Functional requirements

Humanitarian organizations require the following functionality for an aid-distribution system to be suitable in their context:

Deployment requirements

Humanitarian organizations operate in extreme settings. These conditions constrain the aid-distribution system design space, as well as the technologies that can be used.

Security requirements

Humanitarian organizations are funded by voluntary contributions and there is no guarantee that such contributions will continue long-term [34]. To ensure the continuity and the stability of fundraising, donors must trust the distribution system. To promote trust, aid-distribution systems must include mechanisms to ensure that aid is only distributed to their legitimate recipients in the allocated quantity.

Privacy requirements

In the humanitarian context, recipients of aid rarely have any control or choice over which distribution system they use to get aid. Any leakage of recipient’s personal information, during operation of the program, or afterwards if the humanitarian organization is forced to leave the area without cleaning up the distribution system, can can put the recipients in danger. For example, systems built by Western actors in Afghanistan collected sensitive biometric data. In August 2021, when those actors had to leave the country, these sensitive data were left in the hands of the Taliban, raising concerns that these biometrics could be used to target political opponents [26]. Hence, distribution systems in humanitarian settings must protect recipients’ sensitive data to prevent any harm that could result from leaking these data.

Threat model

With respect to security of aid distribution (S1_limit, S2_legitimate) we assume that the registration and distribution stations are honest. This assumption is essential. A malicious registration station can simply register illegitimate recipients and change their entitlement, and a malicious distribution station could distribute however much aid to whomever it chooses. We assume (potentially illegitimate) recipients are malicious and aim to violate these security properties. For auditability (S3_auditS) we assume a malicious distribution station that tries to pass the audit check, but assume the registration station is honest.

With respect to privacy of registration data, we must trust the registration station (recall, these data are needed to verify eligibility). All other parties – distribution stations, auditors, and other recipients – are considered malicious. For privacy of transaction records and privacy of biometric data (P4_biometrics) we assume that all parties (except the recipient themselves) are malicious.

Paper-based

The ICRC reports that, currently, most aid-distribution systems are paper-based. We identify two kinds of paper-based systems which differ in how the information used at distribution is stored.

In pen-and-list solutions, the information about eligible households, their members, and their entitlement, is stored in one centralized paper list during registration, and this list is passed to the distribution station. When recipients show up at the distribution station to claim their goods, the staff checks their identity to find them on the list. Recipients can sign their names as the evidence of distribution, producing a proof-of-delivery to be used for auditing purposes.

Pen-and-list solutions satisfy the functionality requirements (F1_household, F2_modify, F3_periodic). However, the verification of recipients at the distribution station does not scale (D2_scale). It can take long time to find a name among many others, especially when names are in languages for which the distribution staff are not native or when names are handwritten. In addition, if the list is acquired by third parties at registration, or during or after the distribution, all information about all registered participants would be revealed, breaching the privacy requirements (P2_distribution, P3_auditP).

In pen-and-voucher solutions, the information about eligibility, household membership, and entitlement is decentralized in vouchers given to the recipients. The distribution station takes as input the information from recipients and, upon verification, it delivers the goods. The staff at the distribution station can mark the voucher (e.g., by punching a hole) to show that the aid has been given in the corresponding month.

Compared to using the pen-and-list approach, which enables easy modification of entitlement, the decentralized nature of the pen-and-voucher solution means modification needs the assistance from recipients who may not be willing to cooperate (F2_modify). Moreover, because information about distribution is only recorded on the voucher, auditing would require to physically gather vouchers that would act as proof-of-delivery (S3_auditS). Gathering voucher for auditing can be difficult, e.g., when using punch-cards that are carried by recipients. Even when vouchers can be easily collected, there may be personal information written or printed on the voucher, e.g., to make sure only legitimate recipients can use them (S2_legitimate). This information may breach privacy at auditing (P3_auditP).

Digital solutions

Aiming to improve scalability and auditability of paper-based systems, humanitarian organizations are exploring digital solutions. Digital solutions are easy to scale and can easily provide detailed logs for auditing. Depending on their implementation they can have different drawbacks. Solutions that digitalize vouchers in a straightforward manner suffer from the same problem: anyone with a (digital) voucher can request the goods even though the voucher does not belong to this person (S2_legitimate). To solve this problem, the distribution station needs to authenticate the recipient. For this purpose, a lot of aid-distribution systems integrate Identity Management systems (IdM) [25] and strong authentication solutions such as biometrics. In this way, the distribution station can verify ownership before providing the goods. While this resolves the legitimacy requirement, IdM-based solutions do not fulfill the privacy requirements (P1_registration, P2_distribution, P3_auditP, P4_biometrics): recipients’ behavior is linkable, the distribution station can identify recipients, auditing records can leak personal information, and the central biometric database becomes a single point of failure for privacy.

