Anonymous Credentials

Anonymous Credentials
Jan Camenisch
IBM Research – Zurich
@jancamenisch
www.camenisch.org/eprivacy
August 11, 2015
© 2014 IBM Corporation
Houston, we
have a problem!
ᄅ
2
© 2014 IBM Corporation
Houston, we
have a problem!
ᄅ
“Buzz Aldrin's footprints are still up there”
(Robin Wilton)
3
© 2014 IBM Corporation
Computers don't forget
! Data storage ever cheaper → “store by default”
– also collateral collection, surveillance cameras, Google Street
View with wireless traffic, Apple location history,...
! Data mining ever better
– self-training algorithms cleverer than their designers
– not just trend detection, even prediction, e.g., flu
pandemics, ad clicks, purchases,…
– what about health insurance, criminal behavior?
! The world as we know it
– Humans forget most things too quickly
– Paper collects dust in drawers
We build apps with the paper-based world in mind :-(
– if it works it works
– security too often still an afterthought
– implementors too often have no crypto education
4
© 2014 IBM Corporation
Where's all my data?
The ways of data are hard to understand
! Devices, operating systems, & apps are getting
more complex and intertwined
– Mashups, Ad networks
– Not visible to users, and experts
– Data processing changes constantly
! And the cloud makes it worse...
– Processing machines can be moved around w/out borders
Far too easy to lose (control over) data and to collect data!
5
© 2014 IBM Corporation
You have no privacy, get over it
.....?!?
… “The NSA has all our data anyway”
… “I have nothing to hide!”
! Huge security problem!
– Millions of hacked passwords (100'000 followers $115 - 2013)
– Stolen identities ($150 - 2005, $15 - 2009, $5 – 2013)
! Difficult to put figures down
– Credit card fraud
– Spam & marketing
– Manipulating stock ratings, etc..
– (Industrial) espionage
! We know secret services can do it easily, but they are not the only ones
– but this is not about homeland security
– and there are limits to the degree of protection that one can achieve
! last but not least: data are the new money, so they need to be protected!
6
© 2014 IBM Corporation
Privacy – a lost case?
No, but we need paradigm shift &
build stuff for the moon
rather than the sandy beach!
7
© 2014 IBM Corporation
Need to protect our data!
! devices, sensors, etc cannot all be physically protected
–
–
authentication of all devices
authentication of all data
...makes it even worse :-(
! data cannot be controlled
–
–
–
8
minimize information
encrypt information
attach usage policies to each bit
© 2014 IBM Corporation
So what can we do
! Legal approach
– Regulate what information can be collected
– How to collect it
– How to use and protect it
– Issue fines for misbehavior
– Very different for different countries and cultures
! Technological approach
– Protect data by encryption
– Govern data by policies
– Minimize data that needs to be used
August 11, 2015
© 2014 IBM Corporation
of course there are limits...
! tracing is so easy
–
each piece of hardware is quite unique
–
log files everywhere
! …. but that's not the point!
– it's not about NSA et al.
–
active vs. passive “adversaries”
..... still, privacy
August 11, 2015
by design!
© 2014 IBM Corporation
Our Vision
In the Information Society, users can act
and interact in a safe and secure way
while retaining control of their private
spheres.
© 2014 IBM Corporation
PETs Can Help!
Privacy, Identity, and Trust Mgmt Built-In Everywhere!
! Network Layer Anonymity
– ... in mobile phone networks
– ... in the Future Internet as currently discussed
– ... access points for ID cards
! Identification Layer
– Access control & authorization
! Application Layer
– “Standard” e-Commerce
– Specific Apps, e.g., eVoting, OT, PIR, .....
– Web 2.0, e.g., Facebook, Twitter, Wikis, ....
12
© 2014 IBM Corporation
Privacy at the Authentication Layer
Authentication without identification
13
August 11, 2015
© 2014 IBM Corporation
What is an identity & identity management?
language skills
work
marital status
phone number
salary
credit card number
shopping
hobbies
public
authority
name
address
birth date
insurance
nick name
leisure
blood group
health status
health care
! ID: set of attributes shared w/ someone
– attributes are not static: user & party can add
! ID Management: two things to make ID useful
– authentication means
– means to transport attributes between parties
14
August 11, 2015
© 2014 IBM Corporation
Let's see a scenario
15
August 11, 2015
© 2014 IBM Corporation
Alice wants to watch a movie at Mplex
I wish to see
Alice in Wonderland
Alice
Movie Streaming Service
© 2014 IBM Corporation
Alice wants to watch a movie at Mplex
You need:
- subscription
- be older than 12
Alice
Movie Streaming Service
© 2014 IBM Corporation
Watching the movie with the traditional solution
ok, here's
- my eID
- my subscription
Alice
Movie Streaming Service
© 2014 IBM Corporation
Watching the movie with the traditional solution
Aha, you are
- Alice Doe
- born on Dec 12, 1975
- 7 Waterdrive
- CH 8003 Zurich
- Married
- Expires Aug 4, 2018
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
Alice
Movie Streaming Service
© 2014 IBM Corporation
Watching the movie with the traditional solution
This is a privacy and security problem!
