Cryptanalysis of Two Dynamic ID-based Authentication Schemes for Multi-Server Architecture
Authentication without Identification Jan Camenisch … · Authentication – Traditional approach...
Transcript of Authentication without Identification Jan Camenisch … · Authentication – Traditional approach...
-
© 2016 IBM Corporation
Authentication without Identification
Jan Camenisch IBM Research - Zurich
-
© 2016 IBM Corporation2 Jan Camenisch - Summer School TrentoJune 30, 2016
We all increasingly conduct our daily tasks electronically
Facts
....are becoming increasingly vulnerable to cybercrimes
-
© 2016 IBM Corporation3 Jan Camenisch - Summer School TrentoJune 30, 2016
33% of cyber crimes, including identity theft, take less time than to make a cup of tea.
Facts
-
© 2016 IBM Corporation4 Jan Camenisch - Summer School TrentoJune 30, 2016
10 Years ago, your identity information on the black market was worth $150. Today….
Facts
-
© 2016 IBM Corporation5 Jan Camenisch - Summer School TrentoJune 30, 2016
$4'500'000'000 cost of identity theft worldwide
Facts
-
© 2016 IBM Corporation6 Jan Camenisch - Summer School TrentoJune 30, 2016
ᄅ
Houston, we have a problem!
-
© 2016 IBM Corporation7 Jan Camenisch - Summer School TrentoJune 30, 2016
ᄅ
Houston, we have a problem!
“Buzz Aldrin's footprints are still up there”(Robin Wilton)
-
© 2016 IBM Corporation8 Jan Camenisch - Summer School TrentoJune 30, 2016
Computers don't forget
% Apps built to use & generate (too much) data
% Data is stored by default
% Data mining gets ever better
% New (ways of) businesses using personal data
% Humans forget most things too quickly
% Paper collects dust in drawers
-
© 2016 IBM Corporation9 Jan Camenisch - Summer School TrentoJune 30, 2016
Where's all my data?
The ways of data are hard to understand
% Devices, operating systems, & apps are getting more complex and intertwined
– Mashups, Ad networks– Machines virtual and realtime configured– Not visible to users, and experts– Data processing changes constantly
→ No control over data and far too easy to loose them
-
© 2016 IBM Corporation10 Jan Camenisch - Summer School TrentoJune 30, 2016
You have no privacy, get over it .....?!?
% Huge security problem!– Millions of hacked passwords (100'000 followers $115 - 2013)– Stolen credit card number ($5 - 2013) – Stolen identity ($150 - 2005, $15 - 2009, $5 – 2013)– Lots of not reported issues (industrial espionage, etc)
% Difficult to put figures down– Credit card fraud – Spam & marketing – Manipulating stock ratings, etc..
% We know secret services can do it easily, but they are not the only ones– this is not about homeland security– and there are limits to the degree of protection that one can achieve
% … end we have not event discussed social issues such as democracy etc
% last but not least: data are the new money, so need to be protected
-
© 2016 IBM Corporation11 Jan Camenisch - Summer School TrentoJune 30, 2016
What can we do?
% Most of the technology is there (but we have to use it)
% Most of the legislation is there (but we have to enforce it)
% Public awareness is growing (but we have to feed it)
→ Privacy by Design!
-
© 2016 IBM Corporation12 Jan Camenisch - Summer School TrentoJune 30, 2016
of course there are limits...
% tracing is so easy– each piece of hardware is quite unique– log files everywhere
% …. but that's not the point!– it's not about NSA et al.– active vs passive “adversaries”
so, still, privacy by design!
-
© 2016 IBM Corporation13 Jan Camenisch - Summer School TrentoJune 30, 2016
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon.
– Feature creep, security comes last, if at all– Everyone can do apps and sell them – Networks and systems hard not (well) protected
-
© 2016 IBM Corporation14 Jan Camenisch - Summer School TrentoJune 30, 2016
We need paradigm shift &build stuff for the moon
rather than the sandy beach!
Security & Privacy is not a lost cause!
-
© 2016 IBM Corporation15 Jan Camenisch - Summer School TrentoJune 30, 2016
That means:% Reveal only minimal data necessary% Encrypt every bit% Attach usage policies to each bit
Cryptography can do that!
Security & Privacy is not a lost cause!
-
© 2016 IBM Corporation16 Jan Camenisch - Summer School TrentoJune 30, 2016
Business Case for Privacy
%Business case always depends on specific example%The bad news: data is money – so every one wants it
– Big data, sensors, etc. – Marketing
%No data is easier to protect than lots of data– e.g., losing credit card number
%Privacy is part of security– identity theft– getting access to and manipulating systems, etc.
%Laws are an important driver– like many other technical areas, cf. cars
-
© 2016 IBM Corporation17 Jan Camenisch - Summer School TrentoJune 30, 2016
Privacy by design....
@ Communication layer– TOR, JAP, etc
@ Authentication layer– privacy-preserving attribute-based credentials
@ Application layer– eVoting, ePolls, ....– all apps should be done as “privacy by design”
-
© 2016 IBM Corporation18 Jan Camenisch - Summer School TrentoJune 30, 2016
Cryptography at the network layer
Anonymous communicatione.g., mix networks, onion routing (TOR), DC-nets
Bandwidth suffersPhysical layer notoriously hard to protect
-
© 2016 IBM Corporation19 Jan Camenisch - Summer School TrentoJune 30, 2016
Privacy at the Authentication LayerPrivacy Friendly Identity Management
-
© 2016 IBM Corporation20 Jan Camenisch - Summer School TrentoJune 30, 2016
What is an identity?