Decentralization of information into digital tokens

To avoid requiring high levels of trust on a single entity that collects all recipients’ information, we store recipients’ eligibility, entitlement information, and potentially authentication-oriented data on digital tokens that stay with the recipient. We trust tokens to keep this information private.

Using a token enables us to decentralize recipients’ information. This in turn enables the design of a system in which the distribution station does not obtain information that allows to re-identify, or track the movements of, recipients (P2_distribution); and in which we can create auditing information without the need to trust the distribution station (S3_auditS). If the system requires the use of authentication information such as biometrics, these can be stored on the token, avoiding the creation of a centralized database (P4_biometrics). We discuss the use of biometrics in Sect. 8.

The use of digital tokens removes the need to manually check eligibility at distribution (e.g., finding names on a list or checking information on a paper voucher), increasing the efficiency of the system (D2_scale).

Enabling offline use of tokens

To fulfill D1_low, we designed our protocols to work offline. Tokens communicate locally with registration and distribution stations and do not require Internet access. Throughout this paper, we assume that the communication between tokens and stations is encrypted and authenticated. As this can be achieved using standard techniques on top of our protocols, e.g., during session establishment, we omit channel encryption and authentication from the description of our systems.

Modifying information via revocation and re-issuance

Modification of information in a decentralized system is cumbersome, as once information is stored on a recipient’s token the registration station has no access to it. Since modifications are rare (F2_modify), we solve this problem by revoking tokens and re-issuing new ones with up-to-date information. We choose to implement blocklist-based revocation rather than allowlist-based revocation [11] because an allowlist-based method requires the knowledge of all the valid credentials, which may not be feasible in the field. In our design, the token receives the blocklist from the distribution station.

Preventing double dipping using household tags

A household must not be able to obtain aid more than once per round (S1_limit). At first thought, the use of strong authentication at distribution to detect recipients requesting aid more than once may seem to address this requirement. However, this does not prevent different members of the household from requesting the household-allocated aid. To ensure that different members of the same household can not obtain aid more than once per round, tokens output a household- and round-specific pseudorandom tag which they provide to the distribution station upon aid collection. The distribution station stores these tags. If another household member attempts to collect aid they must reveal their household tag for the round. Thus, the distribution station can easily detect the double-dipping attempt. We note that this mechanism does not require identifying recipients.

Non-forgeable auditing combined with crosschecking

Recall that to detect whether there have been goods not actually transferred from the organization to the recipient, the auditor should be able to find inconsistencies between the audit records and the warehouse storage. We model this by enabling the distribution station to prove the total amount of goods it was authorized to deliver to legitimate recipients. To prove this, we require tokens to output non-forgeable records at distribution that can be seen as proofs-of-delivery. These records can be aggregated, becoming a proof-of-delivery of the total amount of goods given out by the station. By comparing the aggregated total to the warehouse records, auditors can detect when the station distributes more goods than those that recipients asked for in the round (e.g., the station distributed also to illegitimate recipients or gave extra goods to legitimate recipients). When doing this comparison, auditors need to consider that numbers may not coincide for legitimate reasons (e.g., goods get broken before delivery, or some goods need to be distributed in an emergency with no time for proof collection). These cases cannot be addressed by technology and need to be resolved using analog means (e.g., with manual annotations) as in the current system. We also note that our auditing solution cannot detect the transfer of goods between legitimate recipients.

Figure 2.

Overview of the token-based scheme omitting the global setup GlobalSetup. From left to right, there are four parties: Registration Station (RS), Token (T), Distribution Station (DS), and Auditor (A). The boxes from top to bottom represent four phases:${\color{Yellow}\text{setup phase}}$, ${\color{Green}\text{registration phase}}$, ${\color{Blue}\text{distribution phase}}$, and ${\color{Red}\text{auditing phase}}$. The circled numbers match steps from Fig. 1 to the scheme. Actions happening outside the scheme are marked in gray.

Show All

Setup Phase

To set up the system, a trusted party generates cryptographic parameters that are shared by all parties. The registration station generates a key pair (sk, pk). Tokens are stateful, and token-specific algorithms update an explicit state st_T that is initialized during setup. The algorithms satisfy the following syntax.

• param ← GlobalSetup(1^ℓ). A trusted party takes as input the security parameter 1^ℓ, and returns the public parameters param. The public parameters param are implicit inputs to all other algorithms. In practice, these parameters would be obtained from well-known recommendations by experts.

• sk, pk ← SetupRS(1^ℓ). The registration station takes as input the security parameter 1^ℓ, and outputs a private-public key pair (sk, pk). The public key pk is known to all parties.

• st_T ← SetupT(1^ℓ, pk). The token takes as input the security parameter 1^ℓ and the public key pk. The token returns an initial state st_T.

Registration Phase

Recipients use a token to register in the system. This token can either be provided to them (e.g., a smart card) or be brought by the recipient (e.g., a smartphone). To start registration, the token sends a registration request to the registration station together with a description of the household (Fig. 2, step ①). If the registration oracle agrees that this household is eligible and the recipient is a member of the household, the oracle outputs an entitlement ent_H (Fig. 2, step ②). The registration station computes the response and sends it back to the token (Fig. 2, step ③). The algorithms satisfy the following syntax.

• request, st_T ← PrepareRegT(st_T). The token takes as input the internal state st_T and outputs request information request with a new state st_T.

• response, v_H ← ProcessRegRS(sk, ent_H, request). The registration station takes as input a private key sk, the entitlement ent_H of the household, and the request request. It outputs a response response, which includes information about entitlement, and a revocation value v_H for this household.

• st_T, ent_H, v_H ← FinishRegT(st_T, response). The token finishes registration by taking as input the token state st_T and the registration response response. It returns a new state st_T, the entitlement ent_H, and the revocation value v_H. For simplicity, we assume that ent_H is a scalar, but our scheme can trivially extend to vectors to support different types of goods.

The registration station stores the mapping between households and corresponding revocation values v_H. To revoke a household’s tokens, the registration station adds v_H to a public blocklist BL.

Distribution Phase

To receive aid, recipients go to the distribution station and start a request using their token. The station sends the current period ϵ and blocklist BL to the token (Fig. 2, step ④). The token ensures the period ϵ is not in the past and verifies that its own revocation value is not in BL. Then, the token sends the entitlement ent_H, a period-specific tag τ_H, and a proof of entitlement π_ent to the distribution station (Fig. 2, step ⑤). The station checks the proof of entitlement to verify that ent_H is correct and that the token has not been blocked (VerifyEntDS); and checks that the tag τ_H has not been seen before. If everything is correct, the station staff hands over the goods to the recipient, and the distribution station stores the tuple (ent_H, τ_H, π_ent) for auditing purposes. The algorithms satisfy the following syntax.

• st_T, (ent_H, τ_H, π_ent) ← ShowupT(st_T, ϵ, BL). The token takes as input its own state st_T, the distribution period ϵ, and a blocklist BL. The algorithm outputs an updated state st_T, the entitlement ent_H, a tag τ_H that is unique for this household in this period, and a proof of the entitlement π_ent.

• ⊤/⊥ ← VerifyEntDS(pk, ϵ, (ent_H, τ_H, π_ent), BL). The distribution station takes as input the public key pk, the period ϵ, the tuple (ent_H, τ_H, π_ent) from the token, and the blocklist BL. The algorithm outputs ⊤ if π_ent verifies, ⊥ otherwise.

Audit Phase

To audit transactions, the auditor requests an audit proof. The distribution station computes the transaction total ent_sum as well as a proof π_aud and sends it to the auditor (GenAudPiDS and Fig. 2, step ⑦). The auditor uses the corresponding blocklist BL to verify the proof π_aud (VerifyAudA). The algorithms satisfy the following syntax.

• ent_sum, π_aud ← GenAudPiDS(ϵ, (${\text{ent}}_H^{(i)}$, $\tau _H^{(i)}$, $\pi _{{\text{ent}}}^{(i)}$)_i, BL). The distribution station takes as input the period ϵ, tuples (${\text{ent}}_H^{(i)}$, $\tau _H^{(i)}$, $\pi _{{\text{ent}}}^{(i)}$)_i and a blocklist BL. It outputs the total entitlement ent_sum and an audit proof π_aud.