• - identity theft
• - profiling
• - discrimination
Aha, you are
- Alice Doe
- born on Dec 12, 1975
- 7 Waterdrive
- CH 8003 Zurich
- Married
- Expires Aug 4, 2018
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
Alice
Movie Streaming Service
© 2014 IBM Corporation
Watching the movie with the traditional solution
With OpenID and similar solution, e.g.,
log-in with Facebook
Alice
Movie Streaming Service
21
August 11, 2015
© 2014 IBM Corporation
Watching the movie with the traditional solution
With OpenID and similar solution, e.g.,
log-in with Facebook
Aha, Alice is watching a
12+ movie
Alice
Movie Streaming Service
22
August 11, 2015
© 2014 IBM Corporation
Watching the movie with the traditional solution
With OpenID and similar solution, e.g.,
log-in with Facebook
Aha, Alice is watching a
12+ movie
Aha, you are
- [email protected]
- born on Dec 12, 1975
- Alice's friends are ....
- Alice's public profile is ...
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
Alice
Movie Streaming Service
23
August 11, 2015
© 2014 IBM Corporation
Identity Mixer solves this.
When Alice authenticates to the Movie Streaming
Service with Identity Mixer, all the services learns is
that Alice
has a subscription
is older than 12
and no more.
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
! One secret Identity (secret key)
! Many Public Pseudonyms (public keys)
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
! Issuing a credential
Name = Alice Doe
Birth date = April 3, 1997
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with Privacy ABCs
Alice
Movie Streaming Service
27
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
I wish to see
Alice in Wonderland
You need:
- subscription
- be older than 12
Alice
Movie Streaming Service
28
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
Alice
Movie Streaming Service
29
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
I wish to see
Alice in Wonderland
You need:
- subscription
- be older than 12
Alice
Movie Streaming Service
30
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
Like PKI
! but does not send credential
! only minimal disclosure
Alice
- valid subscription
- eID with age ≥ 12
Movie Streaming Service
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with IBM Identity Mixer
Like PKI
! but does not send credential
! only minimal disclosure
(Public Verification Key
of issuer)
Aha, you are
- older than 12
- have a subscription
Alice
Movie Streaming Service
32
August 11, 2015
© 2014 IBM Corporation
Advantages of Identity Mixer
! For Users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
! For Service Providers: security, accountability, and compliance
– avoiding the risk of loosing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
33
© 2014 IBM Corporation
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
© 2014 IBM Corporation
Further Concepts
35
August 11, 2015
© 2014 IBM Corporation
Concept – Inspection
TTP
• If car is damaged: ID with insurance or gov't needs be retrieved
• Similarly: verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
36
August 11, 2015
© 2014 IBM Corporation
Concept – Revocation
Revocation authority parameters (public key)
Revocation info
• If Alice was speeding, license needs to be revoked!
• There are many different use cases and many solutions
• Variants of CRL work (using crypto to maintain anonymity)
• Accumulators
• Signing entries & Proof, ....
• Limited validity – certs need to be updated
• ... For proving age, a revoked driver's license still works
37
August 11, 2015
© 2014 IBM Corporation
Concept – Usage Limitation
Degree of anonymity can be limited:
! If Alice and Eve are on-line at the same time, they are caught!
! Use Limitation – anonymous until:
– If Alice used certs > 100 times total...
– ... or > 10'000 times with Bob
! Alice's cert can be bound to hardware token (e.g., TPM)
38
August 11, 2015
© 2014 IBM Corporation
A couple of use cases
39
August 11, 2015
© 2014 IBM Corporation
Age verification
Proving 12+, 18+, 21+ without disclosing the exact date of birth –
privacy and compliance with age-related legislation
! Movie streaming services
! Gaming industry
! Online gambling platforms
! Dating websites
! Social benefits for young/old people
40
© 2014 IBM Corporation
Healthcare
Anonymous treatment of patients (while enabling access control and
payments)
! Anonymous access to patients' records
– accessing medical test results
! Anonymous consultations with specialists
– online chat with a psychologist
– online consultation with IBM Watson
! Eligibility for the premium health insurance
– proving that the body mass index (BMI) is in the certain range without disclosing the
exact weight, height, or BMI
41
© 2014 IBM Corporation
Subscriptions, membership
Who accesses which data at which time can reveal sensitive information
about the users (their research strategy, location, habits, etc.)
! Patent databases
! DNA databases
! News/Journals/Magazines
! Transportation: tickets, toll roads
! Loyalty programs
???