name
salary
credit card number
hobbies
phone number
address
language skills
leisure
shopping
work
public authority
nick nameblood group
health care
marital status
birth date
health status
insurance
-
© 2016 IBM Corporation21 Jan Camenisch - Summer School TrentoJune 30, 2016
Identities – Identity Management
■ ID: set of attributes shared w/ someone– attributes are not static: user & party can add
■ ID Management: two things to make ID useful– authentication means– means to transport attributes between parties
■Control attributes with policies:– define requested data– define allowed usage (audience)
■ Privacy by design– minimal amount of data
→ Privacy-preserving attribute-based credentials
-
© 2016 IBM Corporation22 Jan Camenisch - Summer School TrentoJune 30, 2016
Identities Authentication and attribute transfer
-
© 2016 IBM Corporation23 Jan Camenisch - Summer School TrentoJune 30, 2016
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
-
© 2016 IBM Corporation24 Jan Camenisch - Summer School TrentoJune 30, 2016
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need:- subscription- be older than 12
-
© 2016 IBM Corporation25 Jan Camenisch - Summer School TrentoJune 30, 2016
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok, here's - my eID - my subscription
Using digital equivalent of paper world, e.g., with X.509 Certificates
-
© 2016 IBM Corporation26 Jan Camenisch - Summer School TrentoJune 30, 2016
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha, you are- Alice Doe- born on Dec 12, 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4, 2018
Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016
...with X.509 Certificates
-
© 2016 IBM Corporation27 Jan Camenisch - Summer School TrentoJune 30, 2016
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha, you are- Alice Doe- born on Dec 12, 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4, 2018
Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016
This is a privacy and security problem! - identity theft - discrimination - profiling, possibly in connection with other services
-
© 2016 IBM Corporation28 Jan Camenisch - Summer School TrentoJune 30, 2016
Authentication – Traditional approach
ID Management: make ID useful– ID comes w/ authentication means
– Transport of attributes
Is really just paper world made electronic!
% Alice has public and private key% Can use cryptographic identification protocols to
authenticate as owner
% Certificate issued by one party, certificate contains attributes
% Certificate is verified by other party w.r.t. Issuing party's public key (public verification key)
-
© 2016 IBM Corporation29 Jan Camenisch - Summer School TrentoJune 30, 2016
Name = Alice Doe
Birth date = 1997/01/26
signed by the issuer
Authentication – Offline Solution
Public key = 98a9d8ac9237..
credential / certificate$ signed list of attribute-value pairs
-
© 2016 IBM Corporation30 Jan Camenisch - Summer School TrentoJune 30, 2016
Authentication – Offline Solution
1. crede
ntial req
uest
2.
name =
Alice Doe
,
birth date
= 1973/
01/26,
pk =
With traditional PKI, e.g., X.509 v3 certificates
3. access request
5.
Privacy: - have to disclose all attributes in certificate - public key as unique identifier
Privacy: - have to disclose all attributes in certificate - public key as unique identifier
Security: - verifier's collection of attributes - target for identity thievesSecurity: - verifier's collection of attributes - target for identity thieves
name = Alice Doe,birth date = 1973/01/26, pk =
4. over 18?
-
© 2016 IBM Corporation31 Jan Camenisch - Summer School TrentoJune 30, 2016
Using a certificate again…
name = Alice Doe,birth date = 1997/01/26, pk =
name = Alice Doe,birth date = 1997/01/26,
Pk =
linkable when used multiple times- certificate links- public key links
linkable when used multiple times- certificate links- public key links
Authentication – Offline Solution
With traditional PKI, e.g., X.509 v3 certificates
-
© 2016 IBM Corporation32 Jan Camenisch - Summer School TrentoJune 30, 2016
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols), e.g., log-in with Facebook
-
© 2016 IBM Corporation33 Jan Camenisch - Summer School TrentoJune 30, 2016
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution, e.g., log-in with Facebook
Aha, Alice is watching a 12+ movie
-
© 2016 IBM Corporation34 Jan Camenisch - Summer School TrentoJune 30, 2016
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution, e.g., log-in with Facebook
Aha, you are- [email protected] 12+Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016
Aha, Alice is watching a 12+ movie
-
© 2016 IBM Corporation35 Jan Camenisch - Summer School TrentoJune 30, 2016
Authentication – Online Solution
3. over 1
8?
4. authen
tication
over 18
e.g., SAML, WS-Federation, OpenID, Facebook Connect
5.
1. access request
2. over 18?
6. over 18
Privacy: issuer knows who visits which website at which time(often from own records, if not by correlating logs with website)Privacy: issuer knows who visits which website at which time(often from own records, if not by correlating logs with website)
Security: issuance key online 24/7Security: issuance key online 24/7
-
© 2016 IBM Corporation36 Jan Camenisch - Summer School TrentoJune 30, 2016
Private Credentials (aka Anonymous Credentials aka Privacy-ABCs)
best of both worlds
– Privacy: • unlinkable transactions• minimal information disclosure
– Security: • offline issuer
Examples include IBM Identity Mixer and Microsoft U-Prove
-
© 2016 IBM Corporation37 Jan Camenisch - Summer School TrentoJune 30, 2016
Users' Keys:% One secret Identity (secret key)% Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
→ use a different identity for each communication partner or even transaction
Concept: - Key binding - Pseudonyms (and domain pseudonyms)
-
© 2016 IBM Corporation38 Jan Camenisch - Summer School TrentoJune 30, 2016
Two kinds of pseudonyms$ Regular$ Scope exclusive (also called domain pseudonym)
Specification of pseudonym very generic, still:$ Scope: String$ Exclusive: Boolean$ PseudonymValue: AnyValue
For regular pseudonym, scope is non-binding description
...
Pseudonym
-
© 2016 IBM Corporation39 Jan Camenisch - Summer School TrentoJune 30, 2016
Certified attributes from Identity provider% Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3, 1997
Concept: - Credentials
-
© 2016 IBM Corporation40 Jan Camenisch - Summer School TrentoJune 30, 2016
Credential
Credential SpecificationSpecification ID: URNNumberOfAttributes: INTList of Attributes, each consisting of:
– Type: URN first name– DataType: URN string– Encoding: URN sha256
KeyBinding trueRevocation false
Credentials is essentially the same extended with:Each attribute consists additionally
– Value: DataTypeCrypto Value: AnyValue (according to alg.; digital signature)
-
© 2016 IBM Corporation41 Jan Camenisch - Summer School TrentoJune 30, 2016
Example of Credential Specification
-
© 2016 IBM Corporation42 Jan Camenisch - Summer School TrentoJune 30, 2016
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department% Issuing a credential
-
© 2016 IBM Corporation43 Jan Camenisch - Summer School TrentoJune 30, 2016
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need:- subscription- be older than 12
Concept: - Presentation policy
-
© 2016 IBM Corporation44 Jan Camenisch - Summer School TrentoJune 30, 2016
Presentation policy
Presentation policy: which attributes certified by whom a verifier requires to grant access% Credential Alias = String Driver's License
– Possible Credentials: {Credential Spec}– Possible Issuers: {IssuerParameters}– {Disclosed Attributes: AttributeType}
• Possible Inspectors: {InspectorPublicKey}• Inspection Grounds
– SameKeyBindingAs: String Credential Alias
% AttributePredicate– Function: definedFunctions DateGreaterThan– Attribute: CredentialAlias, AttributeType– ConstantValue: AnyValue 1987-03-05
% Message: String
-
© 2016 IBM Corporation45 Jan Camenisch - Summer School TrentoJune 30, 2016
User Verifierpresentation policy
presentation token
“reveal civic number from school credential”
Presentation policy
-
© 2016 IBM Corporation46 Jan Camenisch - Summer School TrentoJune 30, 2016
Proving identity claims% but does not send credentials% only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ≥ 12
Concept: - Presentation token
-
© 2016 IBM Corporation47 Jan Camenisch - Summer School TrentoJune 30, 2016
Privacy-protecting authentication with Privacy ABCs
Aha, you are- older than 12- have a subscription
Proving identity claims% but does not send credential% only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alice's transactions!