• ⊤/⊥ ← VerifyAudA(pk, ϵ, ent_sum, π_aud, BL). The auditor takes as input the period ϵ, the total entitlement ent_sum, the audit proof π_aud, and the blocklist BL that was used for these records. The algorithm outputs ⊤ if π_aud verifies, ⊥ otherwise.

Setup

In the smart card system, the global setup (GlobalSetup) outputs public parameters for the Pedersen commitment scheme and a hash function H. The registration station generates a key pair (sk, pk). The card initiates a last-seen-period counter necessary for P2_distribution (see distribution phase below). The algorithms are implemented as follows:

• param ← GlobalSetup(1^ℓ). The global setup function runs param_PC ← Com.Gen(1^ℓ) to obtain Pedersen commitment parameters and picks a cryptographic hash function H : {0, 1}* → {0, 1}^ℓ. It returns returns param = (param_PC, H).

• sk, pk ← SetupRS(1^ℓ). The registration station takes as input 1^ℓ and runs (sk, pk) ← Gen(1^ℓ) to obtain a signing key pair.

• st_T ← SetupT(1^ℓ, pk). The token takes as input the security parameter 1^ℓ and the public key pk. Let the last-seen-period counter ϵ_last = 0. The function returns the state st_T = (ϵ_last, pk).

Registration

To register the first recipient of a household, the registration station collaborates with the registration oracle to check eligibility and determine the household’s entitlement. (To register additional members for a household see the card-whispering section below.) The smart card does not send an initial request message, so we omit the definition of PrepareRegT.

• response, v_H ← ProcessRegRS(sk, ent_H, request). On input of the private key sk and the entitlement ent_H (request is null), the registration station creates a random revocation value v_H ∈_R {0, 1}^2ℓ. It returns the response response = (sk, ent_H, v_H).

• st_T, ent_H, v_H ← FinishRegT(st_T, response). On input of its state st_T = (ϵ_last, pk) and the response response from the registration station, the card parses the response as response = (sk, ent_H, v_H) and checks that the private key sk corresponds to the public key pk (as set during SetupT). The card generates a random household secret k_H ∈_R {0, 1}^ℓ and returns the updated state st_T = (ϵ_last, pk, sk, k_H, ent_H, v_H).

Card-whispering

Recall that all cards assigned to the same household should be able to request aid (D3_robust). To prevent double-dipping, all these cards must produce the same double-dipping tags (see distribution below). Thus, when registering members of an already registered household we clone a previous registered household member’s card.

To preserve recipient privacy (P1_registration, P2_distribution), the system must limit when, and by whom this protocol can be run. Otherwise, an attacker with a cloned card can simply reproduce double-dipping tags τ_H and thus track a household’s activities. We recommend that cloning can only happen after the card to be cloned successfully authenticates its owner (e.g., using biometrics, see Sect. 8) and before distribution starts. See Appendix D for the full protocol.

Distribution

We now describe how smart cards request aid, and how the distribution station verifies this request. Smart cards use the ϵ_last variable in their state to protect against malicious distribution stations by ensuring that they do not answer requests for past epochs (P2_distribution).

• st_T, (ent_H, τ_H, π_ent) ← ShowupT(st_T , ϵ, BL). The card takes as input its own state st_T, the period ϵ, and the latest blocklist BL provided by the distribution station. It parses st_T as (ϵ_last, pk, sk, k_H, ent_H, v_H). The card checks that it has not been blocked and that the period ϵ is not in the past, i.e., v_H ∉ BL ∧ ϵ_last < ϵ. If either of the checks fails, the card aborts. Otherwise, the card computes a tag τ_H, a commitment Com_ent, and a signature σ_aud,

  $$\begin{align*} {\tau _H} & = {\text{PR}}{{\text{F}}_{{{\text{k}}_H}}}(\varepsilon ) \\ {\text{Co}}{{\text{m}}_{{\text{ent}}}} & = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_H},r} \right),\quad r{ \in _R}{\mathbb{Z}_q} \\ {\sigma _{{\text{aud }}}} & = \operatorname{Sign} \left( {{\text{sk}},{\tau _H}\left\| \varepsilon \right.\left\| {{{\operatorname{Com} }_{{\text{ent}}}}} \right\|{{\text{h}}_{{\text{BL}}}}} \right), \end{align*}$$ View Source\begin{align*} {\tau _H} & = {\text{PR}}{{\text{F}}_{{{\text{k}}_H}}}(\varepsilon ) \\ {\text{Co}}{{\text{m}}_{{\text{ent}}}} & = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_H},r} \right),\quad r{ \in _R}{\mathbb{Z}_q} \\ {\sigma _{{\text{aud }}}} & = \operatorname{Sign} \left( {{\text{sk}},{\tau _H}\left\| \varepsilon \right.\left\| {{{\operatorname{Com} }_{{\text{ent}}}}} \right\|{{\text{h}}_{{\text{BL}}}}} \right), \end{align*} where h_BL = H(BL). Let π_ent = (σ_aud, Com_ent, r). It returns a new state st_T by updating ϵ_last to ϵ, and (ent_H, τ_H, π_ent).

• ⊤/⊥ ← VerifyEntDS(pk, ϵ, (ent_H, τ_H, π_ent), BL). The distribution station parses the proof π_ent = (σ_aud, Com_ent, r) and checks the signature σ_aud by checking that Verify(pk, σ_aud, τ_H║ϵ║Com_ent║h_BL) = ⊤ where h = H(BL). It also verifies the commitment by checking that Com_ent = Commit(ent_H, r). If both checks pass, it returns ⊤, and ⊥ otherwise.

The station additionally checks that it has not seen τ_H before handing out the goods (S1_limit).

Auditing

The distribution station can use the recorded transactions (ent_H, τ_H, π_ent) to create audit proofs for the auditor. We assume all records are valid for ϵ and BL.

• ent_sum, , π_aud ← GenAudPiDS(ϵ, (${\text{ent}}_H^{(i)}$, $\tau _H^{(i)}$, $\pi _{{\text{ent }}}^{(i)}$)_i, BL) The distribution station takes as input all the entries (${\text{ent}}_H^{(i)}$, $\tau _H^{(i)}$, $\pi _{{\text{ent }}}^{(i)}$) in a distribution period ϵ and lets

  $$\begin{equation*}\pi _{{\text{ent}}}^{(i)} = \left( {\sigma _{{\text{aud}}}^{(i)},\varepsilon ,{\text{Com}}_{{\text{ent}}}^{(i)},{r^{(i)}}} \right).\end{equation*}$$ View Source\begin{equation*}\pi _{{\text{ent}}}^{(i)} = \left( {\sigma _{{\text{aud}}}^{(i)},\varepsilon ,{\text{Com}}_{{\text{ent}}}^{(i)},{r^{(i)}}} \right).\end{equation*}

  The distribution station computes the sum of entitlement and the sum of random values

  $$\begin{equation*}{\text{en}}{{\text{t}}_{{\text{sum}}}} = \sum\limits_{i = 1}^{{n_\varepsilon }} {{\text{ ent}}_H^{(i)}} ,\quad {{\text{r}}_{{\text{sum}}}} = \sum\limits_{i = 1}^{{n_\varepsilon }} {{r^{(i)}}} .\end{equation*}$$ View Source\begin{equation*}{\text{en}}{{\text{t}}_{{\text{sum}}}} = \sum\limits_{i = 1}^{{n_\varepsilon }} {{\text{ ent}}_H^{(i)}} ,\quad {{\text{r}}_{{\text{sum}}}} = \sum\limits_{i = 1}^{{n_\varepsilon }} {{r^{(i)}}} .\end{equation*}

  The station returns ent_sum together with an audit proof

  $$\begin{equation*}{\pi _{{\text{aud}}}} = \left( {{{\text{r}}_{{\text{sum}}}},{{\left( {\sigma _{{\text{aud}}}^{(i)},\tau _H^{(i)},{\text{Com}}_{{\text{ent}}}^{(i)}} \right)}_i},{{\text{h}}_{{\text{BL}}}}} \right).\end{equation*}$$ View Source\begin{equation*}{\pi _{{\text{aud}}}} = \left( {{{\text{r}}_{{\text{sum}}}},{{\left( {\sigma _{{\text{aud}}}^{(i)},\tau _H^{(i)},{\text{Com}}_{{\text{ent}}}^{(i)}} \right)}_i},{{\text{h}}_{{\text{BL}}}}} \right).\end{equation*} where h_BL = H(BL).

• ⊤/⊥ ← VerifyAudA(pk, ϵ, ent_sum, π_aud, BL). The auditor takes as input the public key pk, the period ϵ, the total entitlement ent_sum, the auditing proof π_aud, and the blocklist BL. Let π_aud = (r_sum, ($\sigma _{{\text{aud }}}^{(i)}$, $\tau _H^{(i)}$, $\operatorname{Com} _{{\text{ent}}}^{(i)}$))_i, h_BL). The auditor checks:

  • the validity of all signatures in the proof π_aud

    $$\begin{equation*} \top = \operatorname{Verify} \left( {{\text{pk}},\sigma _{{\text{aud}}}^{(i)},\tau _H^{(i)}\left\| \varepsilon \right\|\operatorname{Com} _{{\text{ent}}}^{(i)}\left\| {{{\text{h}}_{{\text{BL}}}}} \right.} \right),\end{equation*}$$ View Source\begin{equation*} \top = \operatorname{Verify} \left( {{\text{pk}},\sigma _{{\text{aud}}}^{(i)},\tau _H^{(i)}\left\| \varepsilon \right\|\operatorname{Com} _{{\text{ent}}}^{(i)}\left\| {{{\text{h}}_{{\text{BL}}}}} \right.} \right),\end{equation*}

  • the uniqueness of all tags $\tau _H^{(i)}$

  • the sum of entitlement and the sum of random numbers match the commitment

    $$\begin{equation*}\prod\limits_{i = 1}^{{n_\varepsilon }} {\operatorname{Com} _{{\text{ent}}}^{(i)}} = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_{{\text{sum}}}},{{\text{r}}_{{\text{sum}}}}} \right)\end{equation*}$$ View Source\begin{equation*}\prod\limits_{i = 1}^{{n_\varepsilon }} {\operatorname{Com} _{{\text{ent}}}^{(i)}} = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_{{\text{sum}}}},{{\text{r}}_{{\text{sum}}}}} \right)\end{equation*}

  • that BL corresponds to h_BL, i.e., h_BL = H(BL).

If all four checks pass, it outputs ⊤ and ⊥ otherwise.

Setup

The GlobalSetup function determines global parameters, including those for the ABC scheme. The registration station acts as the issuer in the ABC scheme, and thus, creates a key pair for it.

• param ← GlobalSetup(1^ℓ). The GlobalSetup algorithm takes as input the security parameter 1^ℓ. It computes three types of parameters. First, it generates for the ABC scheme a type-III bilinear group pair given by ${\operatorname{param} _{{\text{PS}}}} = \left( {e(\cdot,\cdot),{\mathbb{G}_1},{\mathbb{G}_2},{\mathbb{G}_T},q,{g_1}} \right.,\left. {{g_2},{g_T}} \right)$ where g₁, g₂, g_T are generators of the groups ${\mathbb{G}_1}$, ${\mathbb{G}_2}$, ${\mathbb{G}_T}$ of order q respectively. Second, it sets up the Pedersen commitment scheme in ${\mathbb{G}_1}$ with parameters ${\operatorname{param} _{PC}} = \left( {{\mathbb{G}_1},q,{g_1},h} \right)$. Third, it picks a hash function $H:{\{ 0,1\} ^{\ast}} \to {\mathbb{G}_1}$ that maps strings onto the group ${\mathbb{G}_1}$. The application provider publishes all the global parameters param = (param_PS, param_PC, H).

• sk, pk ← SetupRS(1^ℓ). The registration station generates a signing key pair (sk, pk) for the ABC scheme.

• st_T← SetupT(1^ℓ, pk). The phone takes as input 1^ℓ and pk from the registration station. It initiates the last-seen-period counter ϵ_last and phone state st_T = (ϵ_last, pk).

It is essential for privacy that all phones receive the same public key pk. In the following, we assume this is the case.

Registration

Recipients take their smartphones when registering at the registration station. The station associates legitimate recipients to the household with the help from the registration oracle. The station runs the ABC issuance protocol jointly with the phone to issue a credential.