42
© 2014 IBM Corporation
Polls, recommendation platforms
Providing anonymous, but at the same time legitimate feedback
! Online polls
– applying different restrictions on the poll participants: location, citizenship
! Rating and feedback platforms
– anonymous feedback for a course only from the students who attended it
– wikis
– recommendation platforms
43
© 2014 IBM Corporation
Towards Realizing Anonymous Creds
44
August 11, 2015
© 2014 IBM Corporation
An Software Stack View on Identity Mixer
application
layer
resource request
presentation policy
presentation token
Wallet
AC & app logic
store
policy
layer
crypto
layer
policy credential
matcher
evidence gen.
orchestration
store
credential mgr
Sig Enc ... Com ... ZKP
policy token
matcher
store
evidence verif.
orchestration
token mgr
Sig Enc ... Com ... ZKP
© 2014 IBM Corporation
Privacy-protecting authentication with Privacy ABCs
(Issuer parameter)
Credential specification
Pseudonym
Credential
12 < age
Presentation token
Presentation policy
(Verifier paramet
46
August 11, 2015
© 2014 IBM Corporation
The Policy Layer – An Example: Presentation policy
<abc:PresentationPolicy PolicyUID="https://movies...com/presentationpolicies/movie1">
<abc:Message>
<abc:ApplicationData> Terms and Conditions </abc:ApplicationData>
</abc:Message>
<abc:Credential Alias="#voucher">
<abc:CredentialSpecAlternatives>
<abc:CredentialSpecUID>https://movies.....com/specifications/voucher</abc:CredentialSpecUID>
</abc:CredentialSpecAlternatives>
<abc:IssuerAlternatives>
<abc:IssuerParametersUID>https://movies....com/parameters/voucher</abc:IssuerParametersUID>
</abc:IssuerAlternatives>
</abc:Credential>
<abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
<abc:Attribute CredentialAlias="#voucher" AttributeType="Expires" />
<abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
</abc:AttributePredicate>
presentation policy
</abc:PresentationPolicy>
presentation token
User
47
August 11, 2015
Verifier
© 2014 IBM Corporation
So let's look at the cryptography
48
August 11, 2015
© 2014 IBM Corporation
Required Technologies
Signature
Schemes
Encryption
Schemes
Zero-Knowledge
Proofs
Commitment
Schemes
..... challenge is to do all this efficiently!
August 11, 2015
© 2014 IBM Corporation
zero-knowledge proofs
50
August 11, 2015
© 2014 IBM Corporation
Zero-Knowledge Proofs
! interactive proof between a prover and a verifier about the prover's knowledge
Commitment
Challenge
Response
! properties:
zero-knowledge
verifier learns nothing about the prover's secret
proof of knowledge (soundness)
prover can convince verifier only if she knows the secret
completeness
if prover knows the secret she can always convince the verifier
51
August 11, 2015
© 2014 IBM Corporation
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y Є <g> .
Prover wants to convince verifier that she knows x s.t. y = gx
such that verifier only learns y and g.
Prover:
x
random r
t := gr
t
c
s := r - cx
y, g
Verifier:
s
random c
t = g s yc ?
notation: PK{(α): y = gα }
52
August 11, 2015
© 2014 IBM Corporation
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret need to be
extractable.
Prover might do protocol computation in any way it wants & we cannot analyse code.
Thought experiment:
! Assume we have prover as a black box → we can reset and rerun prover
! Need to show how secret can be extracted via protocol interface
x
t
t
c
c'
x
s
t = gs yc = gs' yc'
→
yc'-c = gs-s'
→
y = g(s-s')/(c'-c)
→
August 11, 2015
s'
x = (s-s')/(c'-c) mod q
© 2014 IBM Corporation
Zero Knowledge Proofs: Security
Zero-knowledge property:
If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea: One can simulate whatever Bob “sees”.
Choose random c', s'
compute t := g
s' c'
y
if c = c' send s' = s ,
otherwise restart
t
c
s
Problem: if domain of c too large, success probability becomes too small
August 11, 2015
© 2014 IBM Corporation
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify protocol to get large domain c:
Prover:
x
random r
t := gr
h = H(c,v) ?
s := r - cx
y, g
Verifier:
h
t
random c,v
h := H(c,v)
c,v
s
t = g s yc ?
notation: PK{(α): y = gα }
55
August 11, 2015
© 2014 IBM Corporation
Zero Knowledge Proofs: Security
One way to modify protocol to get large domain c:
Choose random c', s'
compute t' := gs' yc'
after having received c
“reboot” verifier
Choose random s
compute t := gs yc
send s
h
t'
c,v
h
t
c,v
s
August 11, 2015
© 2014 IBM Corporation
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y Є <g> .
Prover wants to convince verifier that she knows x s.t. y = gx
such that verifier only learns y and g.
Prover:
x
random r
t := gr
t
c
s := r - cx
y, g
Verifier:
s
random c
t = g s yc ?
notation: PK{(α): y = gα }
57
August 11, 2015
© 2014 IBM Corporation
From Protocols To Signatures
Signature SPK{(α): y = gα }(m):
Signing a message m:
- chose random r Є Zq and
- compute c := H(gr||m) = H(t||m)
s := r - cx mod (q)
- output
(c,s)
Verifying a signature (c,s) on a message m:
- check c = H(gs yc||m) ?
58
↔
t = gs y c ?
Security:
- underlying protocol is zero-knowledge proof of knowledge
- hash function H(.) behaves as a “random oracle.”