-
© 2016 IBM Corporation48 Jan Camenisch - Summer School TrentoJune 30, 2016
Proving Identity Claims: Minimal Disclosure
Alice DoeDec 12, 1998Hauptstr. 7, ZurichCHsingleExp. Aug 4, 2018
verifi
ed
ID
Alice DoeAge: 12+Hauptstr 7, ZurichCHsingleExp. Valid
verifi
ed
ID
-
© 2016 IBM Corporation49 Jan Camenisch - Summer School TrentoJune 30, 2016
Key Binding & Credentials
% All (key bound) credentials are bound to same secret key% For presentation, different credentials can be combined, correct combination is assured by
key binding
-
© 2016 IBM Corporation50 Jan Camenisch - Summer School TrentoJune 30, 2016
Presentation tokens and pseudonyms are unlinkable!
All transaction are unlinkeable by default!
-
© 2016 IBM Corporation51 Jan Camenisch - Summer School TrentoJune 30, 2016
12 < age ?
(Issuer parameter)
Credential
Presentation token
Presentation policy
Pseudonym
(Verifier parameter)
Credential specification
Recall Concepts and Terms
-
© 2016 IBM Corporation52 Jan Camenisch - Summer School TrentoJune 30, 2016
%Protection of user's privacy–unlinkability (multi-use)–using/combining multiple credentials–selective disclosure–predicated over attributes
%Strong authentication– unforgeability of presentation tokens
• Wrong statements• Possession of credentials not owned• Combination of credentials from different users
Summary of Properties
-
© 2016 IBM Corporation53 Jan Camenisch - Summer School TrentoJune 30, 2016
attributes might be hidden from issuer
each issuer has public key of signature scheme
each user has a single secret key but many public keys
each user has a single public key
certificate = signature on user's secret key + attributes
certificate = signature on user's public key + attributes
“prove knowledge” of certificate reveal certificate
- prove that different certificates contain same secret key - selectively reveal attributes
Private credentials vs. classical ones
-
© 2016 IBM Corporation54 Jan Camenisch - Summer School TrentoJune 30, 2016
Try Identity Mixer for yourself
Try yourself: idemixdemo.mybluemix.net→Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier→Source code: github.com/github.com/p2abcengine/p2abcengine→Info: ibm.biz/identity_mixer→
-
© 2016 IBM Corporation55 Jan Camenisch - Summer School TrentoJune 30, 2016
User – Verifier: architectural view [abc4trust.eu]
Available on github.com/p2abcengine & abc4trust.eu/idemix
-
© 2016 IBM Corporation56 May 4, 2016 - Infosecurity Denmark
IBM's Privacy ABCs: Identity Mixer
% Scientific foundation laid 15 years ago, well studied & award winning
% Successful real-world pilots in series of EU projects
% You can have identity mixer, too!– Open-source implementation: https://github.com/p2abcengine– Idemix-as-a-Service on IBM Bluemix– Web-based demo to try for everyone– Coming soon: Idemix on mobile
-
© 2016 IBM Corporation57 Jan Camenisch - Summer School TrentoJune 30, 2016
There is moreHere's just a few examples
-
© 2016 IBM Corporation58 Jan Camenisch - Summer School TrentoJune 30, 2016
TTP
Inspector parameters
Inspection grounds
If car is broken: ID with insurance needs be retrieved
Can verifiably encrypt any certified attribute (optional)
TTP is off-line & can be distributed to lessen trust
Concept: Inspection
-
© 2016 IBM Corporation59 Jan Camenisch - Summer School TrentoJune 30, 2016
If Alice was speeding, license needs to be revoked!
There are many different use cases and many solutions• Variants of CRL work (using crypto to maintain anonymity)
• Accumulators• Signing entries & Proof, ....
• Limited validity – certs need to be updated • ... For proving age, a revoked driver's license still works
Revocation authority parameters
Revocation info
Concept: Revocation
-
© 2016 IBM Corporation60 Jan Camenisch - Summer School TrentoJune 30, 2016
World of Warcraft
Limits of anonymity possible (optional): If Alice and Eve are on-line together they are caught! Use Limitation – anonymous until:
• If Alice used certs > 100 times total... • ... or > 10'000 times with Bob
Alice's cert can be bound to hardware token (e.g., TPM)
Concept: Key-Binding & Usage Control
-
© 2016 IBM Corporation
Some Use Cases
-
© 2016 IBM Corporation62 Jan Camenisch - Summer School TrentoJune 30, 2016
Age verification
% Movie streaming services% Gaming industry % Online gambling platforms% Dating websites% Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
-
© 2016 IBM Corporation63 Jan Camenisch - Summer School TrentoJune 30, 2016
Use Case: Anonymous Authentication
Use certificate anonymously
-
© 2016 IBM Corporation64 Jan Camenisch - Summer School TrentoJune 30, 2016
Use Case: Anonymous Authentication
Use certificate anonymously
Server shall be unable to tell whether or not it is the same user
???
-
© 2016 IBM Corporation65 Jan Camenisch - Summer School TrentoJune 30, 2016
DNA Database
Simple case: DB learns not who accesses DBBetter: Oblivious Access to Database (OT with AC)
• Server must not learn who accesses• which record • Still, Alice can access only records she is authorized for
Use Case: Anonymous Access to a Database
-
© 2016 IBM Corporation66 Jan Camenisch - Summer School TrentoJune 30, 2016
Subscriptions, membership
% Patent databases% DNA databases% News/Journals/Magazines% Transportation: tickets, toll roads% Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
???
