[Resource Topic] 2024/1139: Anonymous Outsourced Statekeeping with Reduced Server Storage

Resource Cryptographic protocols
#1

Welcome to the resource topic for 2024/1139

Title:
Anonymous Outsourced Statekeeping with Reduced Server Storage

Authors: Dana Dachman-Soled, Esha Ghosh, Mingyu Liang, Ian Miers, Michael Rosenberg

Abstract:

Strike-lists are a common technique for rollback and replay prevention in protocols that require that clients remain anonymous or that their current position in a state machine remain confidential. Strike-lists are heavily used in anonymous credentials, e-cash schemes, and trusted execution environments, and are widely deployed on the web in the form of Privacy Pass (PoPETS '18) and Google Private State Tokens.
In such protocols, clients submit pseudorandom tokens associated with each action (e.g., a page view in Privacy Pass) or state transition, and the token is added to a server-side list to prevent reuse.

Unfortunately, the size of a strike-list, and hence the storage required by the server, is proportional to the total number of issued tokens, N \cdot t, where N is the number of clients and t is the maximum number of tickets per client. In this work, we ask whether it is possible to realize a strike-list-like functionality, which we call the anonymous tickets functionality, with storage requirements proportional to N \log(t).

For the anonymous tickets functionality we construct a secure protocol from standard assumptions that achieves server storage of O(N) ciphertexts, where each ciphertext encrypts a message of length O(\log(t)). We also consider an extension of the strike-list functionality where the server stores an arbitrary state for each client and clients advance their state with some function s_i\gets f(s_{i-1},\mathsf{auxinput}), which we call the anonymous outsourced state-keeping functionality. In this setting, malicious clients are prevented from rolling back their state, while honest clients are guaranteed anonymity and confidentiality against a malicious server. We achieve analogous results in this setting for two different classes of functions.

Our results rely on a new technique to preserve client anonymity in the face of selective failure attacks by a malicious server. Specifically, our protocol guarantees that misbehavior of the server either (1) does not prevent the honest client from redeeming a ticket or (2) provides the honest client with an escape hatch that can be used to simulate a redeem in a way that is indistinguishable to the server.

ePrint: https://eprint.iacr.org/2024/1139

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .