Jesús García-Rodríguez,Stephan Krenn,Daniel Slamanig

DOI: https://doi.org/10.1016/j.cose.2023.103566

IF: 5.105

2024-01-01

Computers & Security

Abstract:Anonymous or attribute-based credential (ABC) systems are a versatile and important cryptographic tool to achieve strong access control guarantees while simultaneously respecting the privacy of individuals. A major problem in the practical adoption of ABCs is their transferability, i.e., such credentials can easily be duplicated, shared or lent. One way to counter this problem is to tie ABCs to biometric features of the credential holder and to require biometric verification on every use. While this is certainly not a viable solution for all ABC use-cases, there are relevant and timely use-cases, such as vaccination credentials as widely deployed during the COVID-19 pandemic. In such settings, ABCs that are tied to biometrics, which we call Biometric-Bound Attribute-Based Credentials (bb-ABC ), allow to implement scalable and privacy-friendly systems to control physical access to (critical) infrastructure and facilities. While there are some previous works on bb-ABC in the literature, the state of affairs is not satisfactory. Firstly, in existing work the problem is treated in a very abstract way when it comes to the actual type of biometrics. Thus, it does not provide concrete solutions which allow for assessing their practicality when deployed in a real-world setting. Secondly, there is no formal model which rigorously captures bb-ABC systems and their security requirements, making it hard to assess their security guarantees. With this work we overcome these limitations and provide a rigorous formalization of bb-ABC systems. Moreover, we introduce two generic constructions which offer different trade-offs between efficiency and trust assumptions, and provide benchmarks from a concrete instantiation of such a system using facial biometrics. The latter represents a contact-less biometric feature that provides acceptable accuracy and seems particularly suitable to the above use-case.

computer science, information systems

Andrea Flamini,Giada Sciarretta,Mario Scuro,Amir Sharif,Alessandro Tomasi,Silvio Ranise

2024-01-16

Abstract:Verifiable credentials are a digital analogue of physical credentials. Their authenticity and integrity are protected by means of cryptographic techniques, and they can be presented to verifiers to reveal attributes or even predicates about the attributes included in the credential. One way to preserve privacy during presentation consists in selectively disclosing the attributes in a credential. In this paper we present the most widespread cryptographic mechanisms used to enable selective disclosure of attributes identifying two categories: the ones based on hiding commitments - e.g., mdl ISO/IEC 18013-5 - and the ones based on non-interactive zero-knowledge proofs - e.g., BBS signatures. We also include a description of the cryptographic primitives used to design such cryptographic mechanisms. We describe the design of the cryptographic mechanisms and compare them by performing an analysis on their standard maturity in terms of standardization, cryptographic agility and quantum safety, then we compare the features that they support with main focus on the unlinkability of presentations, the ability to create predicate proofs and support for threshold credential issuance. Finally we perform an experimental evaluation based on the Rust open source implementations that we have considered most relevant. In particular we evaluate the size of credentials and presentations built using different cryptographic mechanisms and the time needed to generate and verify them. We also highlight some trade-offs that must be considered in the instantiation of the cryptographic mechanisms.

Cryptography and Security

Caimei Wang,Yan Xiong,Wenjuan Cheng,Wenchao Huang,Huihua Xia,Jianmeng Huang

2017-01-01

Abstract:A selective disclosure attribute-based credential system (SDABCS) can provide a communication mechanism to protect both security and privacy in electronic communication, by issuing a kind of credential with attributes, which the user can disclose parts of attributes. We present a general framework for formally verification of SDABCS with applied Pi calculus, and provide three definitions of relevant security properties. The framework can implement secure communication among the user, service provider and trusted authority. Two important functions are implemented: the first allows the user to receive a credential encoded a list of attributes from a trusted authority; the second allows the user to convince a service provider with the credential. Particularly, the user can selectively reveal parts of the attributes according to the needs of service provider, while not revealing the rest of the attributes. In our experiments, we apply the framework to a concrete security protocol and successfully prove three security properties in the protocol using ProVerif.