August 11, 2015
© 2014 IBM Corporation
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Many Exponents:
PK{(α,β,γ,δ): y = gα hβzγkδuβ }
Logical combinations:
PK{(α,β): y = gα ∧ z = gβ ∧ u = gβhα }
PK{(α,β): y = gα ∨ z = gβ }
Intervals and groups of different order (under SRSA):
PK{(α): y = gα ∧ α Є [A,B] }
PK{(α): y = gα ∧ z = gα ∧ α Є [0,min{ord(g),ord(g)}] }
Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures):
SPK{(α): y = gα }(m)
59
August 11, 2015
© 2014 IBM Corporation
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does
PK{(α1,β1,α2,β2, α3, β3):
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3∧ C3 = gα1gα2hβ3 }
mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1= gα1hβ1
, C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
→ α3 = a1 + a2 (mod q)
And what about:
PK{(α1,...,β3):
→
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = gα1 (g5)α2hβ3 }
C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
→ a3 = a1 + 5 a2
60
August 11, 2015
(mod q)
© 2014 IBM Corporation
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = C2α1hβ3 } mean?
PK{(α1,..,β3):
→ Prover knows values α1, β1, α2, β2, β3 such that
C1= gα1hβ1
, C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2·α1hβ3+β2·α1
C3 = gα2·α1 hβ3+β2·α1 = gα3 hβ3'
→ a3 = a1 · a2 (mod q)
And what about
PK{(α1,β1 β2):
C1= gα1hβ1 ∧
C2= gα2hβ2 ∧ C2 = C1α1hβ2 }
→ a2 = a12 (mod q)
61
August 11, 2015
© 2014 IBM Corporation
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does
PK{(α1,..,β2):
C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ g = (C2/C1)α1hβ2 } mean?
→ Prover knows values α, β1, β2 such that
C1= gα1hβ1
g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
→
g1/α1 = C2 g-α1h-β1 hβ2/α1
C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
62
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with Privacy ABCs
commitment scheme
signature scheme
Alice
zero-knowledge proofs
63
August 11, 2015
© 2014 IBM Corporation
signature schemes
64
August 11, 2015
© 2014 IBM Corporation
Signature Scheme: Functionality
Key Generation
August 11, 2015
© 2014 IBM Corporation
Signature Scheme: Functionality
Signing
(m1,..., mk)
σ = sig((m1,..., mk), )
August 11, 2015
© 2014 IBM Corporation
Signature Scheme: Functionality
Verification
(m1,..., mk)
σ
σ = sig((m1,..., mk), )
ver(σ,(m1,..., mk), ) = true
August 11, 2015
© 2014 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
August 11, 2015
σ1
© 2014 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
ml
August 11, 2015
σ1
σl
© 2014 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
ml
σ1
σl
σ' and m'≠ mi s.t.
ver(σ', m',
August 11, 2015
) = true
© 2014 IBM Corporation
Signature Scheme: Security
Unforgeability under Adaptive
Chosen Message Attack
m1
ml
σ1
σl
σ' and m'≠ mi s.t.
ver(σ', m',
August 11, 2015
) = true
© 2014 IBM Corporation
RSA Signature Scheme – for reference
Rivest, Shamir, and Adlemann 1978
Secret Key: two random primes p and q
Public Key: n := pq, prime e,
and collision-free hash function
H: {0,1}* -> {0,1}ℓ
Computing signature on a message m Є {0,1}*
d := 1/e mod (p-1)(q-1)
s := H(m) d mod n
Verification of signature s on a message m Є {0,1}*
se = H(m)
Correctness: se = (H(m)d)e = H(m)d·e = H(m)
72
August 11, 2015
(mod n)
(mod n)
© 2014 IBM Corporation
RSA Signature Scheme – for reference
Verification signature on a message m Є {0,1}*
se := H(m)
(mod n)
Wanna do proof of knowledge of signature on a message, e.g.,
PK{ (m,s): se = H(m) (mod n) }
But this is not a valid proof expression!!!! :-(
73
August 11, 2015
© 2014 IBM Corporation
CL-Signature Scheme
Public key of signer: RSA modulus n and ai, b, d Є QRn,
Secret key: factors of n
To sign k messages m1, ..., mk Є {0,1}ℓ :
●
choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s ≈ n
●
compute c :
c = (d / (a m1·...· a mk bs ))1/e mod n
1
●
74
k
signature is (c,e,s)
August 11, 2015
© 2014 IBM Corporation
CL-Signature Scheme
To verify a signature (c,e,s) on messages m1, ..., mk:
●
m1, ..., mk Є {0,1}ℓ:
●
e > 2ℓ+1
●
d = ce a
1
m1
·...· a
k
mk
bs mod n
Theorem: Signature scheme is secure against adaptively
chosen message attacks under Strong RSA assumption.