-
© 2016 IBM Corporation67 Jan Camenisch - Summer School TrentoJune 30, 2016
Healthcare Use Case
Anonymous consultations with specialists– online chat with at physician / online consultation with IBM Watson to check eligibility
1. Alice proves she has insurance2. Alice describes symptoms 3. Alice gets credential that she is allowed to get treatment
Alice gets a health insurance credential
Insurance
Insurance
Health portal
5. Alice sends bill to insurance and proves that she had gottenthe necessary permission for the treatment.
4. Alice gets treatment from physician, hospital, etc
-
© 2016 IBM Corporation68 Jan Camenisch - Summer School TrentoJune 30, 2016
Payment Use Case
% Credential = Bank note% Double spending need to be prevented/detected
– On-line or Off-line modi possible% Money laundering can also be taken care of
bank
merchant
deposits money
withdrawal
payment
-
© 2016 IBM Corporation69 Jan Camenisch - Summer School TrentoJune 30, 2016
Securing Credit Card Payments
Purchase of $15.50
Number 123456789Expiration 08/2015
Expiration 08/2015“Allow amazon.com up to $300/week”
Expiration 08/2015“Allow amazon.com up to $300/week”
clearinghouse
Expiration 08/2015“Transfer $862 to expedia.com”
Purchase of $862
Expiration 08/2015“Transfer $862 toexpedia.com”
The credit card data is never revealed to the merchant, only to the credit card provider % Bank issues a classic credit card % User registers at a special portal to obtain the Identity Mixer credential% User derives a token allowing that store to withdraw the money% Users cannot be linked across purchases/shops% Stored credit card info useless to hackers!
-
© 2016 IBM Corporation70 Jan Camenisch - Summer School TrentoJune 30, 2016
Polls, recommendation platforms
% Online polls – applying different restrictions on the poll participants: location, citizenship
% Rating and feedback platforms– anonymous feedback for a course only from the students who attended it– wikis– recommendation platforms
Providing anonymous, but at the same time legitimate feedback
-
© 2016 IBM Corporation71 Jan Camenisch - Summer School TrentoJune 30, 2016
Use Case Polling: Scenario and Requirements
Scenario:%Pollster(s) and a number of users%Only registered user (e.g., students who took a course) can voice
opinion (e.g., course evaluation)%User can voice opinion only once (subsequent attempts are
dropped)%Users want to be anonymous % In different polls user must not linkable
-
© 2016 IBM Corporation72 Jan Camenisch - Summer School TrentoJune 30, 2016
Use Case Polling – Solution: Registration
%User generates pseudonym (ID for registration)%User obtains credential on pseudonym stating that she is eligible
for polls%Credential can contain attributes (e.g., course ID) about her
-
© 2016 IBM Corporation73 Jan Camenisch - Summer School TrentoJune 30, 2016
Use Case Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes– User is anonymous and unlinkable– Multiple opinions are detected because uniqueness of
domain pseudonym
-
© 2016 IBM Corporation74 Jan Camenisch - Summer School TrentoJune 30, 2016
Implementation of concepts
-
© 2016 IBM Corporation75 Jan Camenisch - Summer School TrentoJune 30, 2016
Cryptographic Realization of Private Credentials
Efficient realization requires special algorithms% Commitment scheme for pseudonyms
–One secret key, many public keys% Signature scheme for credentials
–Normal signature schemes would be inefficient–Needs to allow for
• Signing attributes separately• Efficient transformation into presentation token
% Zero-knowledge proofs of knowledge for inspection–Needs to be compatible with signature and commitment scheme
% Verifiable encryption scheme for inspection – Needs to be compatible with other schemes
% Certificate revocation lists won't work special schemes →
-
© 2016 IBM Corporation76 Jan Camenisch - Summer School TrentoJune 30, 2016
Excursus: Number Theory
A set G with operation ▫ is called a group if:– closure
for all a,b, in G a → ▫ b in G– associativity
for all a,b,c, in G (a → ▫ b) ▫ c = a ▫ (b ▫ c)– identity
there exist some e in G, s.t. for all a: a ▫ e = a – invertibility
for all a in G, there exist a-1 in G: a ▫ a-1 = e
Most used in cryptography: multiplication of integers mod p (with p prime)
-
© 2016 IBM Corporation77 Jan Camenisch - Summer School TrentoJune 30, 2016
Excursus: Number Theory | Discrete Logarithm
exponentiation = repeated application of ∙ , e.g., a3 = a ∙ a ∙ a
given g, x it is easy to compute gx, g1/x, ....
given gx ,gy it is easy to compute gx gy = gx+y
Discrete Log Assumption– given gx it is hard to compute x
Diffie-Hellman Assumption– given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption– given gx , gy, and gz it is hard to decide if gz = gxy
-
© 2016 IBM Corporation78 Jan Camenisch - Summer School TrentoJune 30, 2016
zero-knowledge proofs
-
© 2016 IBM Corporation79 Jan Camenisch - Summer School TrentoJune 30, 2016
Zero-Knowledge Proofs
% interactive proof between a prover and a verifier about the prover's knowledge
% properties: zero-knowledge
verifier learns nothing about the prover's secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
-
© 2016 IBM Corporation80 Jan Camenisch - Summer School TrentoJune 30, 2016
Given group and element y Є .
Prover wants to convince verifier that she knows x s.t. y = gxsuch that verifier only learns y and g.
t = gs yc ?
Prover:
random r t := gr
Verifier:
random c
s := r - cx
t
s
c
notation: PK{(α): y = gα }
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y, gx
-
© 2016 IBM Corporation81 Jan Camenisch - Summer School TrentoJune 30, 2016
From Protocols To Signatures
Signing a message m:- chose random r Є Zq and - compute c := H(gr||m) = H(t||m)
s := r - cx mod (q) - output (c,s)
Verifying a signature (c,s) on a message m:- check c = H(gs yc||m) ? ↔ t = gs yc ?
Security:- underlying protocol is zero-knowledge proof of knowledge- hash function H(.) behaves as a “random oracle.”