• request, st_T ← PrepareRegT(st_T). The phone takes as input the initial state st_T which it parses as (ϵ_last, pk). It generates a household secret k_H ∈_R ℤ_q. To enable revocation using anonymous blocklisting, the phone picks r_H ∈_R ℤ_q and computes the revocation value ${{\text{v}}_H} = \left( {{g_1},g_1^{{r_H}}} \right)$. The phone creates the first message request_abc in the ABC issuance protocol where k_H and r_H are phone-defined attributes. We assume that request_abc includes a proof that v_H is well formed (see Section B.3.2). The attribute k_H and r_H will be hidden from the registration station (i.e., the issuer). Let st_iss be the phone’s private issuance state, st_T = (ϵ_last, pk, k_H, r_H, st_iss) the updated token state. The phone returns request = (request_abc, v_H) and st_T.

• response, v_H ← ProcessRegRS(sk, ent_H, request). On input of its private key sk, the entitlement ent_H and the issue request request = (request_abc, v_H) from the phone, the registration station checks the validity of the request and that v_H has been correctly formed. Then it uses sk and the phone’s request request_abc to create a preliminary credential on the attributes (k_H, ent_H, r_H) (without learning either k_H or r_H) which it packs into response. It returns response and v_H.

• st_T, ent_H, v_H ← FinishRegT(st_T, response). On input of its internal state st_T = (ϵ_last, pk, k_H, r_H, st_iss) and the registration station’s response response, the phone completes the credential issuance protocol to obtain a credential C on the attributes (k_H, ent_H, r_H) using its issuance state st_iss and response. Then, it verifies that C is a valid credential under pk, and aborts otherwise. The phone returns the new state st_T = (ϵ_last, pk, C, k_H, ent_H, r_H), ent_H, and ${{\text{v}}_H} = \left( {{g_1},g_1^{{r_H}}} \right)$.

Distribution

We next describe the algorithms used during aid collection.

• st_T, (ent_H, τ_H, π_ent) ← ShowupT(st_T , ϵ, BL). The phone takes as input st_T, the period ϵ, and the blocklist BL. Let st_T = (ϵ_last, pk, C, k_H, ent_H, r_H). The phone verifies that ϵ is not in the past, and that it has not made a distribution request in this epoch before, i.e., it checks that ϵ_last <ϵ. Then, the phone checks that it is not blocked, i.e., that for all (h, H) ∈ BL, H ≠ h^rH. If any check fails, the phone aborts. To continue, the phone computes a tag τ_H and a commitment Com_ent:

  $$\begin{gather*} {\tau _H} = H{(\varepsilon )^{{{\text{k}}_H}}}, \\ {\text{Co}}{{\text{m}}_{{\text{ent}}}} = {\text{Commit}}\left( {{\text{para}}{{\text{m}}_{PC}},{\text{en}}{{\text{t}}_H},r} \right),r{ \in _R}{\mathbb{Z}_q}. \end{gather*}$$ View Source\begin{gather*} {\tau _H} = H{(\varepsilon )^{{{\text{k}}_H}}}, \\ {\text{Co}}{{\text{m}}_{{\text{ent}}}} = {\text{Commit}}\left( {{\text{para}}{{\text{m}}_{PC}},{\text{en}}{{\text{t}}_H},r} \right),r{ \in _R}{\mathbb{Z}_q}. \end{gather*}

  Finally, the phone constructs the proof

  $$\begin{align*} {\pi _s} = \operatorname{NIZK} \left\{ {\left( {C,{{\text{k}}_H},{\text{en}}{{\text{t}}_H},{r_H},r} \right):{\tau _H} = H{{(\varepsilon )}^{{{\text{k}}_H}}} \wedge } \right. \\ C\left( {{{\text{k}}_H},{\text{en}}{{\text{t}}_H},{r_H}} \right)\quad \wedge \quad {\operatorname{Com} _{{\text{ent}}}} = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_H},r} \right) \\ \wedge \quad \left. {\forall (h,H) \in {\text{BL}}:H \ne {h^{{r_H}}}} \right\}, \end{align*}$$ View Source\begin{align*} {\pi _s} = \operatorname{NIZK} \left\{ {\left( {C,{{\text{k}}_H},{\text{en}}{{\text{t}}_H},{r_H},r} \right):{\tau _H} = H{{(\varepsilon )}^{{{\text{k}}_H}}} \wedge } \right. \\ C\left( {{{\text{k}}_H},{\text{en}}{{\text{t}}_H},{r_H}} \right)\quad \wedge \quad {\operatorname{Com} _{{\text{ent}}}} = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_H},r} \right) \\ \wedge \quad \left. {\forall (h,H) \in {\text{BL}}:H \ne {h^{{r_H}}}} \right\}, \end{align*} to show that it knows a valid credential C on k_H, ent_H, r_H, that τ_H is correctly constructed, that Com_ent is correctly computed, and that it is not revoked (using the blocklisting protocol [24]). Let st_T = (ϵ, pk, C, k_H, ent_H, r_H) be the new state and π_ent = (π_s, Com_ent, r). It returns st_T and (ent_H, τ_H, π_ent).