75
August 11, 2015
© 2014 IBM Corporation
Proving Knowledge of a CL-signature
Recall:
d = ce a1m1a2m2 bs mod n
Observe:
! Let c' = c btmod n with randomly chosen t
! Then d = c'e a1m1a2m2 bs-et (mod n), i.e.,
(c',e, s* = s-et) is also signature on m1 and m2
To prove knowledge of signature (c',e, s*) on m2 and some m1
! provide c'
! PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ ∧ µ Є {0,1}ℓ ∧ ε > 2ℓ+1 }
→ proves d := c'ε a1µ1 a2m2b σ
76
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with Privacy ABCs
commitment scheme
signature scheme
Alice
zero-knowledge proofs
77
August 11, 2015
© 2014 IBM Corporation
commitment scheme
78
August 11, 2015
© 2014 IBM Corporation
Commitment Scheme: Functionality
m
m
m, 2-36-17
August 11, 2015
?
mє
m
© 2014 IBM Corporation
Commitment Scheme: Security
Binding
m, 2-36-17
m', 3-21-11
August 11, 2015
?
m є
m
?
m' є
m
© 2014 IBM Corporation
Commitment Scheme: Security
Binding
m, 2-36-17
m', 3-21-11
August 11, 2015
?
m є
m
?
m' є
m
© 2014 IBM Corporation
Commitment Scheme: Security
Hiding: for all message m, m'
m
m'
August 11, 2015
m
m'
© 2014 IBM Corporation
Commitment Scheme: Security
Hiding: for all message m, m'
m
m'
August 11, 2015
m
m'
?
m
m'
m
m'
© 2014 IBM Corporation
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x Є Zq:
• Pedersen: perfectly hiding, computationally binding
choose r Є Zq
and compute c = gxhr
• ElGamal: computationally hiding, perfectly binding:
choose r Є Zq
and compute c = (gxhr, gr)
To open commitment:
• reveal x and r to verifier
• verifier checks if c = gxhr
August 11, 2015
© 2014 IBM Corporation
Pedersen's Commitment Scheme
Pedersen's Scheme:
Choose r Є Zq
and compute c = gxhr
Perfectly hiding:
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur')+u(r-r')
= gx+ur'hr-r'
for any r'!
I.e., given c and x' here exist r' such that c = gx'hr'
Computationally binding:
Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr
Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q
August 11, 2015
© 2014 IBM Corporation
Commitment Scheme: Extended Features
Proof of Knowledge of Contents
m
Proof
m
true
Proof of Relations among Contents
m, m'
Proof
m = 2 •m'
August 11, 2015
m m'
true
© 2014 IBM Corporation
Commitment Scheme: Extended Features
Let C1 = gmhr and C' = gm'hr then:
m
Proof
m
true
PK{(α,β): C = gβhα }
m, m'
Proof
m = 2 •m'
PK{(α,β,γ):
August 11, 2015
m m'
true
C' = gβhα ⋀ C = (g2)βhγ }
© 2014 IBM Corporation
putting things together
88
August 11, 2015
© 2014 IBM Corporation
Realizing Pseudonyms and Key Binding
! Let G = <g> = <h> of order q
! User's secret key: random sk ∈ Zq
! To compute a pseudonym Nym
– Choose random r ∈ Zq
– Compute Nym = gskhr
89
August 11, 2015
© 2014 IBM Corporation
Privacy-protecting authentication with Privacy ABCs
Like PKI, but better:
! Issuing a credential
Name = Alice Doe
Birth date = April 3, 1997
Concept: credentials
90
August 11, 2015
© 2014 IBM Corporation
Realizing Issuance of Credential
Recall: a signature (c,e,s) on messages m1, ..., mk:
– m1, ..., mk Є {0,1}ℓ:
– e > 2ℓ+1
e
–d = c a
m1
·...· a
1
mk
k
bs mod n
Problem: Pseudonym not in message space!
Solution: Sign secret key instead
→ d = ce a
1
sk
·a
2
m2
·...· a
mk
k
bs mod n
New Problem: how can we sign a secret message?
91
August 11, 2015
© 2014 IBM Corporation
Signature Scheme: Signing Hidden Messages
( m1
m ,... , m
mj , mj+1,..., mk)
σ
ver(σ,(m1,..., mk), ) = true
mj , mj+1,..., mk), )
m ,... , m
σ = sig((( m1
Verification remains unchanged!
