Privacy-Preserving Blueprints.

If everyone were to use anonymous credentials for all access control needs, it would be impossible to trace wrongdoers, by design. This would make legitimate controls, such as tracing illicit trade and terror suspects, impossible to carry out. Here, we propose a privacy-preserving blueprint capability that allows an auditor to publish an encoding pk A of the function f ( x , · ) for a publicly known function f and a secret input x . For example, x may be a secret watchlist, and f ( x , y ) may return y if y ∈ x . On input her data y and the auditor’s pk A , a user can compute an escrow Z such that anyone can verify that Z was computed correctly from the user’s credential attributes, and moreover, the auditor can recover f ( x , y ) from Z . Our contributions are: We define secure f -blueprint systems; our definition is designed to provide a modular extension to anonymous credential systems. We show that secure f -blueprint systems can be constructed for all functions f from fully homomorphic encryption and NIZK proof systems. This result is of theoretical interest but is not efficient enough for practical use. We realize an optimal blueprint system under the DDH assumption in the random-oracle model for the watchlist function.