Lara: Lightweight Anonymous Authentication with Asynchronous Revocation Auditability

TL;DR

Lara introduces a lightweight anonymous authentication scheme that ensures privacy-preserving pseudonym revocation without relying on synchronized time, using efficient cryptographic primitives and data structures.

Contribution

Lara is the first scheme to achieve asynchronous revocation auditability without shared time assumptions, enhancing privacy and efficiency in anonymous authentication.

Findings

Lara effectively prevents privacy breaches during pseudonym revocation.

The scheme is computationally efficient with practical implementation results.

Lara does not depend on synchronized clocks, avoiding issues with clock skew.

Abstract

Anonymous authentication is a technique that allows to combine access control with privacy preservation. Typically, clients use different pseudonyms for each access, hindering providers from correlating their activities. To perform the revocation of pseudonyms in a privacy preserving manner is notoriously challenging. When multiple pseudonyms are revoked together, an adversary may infer that these pseudonyms belong to the same client and perform privacy breaking correlations, in particular if these pseudonyms have already been used. Backward unlinkability and revocation auditability are two properties that address this problem. Most systems that offer these properties rely on some sort of time slots, which assume a common reference of time that must be shared among clients and providers; for instance, the client must be aware that it should not use a pseudonym after a certain time or should be able to assess the freshness of a revocation list prior to perform authentication. In this paper we propose Lara, a Lightweight Anonymous Authentication with Asynchronous Revocation Auditability that does not require parties to agree on the current time slot and it is not affected by the clock skew. Prior to disclosing a pseudonym, clients are provided with a revocation list (RL) and can check that the pseudonym has not been revoked. Then, they provide a proof on non-revocation that cannot be used against any other (past or future) RL, avoiding any dependency of timing assumptions. Lara can be implemented using efficient public-key primitives and space-efficient data structures. We have implemented a prototype of Lara and have assessed experimentally its efficiency.