September 20th, 2006
U-Prove crypto overview
Copyright © 2006, 9112-1772 Quebec Inc. Proprietary and Confidential
Digital Credentials: Crypto basics (1)
• Computation is done in two algebraic structures
  • Base elements live in a finite group Gq of prime order q
    – Property of any group: for g and h in Gq, g·h is also in Gq
  • Exponents live in the finite field ℤq = {0, 1, 2, …, q − 1}
• Properties of the Gq structure that we exploit
  • Basic fact: the “order” of an element divides the order of the group
    – 1 has order 1; the rest obviously does not have order 1
  • Therefore all elements g other than 1 are generators
    – g^x cycles through all elements in Gq for successive values of x
    – Can reduce exponents mod q
      • Example: g^(a·x + b) = g^((a·x + b) mod q)
• Underlying hard problem: DL problem
  • Given g ≠ 1 and a random h := g^x, it is infeasible to find x
Digital Credentials: Crypto basics (2)
• Technically, f(x) := g^x is a one-way function:
  • Average case takes super-polynomial time
    – Measured in size of base elements (“key length”)
• Two well-known constructions for Gq
  • Gq is a sub-group of ℤp* = {1, …, p − 1}
    – Example: DSA, defined in FIPS 186-2
    – Group operation: multiplication mod p
    – Fastest known algorithms take sub-exponential time
    – Typical parameter sizes: |p| = 1024, |q| = 160
  • Gq is an elliptic curve over a finite field
    – More complicated
    – Fastest known algorithms take exponential time
    – Benefit: base elements need only be 160–200 bits to achieve the same level of protection as the 1024-bit prime p above
Digital Credentials: Crypto basics (3)
• We rely on a generalized form, h := g1^x1 ⋯ gk^xk
  • For k randomly chosen generators gi of Gq
  • (x1, …, xk) is a representation of h w.r.t. (g1, …, gk)
• Basic properties we exploit:
  • Can compute h almost as fast as a single exponentiation
  • f(x1, …, xk) := g1^x1 ⋯ gk^xk is a one-way function
    – Can prove inverting is as hard as breaking the DL problem
  • f(x1, …, xk) := g1^x1 ⋯ gk^xk is a collision-intractable function
    – You can only “know” 1 representation for a given h
    – Can prove that the ability to find collisions means breaking the DL problem
  • If a single one of the exponents is chosen at random, all the others are unconditionally hidden
    – And so those k − 1 exponents can represent arbitrary attribute data!
What a Digital Credential looks like
• Initial system set-up by Issuer:
  • Group Gq in which the DL problem is hard
  • k randomly chosen generators gi of Gq
  • Issuer’s own signing key pair
    – Issuing protocol & key pair not discussed in this presentation
• A Digital Credential consists of:
  • Attributes (x1, …, xk) that can represent any data
  • A Digital Credential private key: (x1, …, xk, α) is chosen at random by the User from ℤq and kept secret (the symbol of the last exponent did not survive extraction; it is written α here)
    – User never discloses α; attributes remain unconditionally hidden
  • A Digital Credential public key: h := g1^x1 ⋯ gk^xk h0^α
  • The Issuer’s digital signature on h
    – The signature consists of a mere two or three 160-bit exponents
Showing a Digital Credential
• User sends to Verifier:
  • A property of the attributes (x1, …, xk)
    – User has fine-grained control over the property (“selective disclosure”)
  • The Digital Credential public key, h
  • The Issuer’s signature on h
  • The User’s own signature on a “nonce” of the Verifier
• About the User’s own signature to the Verifier
  • Made with the Digital Credential private key, (x1, …, xk) together with the User’s secret exponent on h0
  • To replay, a dishonest Verifier would need to sign another nonce, but the secret exponent is never disclosed by the User …
  • User’s signature also proves the disclosed property!
    – Reveals nothing beyond the disclosed property, even if Issuer and Verifier collude and would have infinite computing power!
How we accomplish this
• Core ingredient: proof of knowledge (“POK”)
  • Well-known idea from modern cryptography
  • Based on a challenge-response mechanism
    – (Naïve) example: the ability to decrypt any “challenge” message is a “proof” that you must know the secret decryption key
• We rely on provably secure POKs, two flavors:
  – Zero-knowledge proofs of knowledge (Verifier learns nothing)
  – Signed proofs of knowledge (for non-repudiation)
    • Verifier is left with evidence that the POK took place (but nothing more!)
• We do: POK of a representation of H with respect to generators (G1, …, Gt), with a special twist!
  • H and G1, …, Gt are modified forms of h, g1, …, gk, h0, where the modifications depend on the property to be disclosed
    – To ensure the User can disclose properties of the secret as part of the POK
Example 1: User discloses attribute x1
• User sends to Verifier:
  • Disclosed property: x1
    – Note: h = g1^x1 ⋯ gk^xk h0^α (α is the User’s secret exponent on h0), so h / g1^x1 = g2^x2 ⋯ gk^xk h0^α
  • As usual: h and the Issuer’s signature on h
  • User’s signature: (signed) POK of knowledge of a representation of h / g1^x1 with respect to (g2, …, gk, h0)
    – This is done using the “basic” POK of a representation, but switching to a “new” PK and a new tuple of base elements!
• The effect:
  • User discloses x1 and proves knowledge of x2, …, xk without revealing anything about them (nor about α)
  • User cannot lie about x1 (if so, the User would not be able to prove knowledge of a representation)
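The representation h = g1^x1 ⋯ gk^xk h0^α from slides 4 and 5 and the Example 1 showing protocol above, as an added Python example that is not part of the slides. It assumes a toy 10-bit Schnorr group, SHA-256 as the Fiat-Shamir hash that turns the POK into the User's signature, and a nonce built from a Verifier identifier plus a timestamp as slide 9 suggests; the function names are mine.

```python
# Added example, not code from the U-Prove slides: a Digital Credential public
# key h = g1^x1 ... gk^xk h0^alpha in a prime-order subgroup Gq of Z_p^*, plus
# the signed POK of Example 1 (User discloses x1, proves knowledge of the rest).
import hashlib
import secrets

# Toy parameters: Gq is the order-q subgroup of Z_p^*, p = 2q + 1, with q only
# 10 bits long; the slides' DSA-style setting uses |p| = 1024 and |q| = 160.
P, Q = 2039, 1019
K = 3                                               # number of attributes
G = [pow(b, 2, P) for b in range(2, 2 + K)]         # g1..gk: squares lie in Gq
H0 = pow(2 + K, 2, P)                               # h0 carries the User's alpha


def represent(bases, exps):
    """prod bases[i]^exps[i] mod p; exps is a representation of the result."""
    h = 1
    for b, e in zip(bases, exps):
        h = h * pow(b, e, P) % P
    return h


def challenge(*parts):
    """Fiat-Shamir challenge binding the statement, commitment and nonce.
    Kept at the full 256 bits so a wrong input cannot collide here; soundness
    against a cheating User is still only as good as this tiny q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_disclose_x1(attrs, alpha, h, nonce):
    """Signed POK of a representation of h / g1^x1 w.r.t. (g2..gk, h0)."""
    bases, hidden = G[1:] + [H0], attrs[1:] + [alpha]
    w = [secrets.randbelow(Q) for _ in hidden]      # fresh per-proof randomness
    a = represent(bases, w)                         # commitment
    c = challenge(h, attrs[0], a, nonce)
    r = [(wi + c * s) % Q for wi, s in zip(w, hidden)]  # exponents reduce mod q
    return attrs[0], c, r                           # x1 disclosed; (c, r) signs the nonce


def verify_disclose_x1(h, x1, c, r, nonce):
    """Rebuild the commitment as prod bases^r / (h / g1^x1)^c and recheck c."""
    target = h * pow(pow(G[0], x1, P), -1, P) % P   # h / g1^x1
    a = represent(G[1:] + [H0], r) * pow(target, -c, P) % P
    return c == challenge(h, x1, a, nonce)
```

A wrong x1 or a replayed proof under a different nonce changes the hash input, so the recomputed challenge no longer matches.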
Just how efficient is this?
[Figure: message flow for showing a Digital Credential with 3 attributes where the User discloses x2; the labelled parts are the Issuer’s signature and the POK that proves x2 is correct. No exponentiations!]
Note: the showing protocol is collapsed into a single move. (The nonce can be the concatenation of a Verifier “identifier” and a granular measurement of the time-of-day, say.)
Note: almost all values are 20-byte numbers, and with Elliptic Curves all of them are.
Example 2: User discloses linear relations
• Example scenario:
  • Digital Credential with 3 attributes: h := g1^x1 g2^x2 g3^x3 h0^α (α is the User’s secret exponent on h0)
  • User wants to disclose the property (x1 = 2·x3 + 3 mod q) AND (x2 = 4·x3 + 5 mod q)
  • Note:
    h = g1^x1 g2^x2 g3^x3 h0^α
    h = g1^(2·x3 + 3) g2^(4·x3 + 5) g3^x3 h0^α
    h / (g1^3 g2^5) = (g1^2 g2^4 g3)^x3 h0^α
  • Therefore: User proves knowledge of a representation of h / (g1^3 g2^5) with respect to (g1^2 g2^4 g3, h0)
• Remember:
  • Security is always computational
  • But privacy control is always unconditional!
Example 3: User discloses a “negation”
• Example scenario:
  • Digital Credential with 1 attribute: h := g1^x1 h0^α (α is the User’s secret exponent on h0)
  • User wants to disclose the property x1 ≠ 3 mod q
  • Note: x1 ≠ 3 mod q ⟺ x1 = 3 − δ mod q for some δ ≠ 0 mod q (the slide’s symbol for this difference did not survive extraction; it is written δ here)
    h = g1^x1 h0^α
    h = g1^(3 − δ) h0^α
    h^(1/δ) = g1^(3/δ) g1^(−1) h0^(α/δ)
    g1 = (g1^3 / h)^(1/δ) h0^(α/δ)
  • Therefore: User proves knowledge of a representation of g1 with respect to (g1^3 / h, h0)
• Useful in practice:
  • User can prove she is not listed on a blacklist without revealing her identity (x1 represents a unique User identifier)
  • Practical even for moderately long blacklists
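The changes of base behind Examples 2 and 3, as an added Python example that is not part of the slides: each function returns the target, the new base tuple and the witness exponents over which the basic POK of a representation would then be run. The toy group parameters and the function names (linear_rebase, negation_rebase, check) are my assumptions.

```python
# Added example, not code from the U-Prove slides: the changes of base behind
# Examples 2 and 3. Each function returns (target, bases, witness) with
# target = prod bases^witness, i.e. the statement the basic POK then proves.
P, Q = 2039, 1019                 # toy Gq: order-q subgroup of Z_p^*, p = 2q + 1
G = [pow(b, 2, P) for b in range(2, 5)]   # g1, g2, g3 (squares lie in Gq)
H0 = pow(5, 2, P)                 # h0, base of the User's secret exponent alpha


def represent(bases, exps):
    """prod bases[i]^exps[i] mod p."""
    h = 1
    for b, e in zip(bases, exps):
        h = h * pow(b, e, P) % P
    return h


def inv(x):
    return pow(x, -1, P)


def linear_rebase(h, relations, t, x_t, alpha):
    """Example 2: disclose x_i = a_i * x_t + b_i (mod q) for each (i, a_i, b_i).
    h / prod g_i^{b_i} = (g_t * prod g_i^{a_i})^{x_t} * h0^alpha."""
    gs = [G[i] for i, _, _ in relations]
    shift = represent(gs, [b for _, _, b in relations])          # prod g_i^{b_i}
    combined = G[t] * represent(gs, [a for _, a, _ in relations]) % P
    return h * inv(shift) % P, [combined, H0], [x_t, alpha]


def negation_rebase(h, v, x1, alpha):
    """Example 3 (one attribute): disclose x1 != v. With delta = v - x1 != 0,
    g1 = (g1^v / h)^(1/delta) * h0^(alpha/delta)."""
    delta = (v - x1) % Q
    if delta == 0:
        raise ValueError("x1 == v: the property is false, so no witness exists")
    d_inv = pow(delta, -1, Q)                       # exponents live in Z_q
    bases = [pow(G[0], v, P) * inv(h) % P, H0]      # (g1^v / h, h0)
    return G[0], bases, [d_inv, alpha * d_inv % Q]


def check(target, bases, witness):
    """Sanity check of the rebased statement: witness represents target."""
    return represent(bases, witness) == target
```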
Other showing techniques
• Disclosed property can combine any linear relations with AND, OR and NOT connectives
• User can prove that an attribute lies in an interval
  • Example: suppose x1 represents the User’s age:
    – to prove he is a minor, the User proves (discloses) x1 ≤ 17 mod q
• User can prove relations between attributes in multiple Digital Credentials
  • Even if issued by different Issuers
• Multiple Users can prove relations between attributes in their Digital Credentials
  • “At least one of us is a citizen of the country of entry”
  • They don’t need to open up their secret keys to each other!
A typical issuing protocol
[Figure: message flow of the issuing protocol; the labelled parts are the Public Key, the Issuer’s signature, and the 20-byte numbers exchanged.]
Additional techniques (1)
• Smartcard extension
  • User cannot show a Digital Credential without the card’s help
  • Card cannot leak any User information to the outside world
    – User’s own computer moderates all data exchanges on the fly
    – Even if smartcard, Issuer, and Verifier collude with infinite power!
• Issuer certifies attributes without seeing them
  • “Registration Authority” or User could provide them
  • Issuer can encode the SK of a User smartcard
    – Many Issuers can piggyback on the security of a single smartcard!
    – All application credentials remain “fire-walled”
• Issuer can update attributes without seeing them
  • E.g., loyalty tokens, DRM
• Privacy for Verifiers
Additional techniques (2)
• Prevent lending, pooling, and discarding
  • All exploit the fact that the User must know all attributes in the Digital Credential to do the showing protocol POK, even if some or all are not disclosed …
• Limited-show Digital Credentials
  • Prevents showing a Digital Credential too many times
  • Example: off-line e-cash
    – Each e-coin is a one-show Digital Credential with two attributes
      • User identifier encoded at issuing time by the Issuer (the bank)
      • The coin denomination & optional data (e.g., smartcard indicator bit)
    – Honest Users are untraceable
    – Double-spending enables the Issuer to trace the double-spending User
      • Adding a User smartcard can serve as a second line of defense
  • Can be generalized to t-show (e.g., a 10-show e-ticket)