Signature SPK{(α): y = gα }(m):
-
© 2016 IBM Corporation82 Jan Camenisch - Summer School TrentoJune 30, 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): PK{(α): y = gα }(m)
Many Exponents:
PK{(α,β,γ,δ): y = gα hβzγkδuβ }
Logical combinations:
PK{(α,β): y = gα ∧ z = gβ ∧ u = gβhα }
PK{(α,β): y = gα ∨ z = gβ }
Intervals and groups of different order (under SRSA):
PK{(α): y = gα ∧ α Є [A,B] }
PK{(α): y = gα ∧ z = gα ∧ α Є [0,min{ord(g),ord(g)}] }
-
© 2016 IBM Corporation83 Jan Camenisch - Summer School TrentoJune 30, 2016
commitment scheme
-
© 2016 IBM Corporation84 Jan Camenisch - Summer School TrentoJune 30, 2016
m
m, 2-36-17 m є ?
mmm
mmm
Commitment Scheme: Functionality
-
© 2016 IBM Corporation85 Jan Camenisch - Summer School TrentoJune 30, 2016
m, 2-36-17
m', 3-21-11m' є
?mmm
m є ?
mmm
Binding
Commitment Scheme: Security
-
© 2016 IBM Corporation86 Jan Camenisch - Summer School TrentoJune 30, 2016
m, 2-36-17
m', 3-21-11m' є
?mmm
m є ?
mmm
Binding
Commitment Scheme: Security
-
© 2016 IBM Corporation87 Jan Camenisch - Summer School TrentoJune 30, 2016
Hiding: for all message m, m'
m'm
mmm'
mmm
Commitment Scheme: Security
-
© 2016 IBM Corporation88 Jan Camenisch - Summer School TrentoJune 30, 2016
Hiding: for all message m, m'
m'm
mmm'
mmm
mmm'
mmm
m'
m ?
Commitment Scheme: Security
-
© 2016 IBM Corporation89 Jan Camenisch - Summer School TrentoJune 30, 2016
Commitment Schemes
Group G = = of order q
To commit to element x Є Zq:
• Pedersen: perfectly hiding, computationally binding choose r Є Zq and compute c = gxhr
• ElGamal: computationally hiding, perfectly binding:choose r Є Zq and compute c = (gxhr, gr)
To open commitment:• reveal x and r to verifier• verifier checks if c = gxhr
-
© 2016 IBM Corporation90 Jan Camenisch - Summer School TrentoJune 30, 2016
Proof m
true
m
Proof m = 2 •m'
m, m'
true
m m'
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme: Extended Features
-
© 2016 IBM Corporation91 Jan Camenisch - Summer School TrentoJune 30, 2016
Proof m
true
m
Proof m = 2 •m'
m, m'
true
m m'
Commitment Scheme: Extended Features
Let C1 = gmhr and C' = gm'hr then:
PK{(α,β): C = gβhα }
PK{(α,β,γ): C' = gβhα ⋀ C = (g2)βhγ }
-
© 2016 IBM Corporation92 Jan Camenisch - Summer School TrentoJune 30, 2016
signature schemes
-
© 2016 IBM Corporation93 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Functionality
Key Generation
-
© 2016 IBM Corporation94 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Functionality
(m1,..., mk)
σ = sig((m1,..., mk), )
Signing
-
© 2016 IBM Corporation95 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Functionality
(m1,..., mk)
σ = sig((m1,..., mk), )
Verification
σ
ver(σ,(m1,..., mk), ) = true
-
© 2016 IBM Corporation96 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
-
© 2016 IBM Corporation97 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
-
© 2016 IBM Corporation98 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Security
m1σ1
mlσl
σ' and m'≠ mi s.t. ver(σ', m', ) = true
Unforgeability under AdaptiveChosen Message Attack
-
© 2016 IBM Corporation99 Jan Camenisch - Summer School TrentoJune 30, 2016
Signature Scheme: Security
m1σ1
mlσl
σ' and m'≠ mi s.t. ver(σ', m', ) = true
Unforgeability under AdaptiveChosen Message Attack
-
© 2016 IBM Corporation100 Jan Camenisch - Summer School TrentoJune 30, 2016
signature schemes with protocols
-
© 2016 IBM Corporation101 Jan Camenisch - Summer School TrentoJune 30, 2016
( ,... , , mj+1,..., mk)
σ
ver(σ,(m1,..., mk), ) = trueσ = sig((( ,... , , mj+1,..., mk), )
Verification remains unchanged!Security requirements basically the same, but
• Signer should not learn any information about m1, ..., mj• Forgery w.r.t. message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme: Signing Hidden Messages
-
© 2016 IBM Corporation102 Jan Camenisch - Summer School TrentoJune 30, 2016
σ on (m1,..., mk)
Proving Possession of a Signature
-
© 2016 IBM Corporation103 Jan Camenisch - Summer School TrentoJune 30, 2016
{mi | i є S}
σ on (m1,..., mk)
Proving Possession of a Signature
-
© 2016 IBM Corporation104 Jan Camenisch - Summer School TrentoJune 30, 2016
{mi | i є S}, Proof
protocol
σ, {mi | i є S}
true
/
Proving Possession of a Signature
Variation: ● Send also mi to verifier and● Prove that committed messages are signed● Prove properties about hidden/committed mi
{mi | i є S}
σ on (m1,..., mk)
-
© 2016 IBM Corporation105 Jan Camenisch - Summer School TrentoJune 30, 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
Damgaard,Camenisch&Lysyanskaya
Strong RSA, DL-ECC,..
can be used only once
Chaum, Brands, et al.
Discrete Logs, RSA,..
-
© 2016 IBM Corporation106 Jan Camenisch - Summer School TrentoJune 30, 2016
Some signature schemes
-
© 2016 IBM Corporation107 Jan Camenisch - Summer School TrentoJune 30, 2016
RSA Signature Scheme – For Reference
Rivest, Shamir, and Adlemann 1978
Secret Key: two random primes p and qPublic Key: n := pq, prime e,
and collision-free hash function H: {0,1}* -> {0,1}ℓ
Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1)
s := H(m) d mod n
Verification of signature s on a message m Є {0,1}*
se = H(m) (mod n)
Correctness: se = (H(m)d)e = H(m)d·e = H(m) (mod n)
-
© 2016 IBM Corporation108 Jan Camenisch - Summer School TrentoJune 30, 2016
RSA Signature Scheme – for reference
Verification signature on a message m Є {0,1}* se := H(m) (mod n)
Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) }
But this is not a valid proof expression!!!! :-(
-
© 2016 IBM Corporation109 Jan Camenisch - Summer School TrentoJune 30, 2016
Public key of signer: RSA modulus n and ai, b, d Є QRn,
Secret key: factors of n
To sign k messages m1, ..., mk Є {0,1}ℓ :● choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s ≈ n● compute c :
c = (d / (a1m1·...· ak
mk bs ))1/e mod n
● signature is (c,e,s)
CL-Signature Scheme
-
© 2016 IBM Corporation110 Jan Camenisch - Summer School TrentoJune 30, 2016
To verify a signature (c,e,s) on messages m1, ..., mk:● m1, ..., mk Є {0,1}ℓ:● e > 2ℓ+1
● d = ce a1m1·...· ak
mk bs mod n
Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption.