Security requirements basically the same as for signatures, but
• signer should not learn any information about m1, ..., mj
• Forgery w.r.t. message clear parts and opening of commitments
August 11, 2015
© 2014 IBM Corporation
Realizing Issuance of Credential
n, ai, b, d
C=a
1
sk
bs'
August 11, 2015
© 2014 IBM Corporation
Realizing Issuance of Credential
σ' }
{(
K
P
C=a
1
sk
σ
,
1
µ
'
):
C
C
n, ai, b, d
µ1 b
a
= 1
e
m
a
,n
bs'
August 11, 2015
© 2014 IBM Corporation
Realizing Issuance of Credential
n, ai, b, d
σ' }
{(
K
P
C=a
1
sk
σ
,
1
µ
'
):
C
C
µ1 b
a
= 1
e
m
a
,n
”)
s
,
e
,
c
(
c = (d/C a
name
2
bs”)1/e mod n
bs'
August 11, 2015
© 2014 IBM Corporation
Realizing Issuance of Credential
n, ai, b, d
σ' }
{(
K
P
C=a
1
sk
σ
,
1
µ
'
):
C
C
µ1 b
a
= 1
e
m
a
,n
”)
s
,
e
,
c
(
c = (d/C a
name
2
bs”)1/e mod n
bs'
d = ce a
August 11, 2015
sk
1
a
2
name
bs” + s' (mod n)
© 2014 IBM Corporation
Realizing Issuance of Credential
Want to sign w.r.t. Nym = gskhr
August 11, 2015
n, ai, b, d
© 2014 IBM Corporation
Realizing Issuance of Credential
Want to sign w.r.t. Nym = gskhr
ρ ⋀
µ1 h
=g
{(µ
K
P
1
n, ai, b, d
σ' }
m
m
a
y
n
N
,
:
m
)
y
,σ'
N
ρ
,
C,
C
ρ b
1
µ a2
a
= 1
stores Nym, name
e
c = (d/C a
name
3
bs”)1/e mod n
sk r
Nym = g h
C=a
1
sk
a
r
2
August 11, 2015
bs'
d = ce a
sk
1
a ra
2 3
name
bs” + s' (mod n)
© 2014 IBM Corporation
An Example Scenario
91
October 28, 2014
© 2013 IBM Corporation
Polling: Scenario and Requirements
Scenario:
! Pollster(s) and a number of users
! Only registered user (e.g., students who took a course) can voice
opinion (e.g., course evaluation)
! User can voice opinion only once (subsequent attempts are
dropped)
! Users want to be anonymous
! A user's opinion in different polls must not be linkable
August 11, 2015
© 2014 IBM Corporation
Polling – Solution: Registration
(n,a1,a2,b,d)
! User generates pseudonym (ID for registration)
! User obtains credential on pseudonym stating that she is eligible
for polls, i.e., (c,e,s)
d = ce a
sk
1
a
2
r
a
3
attr
bs (mod n)
! Credential can contain attributes (e.g., course ID) about her
August 11, 2015
© 2014 IBM Corporation
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because uniqueness of domain
pseudonym
August 11, 2015
© 2014 IBM Corporation
Polling – Solution: Polling
1. Domain pseudonym: P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2. User transforms credential:
– c' = c bs'mod n with randomly chosen s'
– SPK{(ε, µ1, µ2, µ3,σ) : P = gdµ1 ⋀ d := c'ε a1µ1 a2µ2a3µ3b σ (mod n)
⋀ µ1, µ2, µ3 Є {0,1}ℓ ⋀ ε > 2ℓ+1 }(opinion)
August 11, 2015
© 2014 IBM Corporation
Further Concepts
104
August 11, 2015
© 2014 IBM Corporation
Concept – Inspection
Inspector parameters
TTP
Inspection grounds
• If car is damaged: ID with insurance or gov't needs be retrieved
• Similarly: verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
105
August 11, 2015
© 2014 IBM Corporation
Public Key Encryption
Key Generation
Encryption
Decryption
August 11, 2015
© 2014 IBM Corporation
Security
Like Envelopes !?
No info about
message
August 11, 2015
© 2014 IBM Corporation
Security
Like Envelopes !?
or
?
This is called semantic security (secure if used once only or within careful construction.)
August 11, 2015
© 2014 IBM Corporation
Verifiable Encryption with Label
Label is important to bind context to an encryption.
E.g., defines decryption condition, binds user to car, etc.
Security definition: change of label is new ciphertext
August 11, 2015
© 2014 IBM Corporation
Verifiable Encryption with Label
August 11, 2015
© 2014 IBM Corporation
Verifiable Encryption
!Of attributes (discrete logarithm)
–Camenisch-Shoup (SRSA) – based on Paillier Encryption
!Of pseudonyms (group elements)
–Cramer-Shoup (DL) or rarely ElGamal (DL)
!Otherwise (any secret for which ZKPK exists)
–Camenisch-Damgaard, works for any scheme, but much less efficient
!....Open Problem to find new ones!
August 11, 2015
© 2014 IBM Corporation
ElGamal Encryption Scheme
! Group G = <g> of order q
! Secret Key Group x Є {1,...,q}; Public key y = gx
! To encrypt message m Є <g>:
– choose random r Є {1,...,q};
– compute c = (yr m, gr)
! To decrypt ciphertext c = (c1,c2)
– We know c = (yr m, gr) = (gxr m, gr)
– Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
August 11, 2015
© 2014 IBM Corporation
Realizing Inspection
Nym
Nym = gskhr
y= gx
d = ce a ska ra name bs” + s' (mod n)
1
2 3
! Encrypt Nym : random u Є {1,...,q} and enc = (yu Nym, gu) = (e1,e2)
! Compute proof token (presentation token):
– compute c' = c btmod n with randomly chosen t
– compute proof
PK{(ε, µ1, µ2, µ3, σ) :
d := c'ε a1µ1a2µ2a3µ3b σ ∧ e1 = yρ gµ1hµ2 ∧ e2 = gρ ∧
»
August 11, 2015
µ1, µ3, µ3 Є {0,1}ℓ ∧ ε > 2ℓ+1 }
© 2014 IBM Corporation
Revocation of credentials
© 2014 IBM Corporation
Anonymous Credential Revocation
various reasons to revoke credential
%
user lost credential / secret key
%
misbehavior of user
publishes
revocation
info
looks up
Alice should be able to convince verifier that
her credential is among the good ones!