Denis Roio,Rebecca Selvaggini,Gabriele Bellini,Andrea D'Intino

2024-08-16

Abstract:Ensuring privacy and protection from issuer corruption in digital identity systems is crucial. We propose a method for selective disclosure and privacy-preserving revocation of digital credentials using second-order Elliptic Curves and Boneh-Lynn-Shacham (BLS) signatures. We make holders able to present proofs of possession of selected credentials without disclosing them, and we protect their presentations from replay attacks. Revocations may be distributed among multiple revocation issuers using publicly verifiable secret sharing (PVSS) and activated only by configurable consensus, ensuring robust protection against issuer corruption. Our system's unique design enables extremely fast revocation checks, even with large revocation lists, leveraging optimized hash map lookups.

Cryptography and Security

Panagiotis Grontas,Aris Pagourtzis,Alexandros Zacharakis,Bingsheng Zhang

DOI: https://doi.org/10.3233/jcs-181270

2021-01-01

Journal of Computer Security

Abstract:This work formalizes Publicly Auditable Conditional Blind Signatures (PACBS), a new cryptographic primitive that allows the verifiable issuance of blind signatures, the validity of which is contingent upon a predicate and decided by a designated verifier. In particular, when a user requests the signing of a message, blinded to protect her privacy, the signer embeds data in the signature that makes it valid if and only if a condition holds. A verifier, identified by a private key, can check the signature and learn the value of the predicate. Auditability mechanisms in the form of non-interactive zero-knowledge proofs are provided, so that a cheating signer cannot issue arbitrary signatures and a cheating verifier cannot ignore the embedded condition. The security properties of this new primitive are defined using cryptographic games. A proof-of-concept construction, based on the Okamoto–Schnorr blind signatures infused with a plaintext equivalence test is presented and its security is analyzed.

Jonathan Heiss,Robert Muth,Frank Pallas,Stefan Tai

DOI: https://doi.org/10.48550/arXiv.2209.09584

2022-09-20

Cryptography and Security

Abstract:Many service systems rely on verifiable identity-related information of their users. Manipulation and unwanted exposure of this privacy-relevant information, however, must at the same time be prevented and avoided. Peer-to-peer blockchain-based decentralization with a smart contract-based execution model and verifiable off-chain computations leveraging zero-knowledge proofs promise to provide the basis for next-generation, non-disclosing credential management solutions. In this paper, we propose a novel credential on-chaining system that ensures blockchain-based transparency while preserving pseudonymity. We present a general model compliant to the W3C verifiable credential recommendation and demonstrate how it can be applied to solve existing problems that require computational identity-related attribute verification. Our zkSNARKs-based reference implementation and evaluation show that, compared to related approaches based on, e.g., CL-signatures, our approach provides significant performance advantages and more flexible proof mechanisms, underpinning our vision of increasingly decentralized, transparent, and trustworthy service systems.

Le Gao,Junzhe Zhang,Jiaxin Yu,Yin Tang,Zhiqiang Zeng

DOI: https://doi.org/10.3934/math.2024302

2024-01-01

AIMS Mathematics

Abstract:The rapid development of blockchain transactions highlights the importance of privacy protection (including anonymity and confidentiality) and underscores the necessity for auditability. Some schemes, such as PGC and Miniledger, support privacy protection and auditability. However, they only offer incomplete privacy protection (i.e., supporting anonymity or confidentiality exclusively). In response to these issues, we propose a scheme that achieves partial anonymity, confidentiality, auditability, and traceability. By integrating a variant of Pedersen commitments and randomizable signatures, we achieve partial anonymity for users and the auditability of transactions, thereby protecting user privacy under audit conditions. Based on the twisted ElGamal encryption algorithm and specially constructed zero-knowledge proofs, we achieve confidentiality of transaction amounts under legal and regulatory conditions. System test results indicate that this scheme effectively meets the above requirements. The feasibility of this scheme is confirmed through system testing, comparative analysis, and security analysis.