CL-Signature Scheme
-
© 2016 IBM Corporation111 Jan Camenisch - Summer School TrentoJune 30, 2016
Sign blindly with CL signatures
( ,... , , mj+1,..., mk)mmmjmmm1
σ
σ = sig((( ,... , , mj+1,..., mk), ) mmm1 mmmj
Choose e,s”
c = (d/(C a3m3 bs”))1/e mod n
C = a1m1a2
m2 bs’ C + PK{(m1,m2,s’): C = a1m1a2
m2 bs’}
(c,e,s’’)
d = ce a1m1a2
m2a3m3 bs’+s’’ mod n
-
© 2016 IBM Corporation112 Jan Camenisch - Summer School TrentoJune 30, 2016
Recall: d = ce a1m1a2m2 bs mod n
Observe:%Let c' = c btmod n with randomly chosen t %Then d = c'e a1m1a2m2 bs-et (mod n), i.e.,
(c',e, s* = s-et) is also signature on m1 and m2
To prove knowledge of signature (c',e, s*) on m2 and some m1 %provide c' %PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ ∧ µ Є {0,1}ℓ ∧ ε > 2ℓ+1 }
→ proves d := c'ε a1µ1 a2m2b σ
Proving Knowledge of a CL-signature
-
© 2016 IBM Corporation113 Jan Camenisch - Summer School TrentoJune 30, 2016
Solving a Use-Case: Polling
-
© 2016 IBM Corporation114 Jan Camenisch - Summer School TrentoJune 30, 2016
Polling: Scenario and Requirements
Scenario:%Pollster(s) and a number of users%Only registered user (e.g., students who took a course) can voice
opinion (e.g., course evaluation)%User can voice opinion only once (subsequent attempts are
dropped)%Users want to be anonymous %A user's opinion in different polls not linkable
-
© 2016 IBM Corporation115 Jan Camenisch - Summer School TrentoJune 30, 2016
Polling – Solution: Registration
%User generates pseudonym (ID for registration)%User obtains credential on pseudonym stating that she is eligible
for polls, i.e., (c,e,s)
d = ce a1sk a2
name bs (mod n)
%Credential can contain attributes (e.g., course ID) about her
(n,a1,a2,b,d)
-
© 2016 IBM Corporation116 Jan Camenisch - Summer School TrentoJune 30, 2016
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes% User is anonymous and unlinkable
% Multiple casts are detected because uniqueness of domain pseudonym
-
© 2016 IBM Corporation117 Jan Camenisch - Summer School TrentoJune 30, 2016
Polling – Solution: Polling
1. Domain pseudonym: P = gdsk = H(pollID)sk
Ensures privacy: P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2. User transforms credential: – c' = c bs'mod n with randomly chosen s'– SPK{(ε, µ1, µ2,σ) : P = gdµ1 ⋀ d := c'ε a1µ1 a2µ2b σ (mod n)
⋀ µ1, µ2 Є {0,1}ℓ ⋀ ε > 2ℓ+1 }(opinion)
-
© 2016 IBM Corporation118 Jan Camenisch - Summer School TrentoJune 30, 2016
Realizing On-Line eCash
-
© 2016 IBM Corporation119 Jan Camenisch - Summer School TrentoJune 30, 2016
eCash scenario & requirements
User
Bank
Merchant
Deposit
Withdrawal
Spend
Requirements● Anonymity: Withdrawal and Deposit must be unlinkable● No Double Spending: Coin is bit-strings, can be spend twice
-
© 2016 IBM Corporation120 Jan Camenisch - Summer School TrentoJune 30, 2016
Towards a Solution: do it like paper money
User
Bank
Merchant
Deposit
Withdrawal
Spend
% Sign notes with digital signature scheme – Note = (serial number #, value)– Secure because
• signature scheme can not be forged• bank will accepts some serial number only once on-line e-cash→
– Not anonymous because (cf. paper solution)• bit-string of signature is unique• serial number is unique
100
100 100
-
© 2016 IBM Corporation121 Jan Camenisch - Summer School TrentoJune 30, 2016
Towards a Solution
User
Bank
Merchant
Deposit
Withdrawal
Spend
% Use (more) cryptography– Hide serial number from bank when issuing
• e.g., sign commitment of serial number– Reveal serial number and proof
• knowledge of signature on • commitment to serial number
– Anonymous because of commitments scheme and zero-knowledge proof
100
100100
100 100
-
© 2016 IBM Corporation122 Jan Camenisch - Summer School TrentoJune 30, 2016
E-Cash
-
© 2016 IBM Corporation123 Jan Camenisch - Summer School TrentoJune 30, 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
% Issue coin: Hide serial number from bank when issuing – sign commitment of random serial number
% Spend coin: reveal serial number and proof – knowledge of signature on – commitment to serial number
100
100100
100 100
-
© 2016 IBM Corporation124 Jan Camenisch - Summer School TrentoJune 30, 2016
On-line E-cash: Withdrawal
choose random #, s' and compute
C = a1# bs'
C + pr
oof
Choose e,s”
c = (d/(C bs”))1/e mod n
(c,e,s”+s') s.t.
d = ce a1# bs” + s' (mod n)
(c,e,s”)
-
© 2016 IBM Corporation125 Jan Camenisch - Summer School TrentoJune 30, 2016
On-line E-cash: Payment
(c,e,s”+s') s.t.
d = ce a1# bs” + s' (mod n)
#, c', proofcompute c' = c bs'mod nproof = PK{(ε, µ, ρ, σ) : d / a1
#= c'ε b σ (mod n) }
-
© 2016 IBM Corporation126 Jan Camenisch - Summer School TrentoJune 30, 2016
On-line E-cash: Payment
(c,e,s”+s') s.t.
d = ce a1# bs” + s' (mod n)
compute c' = c bs'mod nproof = PK{(ε, µ, ρ, σ) : d / a1
#= c'ε b σ (mod n) }
#, c', proof
#, c
', pr
oof # Є L?