• ⊤/⊥ ← VerifyEntDS(pk, ϵ, (ent_H, τ_H, π_ent), BL). On input of the public key pk, the period ϵ, the tuple (ent_H, τ_H, π_ent), and the blocklist BL, the distribution station proceeds as follows. First, it parses π_ent as (π_s, Com_ent, r). Then, it verifies the proof π_s using the public key pk and the provided blocklist BL. If the proof verifies, it returns ⊤, and ⊥ otherwise.

Auditing

Auditing proceeds similarly to the smart card system, except that the auditor checks zero-knowledge proofs. Again, we assume the records are valid for ϵ and BL.

• ent_sum, π_aud ← GenAudPiDS(ϵ, (${\text{ent}}_H^{(i)}$, $\tau _H^{(i)}$, $\pi _{{\text{ent }}}^{(i)}$)_i, BL). The distribution station takes as input all the entries $\left( {{\text{ent}}_H^{(i)},\tau _H^{(i)},\pi _{{\text{ent }}}^{(i)}} \right)$ in a distribution period ϵ and lets

  $$\begin{equation*}\pi _{{\text{ent}}}^{(i)} = \left( {\pi _s^{(i)},\operatorname{Com} _{{\text{ent}}}^{(i)},{r^{(i)}}} \right).\end{equation*}$$ View Source\begin{equation*}\pi _{{\text{ent}}}^{(i)} = \left( {\pi _s^{(i)},\operatorname{Com} _{{\text{ent}}}^{(i)},{r^{(i)}}} \right).\end{equation*}

  The distribution station computes the sum of entitlement ${\text{en}}{{\text{t}}_{{\text{sum}}}} = \sum\nolimits_{i = 1}^{{n_\varepsilon }} {{\text{ent }}_H^{(i)}}$ and the randomizer ${{\text{r}}_{{\text{sum}}}} = \sum\nolimits_{i = 1}^{{n_\varepsilon }} {{r^{(i)}}}$. It returns ent_sum and an audit proof

  $$\begin{equation*}{\pi _{{\text{aud}}}} = \left( {{{\text{r}}_{{\text{sum}}}},{{\left( {\pi _s^{(i)},\tau _H^{(i)},\operatorname{Com} _{{\text{ent}}}^{(i)}} \right)}_i}} \right).\end{equation*}$$ View Source\begin{equation*}{\pi _{{\text{aud}}}} = \left( {{{\text{r}}_{{\text{sum}}}},{{\left( {\pi _s^{(i)},\tau _H^{(i)},\operatorname{Com} _{{\text{ent}}}^{(i)}} \right)}_i}} \right).\end{equation*}

• ⊤/⊥ ← VerifyAudA(pk, ϵ, ent_sum, π_aud, BL). The auditor takes as input the period ϵ, the total entitlement ent_sum, the auditing proof π_aud, and the blocklist BL that was used in ϵ. Let ${\pi _{{\text{aud}}}} = \left( {{{\text{r}}_{{\text{sum}}}},{{\left( {\pi _s^{(i)},\tau _H^{(i)},{\text{Com}}_{{\text{ent}}}^{(i)}} \right)}_i}} \right)$. The auditor checks the validity of all the proofs $\pi _s^{(i)}$ with respect to $\tau _H^{(i)}$, $\operatorname{Com} _{{\text{ent}}}^{(i)}$ and the blocklist BL; checks the uniqueness of all tags $\tau _H^{(i)}$; and checks that the sum of entitlement and the sum of random numbers match the commitment: $\prod\nolimits_i {\operatorname{Com} _{{\text{ent}}}^{(i)}} = \operatorname{Commit} \left( {{\text{en}}{{\text{t}}_{{\text{sum}}}},{{\text{r}}_{{\text{sum}}}}} \right)$. If all checks pass, it outputs ⊤, and ⊥ otherwise.