mathematics, applied

Zhixin Ren,Enhua Yan,Taowei Chen,Yimin Yu

DOI: https://doi.org/10.1016/j.jksuci.2024.101969

IF: 9.006

2024-03-02

Journal of King Saud University - Computer and Information Sciences

Abstract:Nowadays, the integration of blockchain technology with Ciphertext-Policy Attribute-Based Encryption (CP-ABE) has drawn the researcher attention because it can provide key security auditing and transaction traceability in the context of data sharing. However, in a majority of existing blockchain-based CP-ABE schemes, private keys were still issued by one central authority that would lead to heavy computation, higher transaction costs, and restricted scalability within the decentralized system. To address these challenges, we present an enhancement approach towards utilizing distributed key management service (KMS) and zero-knowledge paradigms. In our improved novel blockchain system model, we define two types of blockchain nodes for the CP-ABE scheme through staking mechanism. Firstly, the proxy re-encryption nodes are introduced to offer secure multi-party management and distribution of the CP-ABE's master secret key, eliminating dependence on a central authority and producing proofs of re-encryption correctness. Secondly, the operator nodes can collect all transactional information in blockchain-based CP-ABE scheme and then send the Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARKs) proofs to verify the batch's integrity via smart contract. Subsequently, we employ the staking economic incentive model with reward determination and slashing in the decentralized blockchain system to ensure network security. Finally, simulation results validate the effectiveness of our proposed scheme in achieving secure and efficient data sharing. Even amidst the pressure of 100 simultaneous transactions, the average response time for a single node remains at an approximate 28 s. Additionally, there is a notable decrease in on-chain gas consumption, with a gas reduction exceeding 61%. Comparative analyses further indicate that our blockchain-based CP-ABE scheme, in conjunction with a decentralized KMS, offers a superior balance between computational efficiency and functional capability.

computer science, information systems

Rui Guo,Kemeng Li,Xiong Li,Yinghui Zhang,Xuelei Li

DOI: https://doi.org/10.1109/JSYST.2022.3148989

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In blockchain-enabled applications, it is difficult to preserve privacy completely because of the openness of each signer's public key. In this article, an efficient multiattribute-based signature scheme with key aggregation (M-ABS-KA) is presented that supports a flexible threshold predicate. This construction aggregates the public keys and provides a compact signature that is verified as a group, which realizes faster batch verification than confirming them individually. Furthermore, both the multisignature scale and the public key length are independent of the number of signers and attributes in this scheme. To the best of our knowledge, this M-ABS-KA scheme is the first multi-ABS protocol with an aggregated public key and fast batch verification. Based on the hardness of the computational Diffie-Hellman problem, it is formally proven that the proposal achieves unforgeability in the random oracle model and enjoys signer privacy. Additionally, the performance is evaluated in theoretical and experimental analyses with other related ABS schemes, and the results show that it is feasible and efficient in storage, bandwidth, and computational cost. Finally, as an illustrative application, we design a framework of the blockchain-enabled electronic health records assessment system based on this presented M-ABS-KA scheme.

Fagen Li,Jiaojiao Hong,Anyembe Andrew Omala

DOI: https://doi.org/10.1007/s11276-016-1317-9

IF: 2.701

2016-01-01

Wireless Networks

Abstract:Pervasive computing environments allow users to get services anytime and anywhere. Security has become a great challenge in pervasive computing environments because of its heterogeneity, openness, mobility and dynamicity. In this paper, we propose two heterogeneous deniable authentication protocols for pervasive computing environments using bilinear pairings. The first protocol allows a sender in a public key infrastructure (PKI) environment to send a message to a receiver in an identity-based cryptography (IBC) environment. The second protocol allows a sender in the IBC environment to send a message to a receiver in the PKI environment. Our protocols admits formal security proof in the random oracle model under the bilinear Diffie–Hellman assumption. In addition, our protocols support batch verification that can speed up the verification of authenticators. The characteristic makes our protocols useful in pervasive computing environments.