OK/ not OK
-
© 2016 IBM Corporation127 Jan Camenisch - Summer School TrentoJune 30, 2016
Security
% Anonymity– Bank does not learn # during withdrawal– Bank & Shop do not learn c, e when spending
#, c', proof#
, c',
proo
f # Є L?
OK/ not OK
C + pro
of
(c,e,s”)
-
© 2016 IBM Corporation128 Jan Camenisch - Summer School TrentoJune 30, 2016
Security
Double Spending:
%Spending = Compute –c' = c bs'mod n–proof = PK{(ε, µ, ρ, σ) : d / a1
#= c'ε b σ (mod n) }
%Can use the same # only once....– If more #'s are presented than withdrawals:
• Proofs would not sound• Signature scheme would not secure
-
© 2016 IBM Corporation129 Jan Camenisch - Summer School TrentoJune 30, 2016
Realizing Off-Line eCash
-
© 2016 IBM Corporation130 Jan Camenisch - Summer School TrentoJune 30, 2016
Recall On-Line E-Cash
On-Line Solution:1. Coin = random serial # (chosen by user) signed by Bank 2. Banks signs blindly3. Spending by sending # and prove knowledge of signature to Merchant4. Merchant checks validy w/ Bank5. Bank accepts each serial # only once.
Off-Line:- Can check serial # only after the fact- … but at that point user will have been disappeared...
100
100100
-
© 2016 IBM Corporation131 Jan Camenisch - Summer School TrentoJune 30, 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox, but crypto is all about solving paradoxical problems :-)
Goal:– spending coin once: OK– spending coin twice: anonymity is revoked
Not Linkable
-
© 2016 IBM Corporation132 Jan Camenisch - Summer School TrentoJune 30, 2016
Off-line E-cash
Main Idea: – Include #, id, r in credential (#, r hidden from bank/issuer)– Upon spending:
reveal # and t = id + r u , with u randomly chosen by merchant
– t won't reveal anything about id!– However, given two (or more) equations (for the same #, id, r)
t1 = id + r u1 t2 = id + r u2 one can solve for id.
-
© 2016 IBM Corporation133 Jan Camenisch - Summer School TrentoJune 30, 2016
Off-line E-cash: Withdrawal
choose random #, r, s' and compute
C = a1#a2
r bs'
C + pr
oof d = c
e C a3nym bs” mod n
(c,e,s”+s') s.t.
d = ce a1#a2
r a3nym bs” + s' (mod n)
(c,e,s”)
-
© 2016 IBM Corporation134 Jan Camenisch - Summer School TrentoJune 30, 2016
(c,e,s”+s') s.t.
d = ce a1#a2
r a3nym bs” + s' (mod n)
choose random u
u
compute t = r + u nym mod qc' = c bs'mod nproof = PK{(ε, µ, ρ, σ) :
d / a1#= c'ε a2
ρa3µ b σ (mod n) ⋀ gt = gρ (gu)µ }
t, #, c', proof
Let G= be a group of order q
Off-line E-cash: Payment
-
© 2016 IBM Corporation135 Jan Camenisch - Summer School TrentoJune 30, 2016
PK{(ε, µ, ρ, σ) : d / a1
#= c'ε a2ρa3
µ b σ (mod n) ⋀ gt = gρ (gu)µ }
1. d = c'ε a1# a2
ρa3µ b σ (mod n)
=> (c', ε, σ) is a signature on (#, µ, ρ)
2. gt = gρ+uµ => t = ρ + u µ mod q, i.e., t was computed correctly!
Off-line E-cash: Payment
-
© 2016 IBM Corporation136 Jan Camenisch - Summer School TrentoJune 30, 2016
u, t, #, proof
# Є L? If so: 1. t = ρ + u µ (mod q)
2. t' = ρ + u' µ (mod q)
solve for ρ and µ.=> µ = nym because of proof
Off-line E-cash: Deposit
-
© 2016 IBM Corporation137 Jan Camenisch - Summer School TrentoJune 30, 2016
Off-line E-cash: Security
% Unforgeable: –no more coins than #'s,
• otherwise one can forge signatures • or proofs are not sound
–if coins with same # appears with different u's => reveals nym
% Anonymity:–# and r are hidden from signer upon withdrawal–t does not reveal anything about nym (is blinded by r)–proof proof does not reveal anything
-
© 2016 IBM Corporation138 Jan Camenisch - Summer School TrentoJune 30, 2016
Extensions and more
e-Cash% K-spendable cash
– Multiple serial numbers and randomizers per coin– Use PRF to generate serial number and randomizers from seed in coin
% Money laundering preventions– Must not spend more that $10000 dollars with same party– Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks, essentially anything with authentication and privacy% Anonymous credentials, eVoting, ....
Alternative building blocks% A number of signatures scheme that fit the same bill% (Verifiable) encryption schemes that work along as well% Alternative framework: Groth-Sahai proofs plus “structure-preserving” schemes
-
© 2016 IBM Corporation139 Jan Camenisch - Summer School TrentoJune 30, 2016
Conclusion
-
© 2016 IBM Corporation140 Jan Camenisch - Summer School TrentoJune 30, 2016
Conclusions
%Roadmap– Explain possibilities to engineers, policy makers etc– Usable prototypes – Public infrastructure for privacy protection– Laws with teeth (encourage investment in privacy)
%Challenges– Internet services get paid with personal data (inverse incentive)– End users are not able to handle their data (user interfaces..)– Security technology typically invisible and hard to sell– Solutions seems easier without privacy and security
%Towards a secure information society– Society changes quickly and gets shaped by technology – Consequences are hard to grasp (time will show...)– We must inform and engage in a dialog
-
© 2016 IBM Corporation141 Jan Camenisch - Summer School TrentoJune 30, 2016
Thank you!%eMail: [email protected]%Links:
– www.abc4trust.eu– www.PrimeLife.eu – www.zurich.ibm.com/idemix– github.com/p2abcengine & abc4trust.eu/idemix
mailto:[email protected]://www.abc4trust.eu/http://www.PrimeLife.eu/http://www.zurich.ibm.com/idemix
-
© 2016 IBM Corporation142 Jan Camenisch - Summer School TrentoJune 30, 2016
References
% D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT ’87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
% S. Brands. Rapid demonstration of linear relations connected by boolean operators.In EUROCRYPT ’97, vol. 1233 of LNCS, pp. 318–333. Springer Verlag, 1997.