115
August 11, 2015
© 2014 IBM Corporation
Anonymous Credential Revocation
%
Pseudonyms → standard revocation lists don't work
?
116
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: First Solution
! Include into credential some credential ID ui as message, e.g.,
d = ce a
1
sk
a
2
ui
bs” + s' (mod n)
! Publish list of all valid (or invalid) ui's.
(u1,..., uk)
! Alice proves that her ui is on the list.
– Choose random g
– Compute Uj = guj for uj in (u1,..., uk)
–Prove PK{(ε, µ, ρ, σ) : ( d = c'ε a ρa µ b σ (n) ∧ U1 = gµ )
1
2
∨ && & ∨(d = c'ε a ρa µ b σ (mod n) ∧ Uk =
gµ ) }
1
2
! Not very efficient, i.e., linear in size k of list :-(
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Second Solution
! Include into credential some credential ID ui as message, e.g.,
d = ce a ska ui bs” + s' (mod n)
1
2
! Publish list of all invalid ui's.
(u1,..., uk)
! Alice proves that her ui is not on the list.
– Choose random h and compute U = hui
– Prove PK{(ε, µ, ρ, σ) :
d = c'ε a ρa µ b σ (mod n)
1
2
∧ U = hµ }
– Verifier checks whether U = huj for all uj on the list.
! Better, as only verifier needs to do linear work (and it can be
improved using so-call batch-verification...)
! What happens if we make the list of all valid ui's public?
! If credential is revoked, all past transactions become linkable...
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while
! Can pre-compute list Ui = hui
! → single table lookup
! BUT: if user comes again, verifier can link!!!
! ALSO: verifier could not change h at all! or use the same as other
verifiers!
– one way out h = H(verifier, date), so user can check correctness.
– date could be the time up to seconds and the verifier could just store
all the lists, i.e., pre-compute it.
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Second Solution
… better implementation of proof :
Issuer signs intervals between revoked #
→ revocation list: #1,#4,#5,
Sig( 0 ,#1)
Sig(#1,#4)
Sig(#4,#5)
Sig(#5, N )
#3
#3
#3
Verifier does not learn #, #i, #j !
#3
contains # where
#i < # <#j and Sig(#i,#j)
Sig(#i,#j) can be realised also with credential signature scheme, using different public key
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Third Solution
Using cryptographic accumulators:
credentials contain random serial number #
Issuer accumulates all "good" serial
numbers
#2
#3
#1
#2
#2
#6
#4
#5
#2
contains # that
is included in
Proof requires witness
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Third Solution
Using cryptographic accumulators:
to revoke #2 issuer publishes new accumulator &
new witnesses for unrevoked credentials
#2
#3
#1
#2
#2
#6
#4
#5
#2
contains # that
is included in
Proof would require witness
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Third Solution
#2
Using so-called cryptographic accumulators:
! Key setup: RSA modulus n, seed v
#3
#1
! Accumulate:
– values are primes ei
#6
#4
#5
– accumulator value: z = v Π ei mod n
– publish z and n
– witness value x for ej : s.t. z = x ej mod n
can be computed as x = v e1·...·ej-1 · ej+1·...·ek mod n
! Show that your value e is contained in accumulator:
– provide x for e
– verifier checks
August 11, 2015
z = x e mod n
© 2014 IBM Corporation
Revocable Credentials: Third Solution
Security of accumulator: show that e s.t. z = x e mod n for e that is
not contained in accumulator:
– For fixed e: Equivalent to RSA assumption
– Any e: Equivalent to Strong RSA assumption
#2
#3
#1
#6
#4
#5
Revocation: Each cert is associated with an e and each user gets witness
x with certificate. But we still need:
– Efficient protocol to prove that committed value is contained in
accumulator.
– Dynamic accumulator, i.e., ability to remove and add values to
accumulator as certificates come and go.
