciphertext encrypts a message of length $O(\log(t))$. We also consider an extension of the strike-list functionality where the server stores an arbitrary state for each client and clients advance their state with some function $s_i\gets f(s_{i-1},\mathsf{auxinput})$, which we call the anonymous outsourced state-keeping functionality. In this setting, malicious clients are prevented from rolling back their state, while honest clients are guaranteed anonymity and confidentiality against a malicious server. We achieve analogous results in this setting for two different classes of functions. Our results rely on a new technique to preserve client anonymity in the face of selective failure attacks by a malicious server. Specifically, our protocol guarantees that misbehavior of the server either (1) does not prevent the honest client from redeeming a ticket or (2) provides the honest client with an escape hatch that can be used to simulate a redeem in a way that is indistinguishable to the server.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- anonymous ticketsanonymous outsourced statekeepingNIZKadditively homomorphic encryption
- Contact author(s)
-
danadach @ umd edu
esha ghosh @ microsoft com
mliang @ umd edu
imiers @ umd edu
micro @ umd edu - History
- 2024-07-15: approved
- 2024-07-12: received
- See all versions
- Short URL
- https://ia.cr/2024/1139
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/1139, author = {Dana Dachman-Soled and Esha Ghosh and Mingyu Liang and Ian Miers and Michael Rosenberg}, title = {Anonymous Outsourced Statekeeping with Reduced Server Storage}, howpublished = {Cryptology {ePrint} Archive, Paper 2024/1139}, year = {2024}, url = {https://eprint.iacr.org/2024/1139} }