Kai Zhang,Junqing Gong,Shaohua Tang,Jie Chen,Xiangxue Li,Haifeng Qian,Zhenfu Cao

DOI: https://doi.org/10.1145/2897845.2897858

2016-01-01

Abstract:In cloud computing, computationally weak users are always willing to outsource costly computations to a cloud, and at the same time they need to check the correctness of the result provided by the cloud. Such activities motivate the occurrence of verifiable computation (VC). Recently, Parno, Raykova and Vaikuntanathan showed any VC protocol can be constructed from an attribute-based encryption (ABE) scheme for a same class of functions. In this paper, we propose two practical and efficient semi-adaptively secure key-policy attribute-based encryption (KP-ABE) schemes with constant-size ciphertexts. The semi-adaptive security requires that the adversary designates the challenge attribute set after it receives public parameters but before it issues any secret key query, which is stronger than selective security guarantee. Our first construction deals with small universe while the second one supports large universe. Both constructions employ the technique underlying the prime-order instantiation of nested dual system groups, which are based on the $d$-linear assumption including SXDH and DLIN assumptions. In order to evaluate the performance, we implement our ABE schemes using $\textsf{Python}$ language in Charm. Compared with previous KP-ABE schemes with constant-size ciphertexts, our constructions achieve shorter ciphertext and secret key sizes, and require low computation costs, especially under the SXDH assumption.

James Alderman,Carlos Cid,Jason Crampton,Christian Janson

DOI: https://doi.org/10.48550/arXiv.1406.5720

2014-06-22

Abstract:The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to a server and to be able to verify that the resulting value is correct. Previous work in this area of Publicly Verifiable Outsourced Computation (PVC) requires a costly pre-processing stage. However, in many practical situations multiple clients will be interested in the same set of core functions and will make use of the same servers. Thus, the pre-processing phase may be performed many more times than is necessary. In this paper we introduce a Key Distribution Center (KDC) that handles the generation and distribution of the keys that are required to support PVC, thereby eliminating this redundancy. We define a number of new security models and functionalities that arise with the introduction of the KDC, and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.

Cryptography and Security

Chunping Zhu,Xingkai Wang,Zhen Liu

DOI: https://doi.org/10.1007/978-981-97-0942-7_3

2024-01-01

Abstract:In recent years, the rapid development of blockchain-based applications, such as cryptocurrencies, has raised concerns about privacy preservation within the blockchain community. One widely adopted technique for privacy preservation is the use of Stealth Address, which serves as a crucial component of Monero’s Ring Confidential Transaction (RingCT) protocol. Liu et al. (EuroS &P’19) introduced and formalized a new signature variant called the Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key (PDPKS), and gave a systematically definition on the Stealth Address in both syntax and security definition. This signature variant goes beyond defining the necessary functionality but also capturing safety and privacy requirements, by introducing two game-based security definitions respectively. Rather than in a standalone mode, PDPKS protocol is typically executed alongside other secure components within a complex blockchain system to achieve various security objectives. However, achieving security of a comprehensive system requires additional analysis on the entire system, considering mutual impacts among protocols. Hence, it is crucial to introduce a unified and systematic definition that can describe the security in a universally composable (UC) manner. This paper focuses on formalizing the security of PDPKS in the UC framework, which provides a stronger security definition and ensures that the protocol can be designed and analyzed modularly, so that any specific constructions that satisfy the security requirements defined in the proposed UC model can be securely used as building blocks in complex blockchain systems, without any security concerns. To have a concrete construction that satisfies the UC-security proposed in this paper, we conducted an analysis of the conventional game-based security definitions put forth by Liu et al., and proved that the equivalence between the UC-security of PDPKS and the simultaneous satisfaction of the two game-based security definitions. As a result, this implies that the construction proposed by Liu et al. is a UC-secure PDPKS construction. Besides, the proved equivalence also contributes to a general framework wherein any PDPKS construction that satisfies Liu et al.’s security definition will also satisfies UC-security. This framework enables the use of these PDPKS constructions as secure building blocks in the design and implementation of UC-secure blockchain systems.