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Third Solution
! Prove that your key is in accumulator:
– Commit to x:
• choose random s and g and
• compute U1 = x hs, U2 = gs and reveal U1 ,U2, g
– Run proof-protocol with verifier
PK{(ε, µ, ρ, σ, ξ, δ) :
d = c'ε a ρa µ b σ (mod n) ∧ z = U1µ(1/h)ξ (mod n)
1
2
µ
ξ
δ
∧ 1 = U2 (1/g) (mod n) ∧ U2 = g (mod n)}
August 11, 2015
© 2014 IBM Corporation
Revocable Credentials: Third Solution
! Analysis
– No information about x and e is revealed:
• (U1, U2) is a secure commitment to x
• proof-protocol is zero-knowledge
– Proof is indeed proving that e contained in the certificate is
also contained in the accumulator:
a) 1 = U2µ(1/g)ξ = (gδ)µ (1/g)ξ (mod n)
=> ξ = δ µ
b) z = U1µ(1/h)ξ =U1µ(1/h)δ µ =(U1/hδ )µ
c) d = c'ε a ρa µ b σ (mod n)
1
August 11, 2015
(mod n)
2
© 2014 IBM Corporation
Revocation: Third Solution
Dynamic Accumulator
! When a new user gets a certificate containing enew
–Recall: z = v Π ei mod n
–Thus: z' = z enew mod n
–But: then all witnesses are no longer valid, i.e., need
to be updated x' = x enew mod n
August 11, 2015
© 2014 IBM Corporation
Revocation: Third Solution
Dynamic Accumulator
! When a certificate containing erev revoked
– Now z' = v Π ei = z 1/erev mod n
– Witness:
• Use Ext. Euclid to compute a and b
s.t. a eown + b erev = 1
• Now x' = x b z' a mod n
• Why: x'eown = ((x b z' a )eown) erev 1/erev mod n
= ((x b z' a )eown erev ) 1/erevmod n
= ((x eown) b erev (z' erev) a eown) 1/erev mod n
= (z b erev z a eown ) 1/erev mod n
= z 1/erev mod n = z' :-)
August 11, 2015
© 2014 IBM Corporation
Revocation: Third Solution (improved)
Dynamic Accumulator: in case the issuer knows the factorization of n
! When a new user gets a certificate containing enew
– Recall: z = v Π ei mod n
– Actually v never occurs anywhere...
so: v' = v 1/enew mod n and x = z 1/enew mod n
– Thus z needs not to be changed in case new member joins!
! Witnesses need to be recomputed upon revocation only!
August 11, 2015
© 2014 IBM Corporation
Revocation: Zeroth Solution
Update of Credentials: encode validity time as attribute
if credential is valid
→ no need to check
revocation updates from issuer
no additional effort for verifier
130
August 11, 2015
© 2014 IBM Corporation
Revocation: Zeroth Solution
Re-issue certificates
(off-line – interaction might be too
expensive)
U
Recall issuing for identity mixer:
U := a
1
m1
a
m2
2
bs'
Choose e,s”
c = (d/(Ua
(c,e,s”)
August 11, 2015
3
m3
a
4
time
bs” ))1/e
mod n
© 2014 IBM Corporation
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
! Idea: just repeat last step for each new time time':
Choose ei,si”
ci = (d/(Ua
3
m3'
a
4
time'
bsi” ))1/ei mod n
(ci,ei,si”)
! Update information (ci,ei,si”) can be pushed to user by many
different means
August 11, 2015
© 2014 IBM Corporation
Conclusions
! Roadmap
–
–
–
–
–
Explain possibilities to engineers, policy makers etc
Usable prototypes
Provide transparency
Public infrastructure for privacy protection
Laws with teeth (encourage investment in privacy)
! Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces..)
– Security technology typically invisible and hard to sell
! Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show...)
– We must inform and engage in a dialog
133
August 11, 2015
© 2014 IBM Corporation
Thank you!
! eMail: [email protected]
! Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
! Code
– github.com/p2abcengine & abc4trust.eu/idemix
134
August 11, 2015
© 2014 IBM Corporation
References
! D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete
logarithms and some generalizations. In EUROCRYPT ’87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag,
1988.
! S. Brands. Rapid demonstration of linear relations connected by boolean operators.In EUROCRYPT ’97, vol. 1233
of LNCS, pp. 318–333. Springer Verlag, 1997.
! Mihir Bellare: Computational Number Theory
http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
! Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous
Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag.
! Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002,
Lecture Notes in Computer Science, Springer Verlag.
! Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key
Exchange. CRYPTO 2010:255-276
! Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on
Computer and Communications Security 2009: 131-140
! Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002,
Lecture Notes in Computer Science, Springer Verlag.
! M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the
Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages 185 -215,
Springer-Verlag, 2003.
! E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of
Certified Data. In Twelfth International Workshop on Security Protocols 2004.
www.zurich.ibm.com/~jca/publications
! Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology – CRYPTO '93.
Springer Verlag, 1993.
August 11, 2015
© 2014 IBM Corporation
References
! J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with
Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
! David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of
the ACM, Vol. 24 No. 2, pp. 84—88, 1981.
! David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO
'82, 1983.
! David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in
Communications of the ACM, Vol. 28 No. 10, 1985.
! Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: 126144
! Victor Shoup: A computational introduction to Number Theory and Algebra. Available from:
http://www.shoup.net/ntb/
! D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the
ACM.
! D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of
Cryptology, 1988.
! J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances
in Cryptology - CRYPTO 2003.
! T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in
Cryptology - CRYPTO '84.
August 11, 2015
© 2014 IBM Corporation
Similar pages