% Mihir Bellare: Computational Number Theory http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
% Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag.
% Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.
% Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key Exchange. CRYPTO 2010:255-276
% Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009: 131-140
% Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.
% M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages 185 -215, Springer-Verlag, 2003.
% E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols 2004. www.zurich.ibm.com/~jca/publications
% Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology – CRYPTO '93. Springer Verlag, 1993.
http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
-
© 2016 IBM Corporation143 Jan Camenisch - Summer School TrentoJune 30, 2016
References
% J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
% David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24 No. 2, pp. 84—88, 1981.
% David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
% David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in Communications of the ACM, Vol. 28 No. 10, 1985.
% Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: 126-144
% Victor Shoup: A computational introduction to Number Theory and Algebra. Available from: http://www.shoup.net/ntb/
% D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM.
% D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
% J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003.
% T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
http://www.zurich.ibm.com/~jca/publicationshttp://www.shoup.net/ntb/
-
© 2016 IBM Corporation144 Jan Camenisch - Summer School TrentoJune 30, 2016
Zero Knowledge Proofs: Security
Proof of Knowledge Property:If prover is successful with non-negl. probability, then she “knows” x = log g y ,
i.e., ones can extract x from her.
Assume c ∈ {0,1}k and consider execution tree:
c = 0 c = 2k-1.... x x x x
If success probability for any prover (including malicious ones)
is >2-k
then there are two accepting tuples (t,c1,s1) and (t,c2,s2) for the same t.
-
© 2016 IBM Corporation145 Jan Camenisch - Summer School TrentoJune 30, 2016
Zero Knowledge Proofs: Security
Prover might do protocol computation in any way it wants & we cannot analyse code.Thought experiment: % Assume we have prover as a black box we can reset and rerun prover→% Need to show how secret can be extracted via protocol interface
t
sc
t
s'c'
t = gs yc = gs' yc' → yc'-c = gs-s'
→ y = g(s-s')/(c'-c)
→ x = (s-s')/(c'-c) mod q
x x
-
© 2016 IBM Corporation146 Jan Camenisch - Summer School TrentoJune 30, 2016
Zero Knowledge Proofs: Security
Zero-knowledge property:If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea: One can simulate whatever Bob “sees”.
t
sc
Choose random c', s' compute t := gs' yc'
if c = c' send s' = s , otherwise restart
Problem: if domain of c too large, success probability becomes too small
-
© 2016 IBM Corporation147 Jan Camenisch - Summer School TrentoJune 30, 2016
One way to modify protocol to get large domain c:
t = gs yc ?
Prover:
random r t := gr
Verifier:
random c,v h := H(c,v)
h := H(c,v) ?s := r - cx
t
s
h
c,v
notation: PK{(α): y = gα }
Zero Knowledge Proofs: Security
y, gx
-
© 2016 IBM Corporation148 Jan Camenisch - Summer School TrentoJune 30, 2016
Zero Knowledge Proofs: Security
One way to modify protocol to get large domain c:
t
h
Choose random c', s' compute t' := gs' yc'
after having received c “reboot” verifier
Choose random scompute t := gs yc send s
s
t'
h
c,v
c,v
-
© 2016 IBM Corporation149 Jan Camenisch - Summer School TrentoJune 30, 2016
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1,β1,α2,β2, α3, β3): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3∧ C3 = gα1gα2hβ3 }
mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1= gα1hβ1 , C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what about:PK{(α1,...,β3): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 C3∧ = gα1 (g5)α2hβ3 }
→ C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
-
© 2016 IBM Corporation150 Jan Camenisch - Summer School TrentoJune 30, 2016
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1,..,β3): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = C2α1hβ3 } mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1= gα1hβ1 , C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2·α1hβ3+β2·α1
C3 = gα2·α1 hβ3+β2·α1 = gα3 hβ3'
a3 = a1 · a2 (mod q)
And what aboutPK{(α1,β1 β2): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C2 = C1α1hβ2 }
→ a2 = a12 (mod q)
-
© 2016 IBM Corporation151 Jan Camenisch - Summer School TrentoJune 30, 2016
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1,..,β2): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ g = (C2/C1)α1hβ2 } mean?
→ Prover knows values α, β1, β2 such that
C1= gα1hβ1
g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
→ g1/α1 = C2 g-α1h-β1 hβ2/α1
C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
-
© 2016 IBM Corporation152 Jan Camenisch - Summer School TrentoJune 30, 2016
Pedersen's Scheme:
Choose r Є Zq and compute c = gxhr
Perfectly hiding:Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur')+u(r-r')
= gx+ur'hr-r' for any r'!
I.e., given c and x' here exist r' such that c = gx'hr'
Computationally binding:Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr
Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q
Pedersen's Commitment Scheme
Slide 1FactsSlide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Standard public-key certificatesSlide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Presentation policySlide 46Slide 47Slide 48Slide 49Slide 50Slide 51Slide 52Slide 53Slide 54Slide 55Slide 56Slide 57Slide 58Slide 59Slide 60Slide 61Slide 62Slide 63Slide 64Slide 65Slide 66Slide 67Slide 68Slide 69Slide 70Slide 71Slide 72Slide 73Slide 74Slide 75Slide 76Slide 77Slide 78Slide 79Slide 80Slide 81Slide 82Slide 83Slide 84Slide 85Slide 86Slide 87Slide 88Slide 89Slide 90Slide 91Slide 92Slide 93Slide 94Slide 95Slide 96Slide 97Slide 98Slide 99Slide 100Slide 101Slide 102Slide 103Slide 104Slide 105Slide 106Slide 107Slide 108Slide 109Slide 110Slide 111Slide 112Slide 113Slide 114Slide 115Slide 116Slide 117Slide 118Slide 119Slide 120Slide 121Slide 122Slide 123Slide 124Slide 125Slide 126Slide 127Slide 128Slide 129Slide 130Slide 131Slide 132Slide 133Slide 134Slide 135Slide 136Slide 137Slide 138Slide 139Slide 140Slide 141Slide 142Slide 143Slide 144Slide 145Slide 146Slide 147Slide 148Slide 149Slide 150Slide 151Slide 152