Jing He,Xiaofeng MA,Dawei Zhang,Feng Peng

DOI: https://doi.org/10.1051/sands/2024013

2024-10-16

Security and Safety

Abstract:Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credential to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers' struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Yuxian Li,Jian Weng,Wei Wu,Ming Li,Yingjiu Li,Haoxin Tu,Yongdong Wu,Robert.H. Deng

DOI: https://doi.org/10.1016/j.jpdc.2023.104721

IF: 4.542

2023-06-03

Journal of Parallel and Distributed Computing

Abstract:Blockchain systems, one of the most popular distributed systems, are well-applied in various scenarios, e.g., logistics and finance. However, traditional blockchain systems suffer from scalability issues. To tackle this issue, Payment Channel Hubs (PCHs) are proposed. Recent efforts, such as A2L (SP'21) and Teechain (SOSP'19), enhance the privacy, reusability, and interoperability properties of PCHs. Nevertheless, these solutions have intrinsic limitations: they rely on trusted hardware or suffer from the deposit lock-in problem. Furthermore, the functionalities of some of these solutions are restricted to fixed-amount payments and do not support multi-party participation. These aforementioned problems limit their capabilities to alleviate blockchain scalability issues. In this paper, we propose PRI, a novel PCH solution that simultaneously guarantees transaction P rivacy (i.e., relationship unlinkability and value confidentiality), deposit R eusability, and blockchain I nteroperability, which can mitigate the aforementioned problems. PRI is constructed by several new building blocks, including (1) an atomic deposit protocol that enforces user and hub to deposit equivalent assets in a shared address for building a fair payment channel; (2) a privacy-preserving deposit certification scheme that leverages the Pointcheval and Sanders signature and non-interactive zero-knowledge proof to resolve the deposit lock-in issue in maintaining payment channels; (3) a range proof which ensures the legality and confidentiality of transaction values. We conduct extensive experimental evaluations of PRI, demonstrating that it improves the state-of-the-art approaches in terms of performance.

computer science, theory & methods

Liang Zhang,Feiyang Qiu,Feng Hao,Haibin Kan

DOI: https://doi.org/10.1109/tifs.2022.3152356

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed key generation (DKG) is widely used in multi-party computation and decentralized applications. DKG has two phases, namely sharing and reconstruction. Most of the prior DKG protocols need at least 2 rounds for the sharing phase, in case some party raises a dispute. The existing 1-round DKG protocol [Fouque et al. , PKC’01], built based on a publicly verifiable secret sharing (PVSS) scheme, assumes a static adversary model and its reconstruction phase requires $O(n^{2})$ communication complexity. Motivated by the observation that a ciphertext-policy attribute-based encryption (CP-ABE) scheme hides secret sharing (SS) in ciphertext, we utilize decentralized CP-ABE to achieve the first adaptively secure 1-round DKG protocol. Firstly, a CP-ABE scheme enables the ciphertexts in DKG to be externally decrypted, making our protocol superior to the PVSS-based DKG protocol in reconstruction. The communication and computation complexities are both lowered to $O(n)$ thanks to the constant-sized decryption key and the proposed batch decryption. The use of CP-ABE also makes our DKG protocol storage-friendly, i.e., the parties store no ciphertext after the sharing phase. Secondly, we add non-interactive zero-knowledge (NIZK) proofs to make the CP-ABE ciphertext publicly verifiable by leveraging the sigma protocol and the Fiat-Shamir heuristic. Thirdly, we demonstrate our protocol’s feasibility by presenting a proof-of-concept implementation over Ethereum, which is used as a public channel and a trustworthy computation platform. The implementation is a non-trivial task due to Ethereum’s incompatibility with the bilinear mapping group.

Li Zhiji,Zhiji Li

DOI: https://doi.org/10.4236/jis.2022.132003

2022-01-01

Journal of Information Security

Abstract:Decentralized identity authentication is generally based on blockchain, with the protection of user privacy as the core appeal. But traditional decentralized credential system requires users to show all the information of the entire credential to the verifier, resulting in unnecessary overexposure of personal information. From the perspective of user privacy, this paper proposed a verifiable credential scheme with selective disclosure based on BLS (Bohen- Lynn-Shacham) aggregate signature. Instead of signing the credentials, we sign the claims in the credentials. When the user needs to present the credential to verifier, the user can select a part of but not all claims to be presented. To reduce the number of signatures of claims after selective disclosure, BLS aggregate signature is achieved to aggregate signatures of claims into one signature. In addition, our scheme also supports the aggregation of credentials from different users. As a result, verifier only needs to verify one signature in the credential to achieve the purpose of batch verification of credentials. We analyze the security of our aggregate signature scheme, which can effectively resist aggregate signature forgery attack and credential theft attack. The simulation results show that our selective disclosure scheme based on BLS aggregate signature is acceptable in terms of verification efficiency, and can reduce the storage cost and communication overhead. As a result, our scheme is suitable for blockchain, which is strict on bandwidth and storage overhead.

Cristina Vilchez Moya,Juan Ramón Bermejo Higuera,Javier Bermejo Higuera,Juan Antonio Sicilia Montalvo

DOI: https://doi.org/10.3390/app13095552

2023-04-29

Applied Sciences

Abstract:The problem of digital identity acquires more relevance every day in the eyes of a society that spends more and more time connected to the Internet. It has evolved throughout its history to reach a decentralized model known as Self-Sovereign Identity (SSI), which finds its natural tools in the blockchain technology and Zero-Knowledge Proofs (ZKPs). ZKPs, in this context, allow users to prove that their credentials are legitimate without revealing more information than is strictly necessary, and constitute one of the most promising areas of applied cryptography. In this work, an application is developed for the study of Zero-Knowledge Proof methods and, specifically, in their application for authentication in public-private key encryption systems. It focuses on the study of three ZKP protocols (Feige-Fiat-Shamir, Guillou-Quisquater, and Schnorr, which rely on the problems of large number factorizations and discrete logarithms for security) in the practical use-case where a prover wants to demonstrate knowledge of a private key for a public key without revealing the key itself. The application allows the user to modify the necessary parameters in each method to achieve a better understanding of their role in their safety and efficiency. Several types of attacks are carried out against the above-mentioned protocols to analyze their degree of security and what recommendations can be made to improve it.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Tao Yang,Liyong Tang,Lingbo Kong,Zhong Chen

DOI: https://doi.org/10.1109/fskd.2012.6233869

2012-01-01

Abstract:Recently, distributed online social networks (OSNs) are developed to address the security and privacy issues in centralized OSNs. Identity based cryptography (IBC) was introduced into distributed OSNs recently for better identity verification and authentication purposes. However, current IBC-based solutions in OSNs could not address the problem of secure private key issuing. In this paper we propose PEKING: a novel Pivacy Enhanced Key IssuiNG scheme for distributed online social networks using IBC. Our scheme adopts key generate center (KGC) and key privacy assistants (PAs) to issue keys to peers securely. In the scheme, PAs can be selected from users' friends. Neither KGC nor PAs can impersonate the users to obtain the private keys. Furthermore, to maintain the security of PAs, we develop a scheme to authenticate PAs using Byzantine fault tolerance protocol. The experimental results show that PEKING performs effectively and efficiently, and is able to support large scale networks.

Jinhua Ma,Shengmin Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3324736

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Bilateral access control model, emerging as a novel paradigm in access control, has garnered extensive deployment within the domain of fog computing. This model offers on-demand data services, enabling the efficient identification of sensitive data without resorting to resource-intensive decryption procedures. Nonetheless, prevailing solutions exhibit impracticalities. Specifically, they fall short in supporting adaptive security, while presuming unwavering trustworthiness of the central authority. In this paper, we introduce a pioneering fine-grained and adaptively secure bilateral access control system through enhancements to the matchmaking attribute-based encryption (MABE) framework. We give a formalized definition of MABE, incorporating desirable security features such as blindness and unlinkability, aimed at capturing potential misconduct by the central authority. We propose a generic construction of MABE, drawing upon attribute-based encryption (ABE) and anonymous credential schemes (ACS), with provable security via formal security reduction in the adaptive model. We present an efficient instantiation of the MABE framework by introducing a practical ACS solution, wherein a cryptographic accumulator is employed to enhance performance. Experimental simulations substantiate that our solution not only has superior functionalities but also demonstrates performance on par with state-of-the-art solutions.