© 2014 IBM Corporation August 11, 2015 Anonymous Credentials Jan Camenisch IBM Research – Zurich @jancamenisch www.camenisch.org/eprivacy
Houston, we have a problem
"Buzz Aldrin's footprints are still up there" (Robin Wilton)
Computers don't forget
• Data storage ever cheaper → "store by default"
  – also collateral collection: surveillance cameras, Google Street View with wireless traffic, Apple location history
• Data mining ever better
  – self-training algorithms cleverer than their designers
  – not just trend detection, even prediction, e.g. flu pandemics, ad clicks, purchases…
  – what about health insurance, criminal behavior?
• The world as we know it
  – humans forget most things too quickly
  – paper collects dust in drawers
• We build apps with the paper-based world in mind :-(
  – if it works, it works
  – security too often still an afterthought
  – implementors too often have no crypto education
Where's all my data?
• The ways of data are hard to understand
• Devices, operating systems & apps are getting more complex and intertwined
  – mashups, ad networks
  – not visible to users and experts
  – data processing changes constantly
• And the cloud makes it worse
  – processing machines can be moved around without borders
• Far too easy to lose (control over) data and to collect data
"You have no privacy, get over it"
… "The NSA has all our data anyway" … "I have nothing to hide"
• Huge security problem
  – millions of hacked passwords (100,000 followers: $115 in 2013)
  – stolen identities ($150 in 2005, $15 in 2009, $5 in 2013)
• Difficult to put figures down
  – credit card fraud
  – spam & marketing
  – manipulating stock ratings, etc.
  – (industrial) espionage
• We know secret services can do it easily, but they are not the only ones
  – but this is not about homeland security
  – and there are limits to the degree of protection that one can achieve
• Last but not least: data are the new money, so they need to be protected
Privacy – a lost case?
No, but we need a paradigm shift & build stuff for the moon rather than the sandy beach
Need to protect our data
• Devices, sensors, etc. cannot all be physically protected
  – authentication of all devices
  – authentication of all data
  makes it even worse :-(
• Data cannot be controlled
  – minimize information
  – encrypt information
  – attach usage policies to each bit
So what can we do?
• Legal approach
  – regulate what information can be collected
  – how to collect it
  – how to use and protect it
  – issue fines for misbehavior
  – very different for different countries and cultures
• Technological approach
  – protect data by encryption
  – govern data by policies
  – minimize data that needs to be used
… of course there are limits
• Tracing is so easy
  – each piece of hardware is quite unique
  – log files everywhere
• … but that's not the point
  – it's not about NSA et al.
  – active vs. passive "adversaries"
• Still: privacy by design
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, Identity and Trust Management Built-In Everywhere
• Network layer: anonymity
  – in mobile phone networks
  – in the Future Internet, as currently discussed
  – access points for ID cards
• Identification layer
  – access control & authorization
• Application layer
  – "standard" e-Commerce
  – specific apps, e.g. eVoting, OT, PIR
  – Web 2.0, e.g. Facebook, Twitter, Wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
[Figure: word cloud of attributes – name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance]
• ID = set of attributes shared with someone
  – attributes are not static; user & party can add
• ID management: two things to make an ID useful
  – authentication means
  – means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need (1) a subscription and (2) to be older than 12"

Watching the movie with the traditional solution
Alice → Movie Streaming Service: "OK, here's my eID and my subscription"
Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12 1975, 7 Waterdrive, CH 8003 Zurich, married, eID expires Aug 4 2018; Mplex customer 1029347, Premium subscription, expires Jan 13 2016"
This is a privacy and security problem:
• identity theft
• profiling
• discrimination

Watching the movie with OpenID and similar solutions, e.g. log-in with Facebook
Alice → Facebook → Movie Streaming Service
Facebook: "Aha, Alice is watching a 12+ movie"
Movie Streaming Service: "Aha, you are Alice@facebook.com, born on Dec 12 1975, Alice's friends are …, Alice's public profile is …; Mplex customer 1029347, Premium subscription, expires Jan 13 2016"
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
• has a subscription
• is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
• one secret identity (secret key)
• many public pseudonyms (public keys)
Like PKI, but better: issuing a credential
The issuer certifies the user's attributes, e.g. Name = Alice Doe, Birth date = April 3 1997
Privacy-protecting authentication with IBM Identity Mixer (Privacy-ABCs)
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need (1) a subscription and (2) to be older than 12"
Alice → Movie Streaming Service: a presentation token derived from her credentials, proving
  – a valid subscription
  – an eID with age ≥ 12
Like PKI, but the credential itself is not sent; only a minimal disclosure is made, which the service checks against the public verification key of the issuer.
Movie Streaming Service: "Aha, you are older than 12 and have a subscription" – and learns nothing else.
Advantages of Identity Mixer
• For users: privacy
  – minimizing disclosure of personal data
  – keeping their identities safe
  – pseudonymous/anonymous access
• For service providers: security, accountability and compliance
  – avoiding the risk of losing personal data if it gets stolen
  – compliance with legislation (access control rules, personal data protection)
  – strong authentication (cryptographic proofs replace usernames/passwords)
  – user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
[Figure: user, verifier and a trusted third party (TTP) holding the inspection key]
• If the car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Concept – Revocation
[Figure: revocation authority parameters (public key) and revocation info are distributed to user and verifier]
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions
  – variants of CRLs work (using crypto to maintain anonymity)
  – accumulators
  – signing entries & proof
  – limited validity: certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
• Degree of anonymity can be limited
  – if Alice and Eve are on-line at the same time, they are caught
• Use limitation: anonymous until
  – Alice used her certs > 100 times in total
  – or > 10,000 times with Bob
• Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
• Movie streaming services
• Gaming industry
• Online gambling platforms
• Dating websites
• Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
• Anonymous access to patients' records
  – accessing medical test results
• Anonymous consultations with specialists
  – online chat with a psychologist
  – online consultation with IBM Watson
• Eligibility for premium health insurance
  – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
• Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
• Patent databases
• DNA databases
• News/Journals/Magazines
• Transportation tickets, toll roads
• Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
• Online polls
  – applying different restrictions on the poll participants: location, citizenship
• Rating and feedback platforms
  – anonymous feedback for a course only from the students who attended it
  – wikis
  – recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Credentials
A Software Stack View on Identity Mixer
[Figure: three layers on the user's side and on the verifier's side]
• Application layer: resource request; on the user side the wallet, on the verifier side access control & app logic
• Policy layer: the verifier sends a presentation policy, the user answers with a presentation token
  – user side: policy/credential matcher, credential manager, store, evidence generation orchestration
  – verifier side: policy/token matcher, token manager, store, evidence verification orchestration
• Crypto layer: Sig, Enc, Com, ZKP on both sides, plus the stores
Privacy-protecting authentication with Privacy-ABCs
[Figure: issuer parameters and a credential specification yield the user's credential; the verifier's presentation policy (verifier parameter) is answered by a presentation token containing a pseudonym and the predicate "12 < age"]
The Policy Layer – An Example Presentation Policy
[Figure: the verifier sends the presentation policy to the user, who answers with a presentation token]

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>

The policy asks for a voucher credential from the named issuer whose Expires attribute is not before 2014-06-17T14:06:00Z; the presentation token reveals only that this predicate holds, not the expiry date itself.
So let's look at the cryptography
Required Technologies
• Encryption schemes
• Signature schemes
• Commitment schemes
• Zero-knowledge proofs
The challenge is to do all this efficiently.
zero-knowledge proofs
Zero-Knowledge Proofs
• interactive proof between a prover and a verifier about the prover's knowledge
• properties
  – zero-knowledge: the verifier learns nothing about the prover's secret
  – proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
  – completeness: if the prover knows the secret she can always convince the verifier
• three moves: commitment, challenge, response
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group $\langle g \rangle$ of prime order $q$ and element $y \in \langle g \rangle$.
Prover wants to convince verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
Prover: choose random $r$, compute $t = g^r$; send $t$
Verifier: choose random $c$; send $c$
Prover: compute $s = r - c x \bmod q$; send $s$
Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero Knowledge Proofs: Proof of Knowledge
If a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rewinding: for the same commitment $t$ send two challenges $c \neq c'$ and obtain responses $s, s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
Simulator: choose random $c'$ and $s'$, compute $t = g^{s'} y^{c'}$ and send $t$; receive $c$; if $c = c'$, send $s = s'$, otherwise restart.
Problem: if the domain of $c$ is too large, the success probability of guessing $c$ in advance becomes too small.
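The three-move protocol, the rewinding extractor and the simulator of the preceding slides, worked through in code. This is an added example, not code from the slides or from Identity Mixer; the toy group (p = 4079 = 2q+1, q = 2039, g = 4), the class and function names and the seeded randomness are assumptions made here for readability, and a real deployment would use a 2048-bit or elliptic-curve group:

```python
# Added example (not from the slides): interactive Schnorr proof
# PK{(alpha): y = g^alpha}, knowledge extraction by rewinding, and the
# zero-knowledge simulator. Toy parameters, assumed here: p = 4079 = 2q+1,
# q = 2039, g = 4 generates the subgroup of order q.
import random

P, Q, G = 4079, 2039, 4


class Prover:
    """Holds the secret x with y = g^x and answers one challenge per commitment."""

    def __init__(self, x, rng):
        self.x = x % Q
        self.y = pow(G, self.x, P)
        self.rng = rng
        self.r = None

    def commit(self):
        self.r = self.rng.randrange(1, Q)   # fresh randomness per run
        return pow(G, self.r, P)            # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q    # s = r - c*x (mod q)


def verify(y, t, c, s):
    """Verifier's check t == g^s * y^c (mod p)."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(prover, rng):
    """One honest interactive run: commitment, challenge, response."""
    t = prover.commit()
    c = rng.randrange(0, Q)
    s = prover.respond(c)
    return verify(prover.y, t, c, s)


def extract(prover, c1, c2):
    """Knowledge extractor: rewind the prover to the same commitment t and
    feed two different challenges; from (c1, s1), (c2, s2) recover x."""
    assert c1 != c2
    t = prover.commit()
    s1 = prover.respond(c1)       # first run
    s2 = prover.respond(c2)       # reset: same r (same t), other challenge
    assert verify(prover.y, t, c1, s1) and verify(prover.y, t, c2, s2)
    # s1 - s2 = (c2 - c1) * x  =>  x = (s1 - s2) / (c2 - c1)  (mod q)
    return ((s1 - s2) * pow(c2 - c1, -1, Q)) % Q


def simulate(y, c, rng):
    """Zero-knowledge simulator: without x, produce an accepting transcript
    for challenge c by choosing s first and solving for t = g^s * y^c."""
    s = rng.randrange(0, Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s


def demo():
    rng = random.Random(7)
    x = 1234                                  # constructed toy secret
    prover = Prover(x, rng)
    ok = run_protocol(prover, rng)
    x_ext = extract(prover, 17, 42)
    t, c, s = simulate(prover.y, 99, rng)
    return ok, x_ext == x, verify(prover.y, t, c, s)


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The simulated transcript passes the verifier's check without ever touching x, which is exactly why a transcript carries no knowledge; the extractor, conversely, only works because the black-box prover can be rewound to reuse r, something an honest prover must never do against a real verifier.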
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
Verifier: choose random $c$ and $v$, compute $h = H(c \| v)$; send $h$ (a commitment to the challenge)
Prover: choose random $r$, compute $t = g^r$; send $t$
Verifier: send $c$ and $v$ (open the commitment)
Prover: check $h = H(c \| v)$, compute $s = r - c x \bmod q$; send $s$
Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero Knowledge Proofs: Security
Simulating the modified protocol (the verifier commits to $c$ first):
• receive $h$; choose random $c'$ and $s'$, compute $t = g^{s'} y^{c'}$; send $t$
• receive the opening $c, v$ of $h$
• after having received $c$, "reboot" the verifier: it sends the same $h$ again, since it is committed to $c$
• now choose random $s$, compute $t = g^{s} y^{c}$ and send $t$; receive $c, v$ again; send $s$
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and compute $t = g^r$
– compute $c = H(t \| m) = H(g^r \| m)$ and $s = r - c x \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$, which holds iff $g^s y^c = t$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
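The signing and verification steps above in code, i.e. the Schnorr signature SPK{(α): y = g^α}(m) obtained by replacing the verifier's challenge with a hash. This is an added example, not code from the slides; the toy group (p = 4079, q = 2039, g = 4), the domain-separation prefix in the hash input and the sample message are assumptions made here:

```python
# Added example (not from the slides): Schnorr signature via Fiat-Shamir,
# c = H(t || m). Toy group assumed: p = 4079 = 2q+1, q = 2039, g = 4.
import hashlib
import random

P, Q, G = 4079, 2039, 4


def hash_challenge(t, m):
    """c = H(t || m) reduced into Z_q; the prefix separates this use of SHA-256 from others."""
    data = b"schnorr-spk|" + t.to_bytes(2, "big") + b"|" + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def sign(x, m, rng):
    r = rng.randrange(1, Q)
    t = pow(G, r, P)                 # commitment t = g^r
    c = hash_challenge(t, m)         # challenge derived from t and the message
    s = (r - c * x) % Q              # response s = r - c*x
    return c, s


def verify(y, m, sig):
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P   # recompute t = g^s * y^c
    return c == hash_challenge(t, m)        # accept iff the challenge matches


def demo():
    rng = random.Random(2015)
    x, y = keygen(rng)
    msg = b"I wish to see Alice in Wonderland"   # constructed sample message
    sig = sign(x, msg, rng)
    # the signature is bound to the message: a changed message must be rejected
    return verify(y, msg, sig), verify(y, b"I wish to see another movie", sig)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that reusing r for two messages leaks x in exactly the way the extractor on the earlier slide exploits, so r must be fresh (or derived deterministically from x and m) for every signature.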
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ Prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \dots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \beta_3'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3'}\}$ mean?
→ Prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3'$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and
$C_3 = C_2^{\alpha_1} h^{\beta_3'} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3'} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2'}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'}\}$ mean?
→ Prover knows values $\alpha_1, \beta_1, \beta_2'$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2'/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2'/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2'/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy-ABCs
[Figure: Alice's credential and presentation token are built from three building blocks: a signature scheme, a commitment scheme and zero-knowledge proofs]
signature schemes
Signature Scheme Functionality
• Key generation: the signer generates a secret signing key $sk$ and a public verification key $pk$
• Signing: $\sigma = sig((m_1, \dots, m_k), sk)$
• Verification: $ver(\sigma, (m_1, \dots, m_k), pk) = true$
Signature Scheme Security
Unforgeability under adaptive chosen-message attack:
• the adversary gets $pk$ and adaptively asks for signatures $\sigma_1, \dots, \sigma_l$ on messages $m_1, \dots, m_l$ of its choice
• it wins if it outputs $\sigma$ and $m \neq m_i$ (for all $i$) s.t. $ver(\sigma, m, pk) = true$
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$
Public key: $n = pq$, prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$?
But this is not a valid proof expression :-( ($H$ is not an algebraic relation in the group, so the statement cannot be written as a discrete-logarithm representation)
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^\ell$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
$c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
– the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k$, check
– $m_1, \dots, m_k \in \{0,1\}^\ell$ and $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$.
Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some hidden $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
commitment scheme
Commitment Scheme Functionality
[Figure: the committer locks a message $m$ (e.g. "2-36-17") into a sealed box and hands it over; later she opens the box and the receiver checks that it contains $m$]
Commitment Scheme Security
• Binding: the committer cannot open the box to a different message (e.g. "3-21-11" instead of "2-36-17")
• Hiding: for all messages $m, m'$, the receiver cannot tell from the sealed box whether it contains $m$ or $m'$
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x + ur}$. For any $x'$ set $r' = r + (x - x')/u \bmod q$; then $g^{x'} h^{r'} = g^{x' + ur'} = g^{x' + ur + x - x'} = g^{x + ur} = c$.
I.e. given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$, so $c$ carries no information about $x$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. a double opening yields the discrete logarithm of $h$.
Commitment Scheme Extended Features
• Proof of knowledge of contents: prove that one knows an opening $(m, r)$ of $C$ → true, without revealing $m$
• Proof of relations among contents: e.g. prove that $C'$ commits to $m' = 2 \cdot m$ where $C$ commits to $m$ → true
Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta): C = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta, \gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$
putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^{r}$
Concept: credentials
Like PKI, but better: the issuer issues a credential on the user's attributes, e.g. Name = Alice Doe, Birth date = April 3 1997
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives commitments to $m_1, \dots, m_j$ together with the clear messages $(m_{j+1}, \dots, m_k)$ and outputs $\sigma = sig((C(m_1), \dots, C(m_j), m_{j+1}, \dots, m_k), sk)$ such that $ver(\sigma, (m_1, \dots, m_k), pk) = true$
Verification remains unchanged. Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \dots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$
1. User: compute $C = a_1^{sk} b^{s'} \bmod n$; send $C$ and the clear attribute (name) together with
   $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
2. Issuer: choose a prime $e$ and random $s''$, compute $c = (d / (C\, a_2^{name}\, b^{s''}))^{1/e} \bmod n$; send $(c, e, s'')$
3. User: the credential is $(c, e, s' + s'')$, since $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$

Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
1. User: compute $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$; send $C$, $Nym$ and name together with
   $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
2. Issuer: store $(Nym, name)$, compute $c = (d / (C\, a_3^{name}\, b^{s''}))^{1/e} \bmod n$; send $(c, e, s'')$
3. User: the credential is $(c, e, s' + s'')$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
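The CL signature algebra of the earlier "CL-Signature Scheme" and "Proving Knowledge of a CL-signature" slides, and the blind issuance w.r.t. Nym just described, worked through in code: plain signing and verification, issuance from a commitment to (sk, r) where the user adds s' to the issuer's s'', and the re-randomisation c' = c·b^t, s' = s − et used before presentation. This is an added example, not code from the slides or Identity Mixer. The toy modulus n = 1000000007 · 998244353 (not a product of safe primes, far too small), the fixed bases, ℓ = 16 and the sample attributes are assumptions made here; the zero-knowledge proof the user sends alongside C is omitted, only the signing side is shown:

```python
# Added example (not from the slides): CL signatures over a toy RSA modulus,
# blind issuance w.r.t. a committed (sk, r), and signature re-randomisation.
# Toy parameters (assumption): n = 1000000007 * 998244353, l = 16, so the
# prime e lies in (2^17, 2^18). Real deployments use 2048-bit safe-prime moduli.
import math
import random

L_BITS = 16
P_PRIME, Q_PRIME = 1000000007, 998244353          # toy RSA primes (issuer's secret)
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)


def qr(x):
    """Map an integer into QR_n by squaring."""
    return pow(x, 2, N)


# issuer public key: bases a_1, a_2, a_3 (for sk, r, name), b and d, all in QR_n
A = [qr(123456789), qr(987654321), qr(555555555)]
B, D = qr(314159265), qr(271828182)


def is_prime(x):
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))


def random_prime_e(rng):
    """Prime e with 2^(l+1) < e < 2^(l+2), invertible mod phi(n)."""
    while True:
        e = rng.randrange(2 ** (L_BITS + 1) + 1, 2 ** (L_BITS + 2))
        if is_prime(e) and math.gcd(e, PHI) == 1:
            return e


def product_of_bases(messages, s):
    acc = pow(B, s, N)
    for a_i, m_i in zip(A, messages):
        acc = (acc * pow(a_i, m_i, N)) % N
    return acc


def sign(messages, rng):
    """Plain CL signing: c = (d / (prod a_i^m_i * b^s))^(1/e) mod n."""
    e = random_prime_e(rng)
    s = rng.randrange(N // 2, N)                   # s approximately n
    base = product_of_bases(messages, s)
    c = pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s


def verify(messages, sig):
    c, e, s = sig
    if not all(0 <= m < 2 ** L_BITS for m in messages) or e <= 2 ** (L_BITS + 1):
        return False
    return D == (pow(c, e, N) * product_of_bases(messages, s)) % N


def randomize(sig, rng):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    t = rng.randrange(1, 2 ** 40)
    return (c * pow(B, t, N)) % N, e, s - e * t


def blind_issue(sk, r, name, rng):
    """Issuance w.r.t. Nym: the user hides sk and r in C = a_1^sk a_2^r b^s',
    the issuer signs C together with the clear attribute `name`."""
    s_user = rng.randrange(N // 4, N // 2)
    commitment = (pow(A[0], sk, N) * pow(A[1], r, N) * pow(B, s_user, N)) % N
    # --- issuer side: sees only `commitment` and `name` (plus the PK, omitted) ---
    e = random_prime_e(rng)
    s_issuer = rng.randrange(N // 4, N // 2)
    base = (commitment * pow(A[2], name, N) * pow(B, s_issuer, N)) % N
    c = pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    # --- user side: combine the randomness, s = s' + s'' ---
    return c, e, s_user + s_issuer


def demo():
    rng = random.Random(11)
    sk, r, name = 40321, 7777, 1234                  # constructed toy attributes
    sig = sign([sk, r, name], rng)
    cred = blind_issue(sk, r, name, rng)
    sig2 = randomize(cred, rng)
    return (verify([sk, r, name], sig), verify([sk, r, name], cred),
            verify([sk, r, name], sig2), sig2[0] != cred[0],
            verify([sk, r, name + 1], cred))


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, False)
```

The re-randomised (c', e, s') verifies against the same public key, which is what lets a user show a fresh-looking value c' at every presentation instead of the c the issuer saw; the remaining exponents e and s' are never revealed either but proved in zero knowledge.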
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
• A user can voice an opinion only once (subsequent attempts are dropped)
• Users want to be anonymous
• A user's opinions in different polls must not be linkable
Polling – Solution: Registration
Issuer's public key: $(n, a_1, a_2, a_3, b, d)$
• User generates a pseudonym (ID for registration)
• User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
• The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
   – the user is anonymous and unlinkable
   – multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and sends $P$, $c'$ and
   $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts
Concept – Inspection
[Figure: the inspector parameters (public key) and the inspection grounds are part of the presentation policy; the TTP (inspector) can decrypt on the stated grounds]
• If the car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption with the public key, decryption with the secret key]
Public Key Encryption: Security
Like envelopes: no information about the message leaks from the ciphertext.
Even if the adversary picks two messages and is given the encryption of one of them, it cannot tell which one was encrypted.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label counts as a new ciphertext, so a ciphertext cannot be decrypted under a label other than the one it was created with.
Verifiable Encryption
• Of attributes (discrete logarithms)
  – Camenisch-Shoup (SRSA), based on Paillier encryption
• Of pseudonyms (group elements)
  – Cramer-Shoup (DL) or, rarely, ElGamal (DL)
• Otherwise (any secret for which a ZKPK exists)
  – Camenisch-Damgård works for any scheme, but is much less efficient
• Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \dots, q\}$; public key: $y = g^x$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \dots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
Alice holds $Nym = g^{sk} h^{r}$ and a credential $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \dots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
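A small Fiat-Shamir prover and verifier for conjunctions of discrete-logarithm representations with shared exponents (the "logical combinations" and "many exponents" forms of the earlier slides), used for the group-side clauses of two of the proofs above: the polling domain pseudonym P = H(pollID)^sk tied to Nym = g^sk h^r, and inspection, where Nym is ElGamal-encrypted under the inspector key y = g^x and the proof shows that the ciphertext contains the pseudonym behind the credential. This is an added example, not code from the slides or Identity Mixer. The CL-signature clause (d = c'^ε …) and the range clauses of the full SPK are left out, and the toy group (p = 4079, q = 2039, g = 4, h = g^777 with the exponent assumed unknown), the hash-to-group method and the sample poll IDs are assumptions made here:

```python
# Added example (not from the slides): Fiat-Shamir proofs for statements
# PK{(w_1..w_k): T_1 = prod base^w AND ... AND T_m = prod base^w}, applied to
# (1) a domain pseudonym P = H(pollID)^sk bound to Nym = g^sk h^r, and
# (2) verifiable ElGamal encryption of Nym for an inspector with key y = g^x.
# Toy group assumed: p = 4079 = 2q+1, q = 2039, g = 4.
import hashlib
import random

P, Q, G = 4079, 2039, 4
H_BASE = pow(G, 777, P)   # second generator h; its exponent is assumed unknown to everybody


def hash_to_group(label):
    """H(label) into the order-q subgroup: hash, reduce mod p, square (skip 0 and +-1)."""
    for ctr in range(256):
        v = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        if v not in (0, 1, P - 1):
            return pow(v, 2, P)
    raise ValueError("hash_to_group failed")


def fs_challenge(relations, commitments, message):
    data = repr((relations, commitments, message)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(relations, witnesses, message, rng):
    """relations: list of (target, [(base, witness_index), ...]) meaning
    target = prod base^witnesses[index] (mod p). Returns (challenge, responses)."""
    blinders = [rng.randrange(Q) for _ in witnesses]
    commitments = []
    for _target, terms in relations:
        t = 1
        for base, k in terms:
            t = (t * pow(base, blinders[k], P)) % P      # t_j = prod base^rho
        commitments.append(t)
    c = fs_challenge(relations, commitments, message)
    responses = [(rho - c * w) % Q for rho, w in zip(blinders, witnesses)]
    return c, responses


def verify(relations, proof, message):
    c, responses = proof
    commitments = []
    for target, terms in relations:
        t = pow(target, c, P)
        for base, k in terms:
            t = (t * pow(base, responses[k], P)) % P    # target^c * prod base^z = t_j
        commitments.append(t)
    return c == fs_challenge(relations, commitments, message)


def polling_token(sk, r, poll_id, opinion, rng):
    """P = H(pollID)^sk and SPK{(sk, r): Nym = g^sk h^r AND P = gd^sk}(opinion)."""
    nym = (pow(G, sk, P) * pow(H_BASE, r, P)) % P
    gd = hash_to_group(poll_id)
    dom = pow(gd, sk, P)
    relations = [(nym, [(G, 0), (H_BASE, 1)]), (dom, [(gd, 0)])]
    return nym, dom, relations, prove(relations, [sk, r], opinion, rng)


def inspection_token(sk, r, y, rng):
    """Encrypt Nym under y and prove PK{(sk, r, u): Nym = g^sk h^r AND
    e1 = y^u g^sk h^r AND e2 = g^u}."""
    nym = (pow(G, sk, P) * pow(H_BASE, r, P)) % P
    u = rng.randrange(1, Q)
    e1, e2 = (pow(y, u, P) * nym) % P, pow(G, u, P)
    relations = [(nym, [(G, 0), (H_BASE, 1)]),
                 (e1, [(y, 2), (G, 0), (H_BASE, 1)]),
                 (e2, [(G, 2)])]
    return nym, (e1, e2), relations, prove(relations, [sk, r, u], b"inspection", rng)


def inspect(x, ciphertext):
    e1, e2 = ciphertext
    return (e1 * pow(e2, -x, P)) % P          # Nym = e1 * e2^-x


def demo():
    rng = random.Random(3)
    sk = rng.randrange(1, Q)
    # polling: same user twice in one poll -> same P (double vote detected);
    # a different poll -> a different, unlinkable P
    _, p1, rel1, pr1 = polling_token(sk, 101, b"poll-course-evaluation", b"great course", rng)
    _, p1b, _, _ = polling_token(sk, 202, b"poll-course-evaluation", b"great course", rng)
    _, p2, _, _ = polling_token(sk, 303, b"poll-cafeteria", b"meh", rng)
    # inspection: the inspector recovers exactly the pseudonym that was proved
    x = rng.randrange(1, Q)
    nym, ct, rel2, pr2 = inspection_token(sk, 404, pow(G, x, P), rng)
    return (verify(rel1, pr1, b"great course"), verify(rel1, pr1, b"bad course"),
            p1 == p1b, p1 != p2, verify(rel2, pr2, b"inspection"), inspect(x, ct) == nym)


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, True, True)
```

Because the witness index 0 (sk) appears in both the Nym relation and the P relation, the single response z_0 ties the two statements together; that is the whole trick behind "proofs of relations among contents" and it is what prevents a user from presenting someone else's domain pseudonym with her own credential.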
Revocation of credentials
Anonymous Credential Revocation
[Figure: the revocation authority publishes revocation info; the verifier looks it up]
• Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user
• Alice should be able to convince the verifier that her credential is among the good ones
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work (presentations are unlinkable, so there is no fixed identifier the verifier could look up)
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public instead? Publishing $u_i$'s, valid or revoked, lets a verifier test stored $U$ values against them: once a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
• it can pre-compute the list $U_j = h^{u_j}$ → single table lookup
• BUT if the user comes again, the verifier can link her visits; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
• one way out: $h = H(verifier, date)$, so the user can check correctness
  – the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – better implementation of the proof
[Figure: revocation list {1, 4, 5}; the issuer signs the intervals between revoked values, Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); the user holding value 3 shows that 3 lies in the interval of Sig(1,4)]
• The issuer signs the intervals between revoked values → revocation list $\{1, 4, 5\}$
• The user proves that her credential contains $u$ and that she holds $Sig(i, j)$ with $i < u < j$
• The verifier does not learn $i$, $j$ (nor $u$)
• $Sig(i, j)$ can also be realised with the credential signature scheme, using a different public key
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
– Accumulate: the values are primes $e_i$; the accumulator value is $z = v^{\prod e_i} \bmod n$; publish $z$ and $n$
– The witness value $x$ for $e_j$, s.t. $z = x^{e_j} \bmod n$, can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
– Show that your value $e$ is contained in the accumulator: provide $x$ for $e$; the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
– Security of the accumulator: it must be infeasible to come up with $(x, e)$ such that $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
 – for a fixed $e$: equivalent to the RSA assumption
 – for any $e$ (chosen by the adversary): equivalent to the Strong RSA assumption
– Revocation: each cert is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need
 – an efficient protocol to prove that a committed value is contained in the accumulator
 – a dynamic accumulator, i.e., the ability to remove and add values as certificates come and go
Revocable Credentials: Third Solution – prove that your key is in the accumulator
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^{s}$ and $U_2 = g^{s}$ ($h$ is a fixed public base), and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n\ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n\ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n\ \wedge\ U_2 = g^{\delta} \pmod n\}$

Analysis
– No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
 a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \ \Rightarrow\ \xi = \delta\mu$
 b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta\mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e., the committed value $x = U_1 h^{-\delta}$ is a witness for $\mu$
 c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e., the same $\mu$ is the attribute $e$ signed in the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$

When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (recomputed from $v$ and the remaining $e_i$, or directly via $1/e_{rev} \bmod \varphi(n)$ if the issuer knows the factorization)
– Witness: use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\,e_{own} + b\,e_{rev} = 1$; now $x' = x^{b} z'^{a} \bmod n$
– Why:
$x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} \pmod n$
$= \big((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}}\big)^{1/e_{rev}} = \big(z^{b e_{rev}} z^{a e_{own}}\big)^{1/e_{rev}} \pmod n$
$= z^{1/e_{rev}} \bmod n = z'$ :-)

Revocation: Third Solution (improved) – Dynamic Accumulator in case the issuer knows the factorization of $n$
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
– Witnesses need to be recomputed upon revocation only
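As an added worked example (not the slides' or Identity Mixer's code), the following Python implements the accumulator operations described above: accumulation, witness computation and checking, join with and without the factorization trapdoor, revocation, and the extended-Euclid witness update. The modulus (two small, publicly known primes), the seed and the prime serial numbers are toy assumptions; the zero-knowledge proof that the accumulated value sits inside a credential is not included.

```python
"""RSA accumulator with dynamic join / revoke and witness updates, in the style of the
slides (added example, toy parameters; not the Identity Mixer implementation).
Requires Python >= 3.8 for pow(x, -1, m) / negative exponents."""

# --- constructed toy parameters (assumption: NOT secure) ---------------------
P, Q = 1_000_000_007, 998_244_353           # two small, well-known primes
N = P * Q                                   # accumulator modulus n
PHI = (P - 1) * (Q - 1)                     # the issuer's trapdoor
V = pow(12345, 2, N)                        # seed v, a quadratic residue mod n
SERIALS = [101, 103, 107, 109, 113, 127]    # prime serials e_i of the issued credentials


def accumulate(primes, v=V, n=N):
    """z = v^(e_1 * ... * e_k) mod n."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z


def witness(primes, e_j, v=V, n=N):
    """x = v^(product of all e_i except e_j) mod n, so that x^e_j == z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, n)
    return x


def verify(z, x, e, n=N):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, n) == z


def ext_gcd(a, b):
    """Extended Euclid: (g, u, w) with u*a + w*b == g == gcd(a, b)."""
    old_r, r, old_u, u, old_w, w = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_w, w = w, old_w - q * w
    return old_r, old_u, old_w


def join_without_trapdoor(z, x, e_new, n=N):
    """Nobody uses phi(n): z' = z^e_new, and every existing witness becomes x' = x^e_new."""
    return pow(z, e_new, n), pow(x, e_new, n)


def join_with_trapdoor(z, e_new, phi=PHI, n=N):
    """Issuer knows phi(n): z stays as it is and the newcomer gets x = z^(1/e_new) mod n
    (conceptually the seed is replaced by v' = v^(1/e_new), which is never needed again)."""
    return pow(z, pow(e_new, -1, phi), n)


def revoke(z, e_rev, phi=PHI, n=N):
    """Issuer publishes z' = z^(1/e_rev) mod n."""
    return pow(z, pow(e_rev, -1, phi), n)


def update_witness_after_revoke(x, z_new, e_own, e_rev, n=N):
    """Holder of e_own updates without any trapdoor: with a*e_own + b*e_rev = 1,
    x' = x^b * z'^a, because x'^e_own = z^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("serials must be distinct primes")
    return pow(x, b, n) * pow(z_new, a, n) % n      # negative exponent => modular inverse


def demo():
    z = accumulate(SERIALS)
    mine = 107
    x = witness(SERIALS, mine)
    assert verify(z, x, mine)
    # credential 131 joins via the trapdoor: z unchanged, my witness still valid
    x_new = join_with_trapdoor(z, 131)
    assert verify(z, x_new, 131) and verify(z, x, mine)
    # credential 103 is revoked: z changes, so I must update my witness
    z2 = revoke(z, 103)
    x2 = update_witness_after_revoke(x, z2, mine, 103)
    assert verify(z2, x2, mine)
    assert not verify(z2, witness(SERIALS, 103), 103)   # the revoked holder is stuck
    return z2, x2


if __name__ == "__main__":
    print("updated witness verifies:", verify(*demo(), 107))
```

The update step is the point of the construction: after a revocation every honest holder can refresh her own witness from the published $z'$ alone, while the revoked holder cannot, since producing a witness for a non-accumulated prime would break Strong RSA.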
Revocation: Zeroth Solution – update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution – re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– the user sends $U = a_1^{m_1} a_2^{m_2} b^{s}$ (and proves knowledge of its opening); the issuer never sees $m_1$, $m_2$
– the issuer chooses $e, s''$ and computes $c = \big(d / (U\, a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$
– the user receives $(c, e, s'')$ and holds the signature $(c, e, s + s'')$ on $(m_1, m_2, m_3, time)$

Idea: just repeat the last step for each new validity period $time_i$:
– the issuer chooses $e_i, s_i''$ and computes $c_i = \big(d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$
– the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; the issuer only needs the stored $U$ and the clear attributes, not the user's participation
– at presentation the user proves that the $time$ attribute has not yet expired, so the verifier needs no revocation information at all
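As an added worked example (not the Identity Mixer implementation), the following Python runs the zeroth solution end to end: the user commits to her secret key and a hidden attribute, the issuer completes a CL signature that carries a validity-period attribute, and later re-issues for a new period by repeating only its last step on the stored $U$. The modulus (two small known primes), the bases, the 16-bit attribute length and the period values are toy assumptions; a real issuer uses a ~2048-bit modulus, and the user's proof of knowledge of the opening of $U$ is omitted.

```python
"""Zeroth revocation solution: CL signature with a validity-time attribute, issued on a
hidden commitment U and re-issued for a new period (added example, toy parameters).
Requires Python >= 3.8 for pow(x, -1, m)."""
import secrets
from math import gcd

# --- toy issuer key (assumption: small, known primes; NOT secure) --------------
P, Q = 1_000_000_007, 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)          # issuer secret, needed for the e-th root
L = 16                           # attribute length ell in bits (toy)
A1, A2, A3, A4, B, D = (pow(s, 2, N) for s in (3, 5, 7, 11, 13, 17))  # bases in QR_n


def is_prime(x: int) -> bool:
    """Trial division; fine for the 18-bit e used here."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def random_prime_e() -> int:
    """Prime e with 2^(L+1) < e < 2^(L+2), coprime to phi(n) so that 1/e exists."""
    while True:
        e = (1 << (L + 1)) + 1 + secrets.randbelow(1 << (L + 1))
        if is_prime(e) and gcd(e, PHI) == 1:
            return e


def user_commit(sk: int, m2: int):
    """User: U = a1^sk a2^m2 b^s with random s; the issuer never learns sk or m2."""
    s = secrets.randbelow(N)
    U = pow(A1, sk, N) * pow(A2, m2, N) % N * pow(B, s, N) % N
    return U, s


def issue(U: int, m3: int, time: int):
    """Issuer: choose e, s''; c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n; return (c, e, s'')."""
    e, s2 = random_prime_e(), secrets.randbelow(N)
    base = U * pow(A3, m3, N) % N * pow(A4, time, N) % N * pow(B, s2, N) % N
    c = pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def verify(c: int, e: int, s: int, sk: int, m2: int, m3: int, time: int) -> bool:
    """d == c^e a1^sk a2^m2 a3^m3 a4^time b^s mod n, with e in the prescribed range.
    s is the user's s plus the issuer's s''. (Attributes are assumed < 2^L.)"""
    if not (1 << (L + 1)) < e < (1 << (L + 2)):
        return False
    rhs = pow(c, e, N)
    for base, m in ((A1, sk), (A2, m2), (A3, m3), (A4, time), (B, s)):
        rhs = rhs * pow(base, m, N) % N
    return rhs == D


def reissue(U: int, m3: int, new_time: int):
    """Off-line update: the issuer repeats only its last step on the stored U for a new
    period and pushes (c_i, e_i, s_i'') to the user; no interaction is needed."""
    return issue(U, m3, new_time)


def demo() -> bool:
    sk, m2, m3 = 4242, 7, 99          # secret key, hidden attribute, clear attribute (toy)
    U, s = user_commit(sk, m2)
    c, e, s2 = issue(U, m3, time=2015)
    assert verify(c, e, s + s2, sk, m2, m3, 2015)
    assert not verify(c, e, s + s2, sk, m2, m3, 2016)   # old credential does not cover 2016
    c2, e2, s3 = reissue(U, m3, new_time=2016)
    return verify(c2, e2, s + s3, sk, m2, m3, 2016)


if __name__ == "__main__":
    print("re-issued credential verifies:", demo())
```

The verifier here checks the time attribute in the clear only to show the arithmetic; in the credential system the user proves $d = c^{\varepsilon} a_1^{\mu_1} \cdots a_4^{\mu_4} b^{\sigma}$ together with a range statement on the time attribute, so the verifier learns neither the attributes nor the signature itself.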
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
copy 2014 IBM Corporation2
ᄅ
Houston we have a problem
copy 2014 IBM Corporation3
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2014 IBM Corporation4
Computers dont forget
Data storage ever cheaper rarr ldquostore by defaultrdquo ndash also collateral collection surveillance cameras Google Street
View with wireless traffic Apple location history
Data mining ever betterndash self-training algorithms cleverer than their designersndash not just trend detection even prediction eg flu
pandemics ad clicks purchaseshellipndash what about health insurance criminal behavior
The world as we know itndash Humans forget most things too quicklyndash Paper collects dust in drawers
We build apps with the paper-based world in mind -(ndash if it works it worksndash security too often still an afterthoughtndash implementors too often have no crypto education
copy 2014 IBM Corporation5
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Not visible to users and expertsndash Data processing changes constantly
And the cloud makes it worsendash Processing machines can be moved around wout borders
Far too easy to lose (control over) data and to collect data
copy 2014 IBM Corporation6
You have no privacy get over it
hellip ldquoThe NSA has all our data anywayrdquohellip ldquoI have nothing to hiderdquo
Huge security problemndash Millions of hacked passwords (100000 followers $115 - 2013)ndash Stolen identities ($150 - 2005 $15 - 2009 $5 ndash 2013)
Difficult to put figures downndash Credit card fraud ndash Spam amp marketing ndash Manipulating stock ratings etcndash (Industrial) espionage
We know secret services can do it easily but they are not the only onesndash but this is not about homeland securityndash and there are limits to the degree of protection that one can achieve
last but not least data are the new money so they need to be protected
copy 2014 IBM Corporation7
Privacy ndash a lost case
No but we need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
copy 2014 IBM Corporation8
Need to protect our data
devices sensors etc cannot all be physically protectedndash authentication of all devices ndash authentication of all data
makes it even worse -(
data cannot be controlledndash minimize information ndash encrypt information ndash attach usage policies to each bit
copy 2014 IBM CorporationAugust 11 2015
So what can we do
Legal approachndashRegulate what information can be collectedndashHow to collect itndashHow to use and protect itndashIssue fines for misbehaviorndashVery different for different countries and cultures
Technological approachndashProtect data by encryptionndashGovern data by policiesndashMinimize data that needs to be used
copy 2014 IBM CorporationAugust 11 2015
of course there are limits
tracing is so easyndash each piece of hardware is quite unique
ndash log files everywhere
hellip but thats not the pointndash its not about NSA et alndash active vs passive ldquoadversariesrdquo
still privacy by design
copy 2014 IBM Corporation
Our Vision In the Information Society users can act and interact in a safe and secure way while retaining control of their private spheres
copy 2014 IBM Corporation12
PETs Can Help
Privacy Identity and Trust Mgmt Built-In EverywhereNetwork Layer Anonymity
ndash in mobile phone networksndash in the Future Internet as currently discussedndash access points for ID cards
Identification LayerndashAccess control amp authorization
Application LayerndashldquoStandardrdquo e-Commerce ndashSpecific Apps eg eVoting OT PIR ndashWeb 20 eg Facebook Twitter Wikis
copy 2014 IBM Corporation13 August 11 2015
Privacy at the Authentication Layer
Authentication without identification
copy 2014 IBM Corporation14 August 11 2015
What is an identity amp identity management
name
salary
credit card number
hobbies
phone number
address
language skills
leisure
shopping
work
public authority
nick name blood group
health care
marital status
birth date
health status
insurance
ID set of attributes shared w someonendash attributes are not static user amp party can add
ID Management two things to make ID usefulndash authentication meansndash means to transport attributes between parties
copy 2014 IBM Corporation15 August 11 2015
Lets see a scenario
copy 2014 IBM Corporation
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2014 IBM Corporation
Alice wants to watch a movie at Mplex
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problembull - identity theftbull - profiling bull - discrimination
copy 2014 IBM Corporation21 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
copy 2014 IBM Corporation22 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2014 IBM Corporation23 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- born on Dec 12 1975- Alices friends are - Alices public profile is Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2014 IBM Corporation
Identity Mixer solves this
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2014 IBM CorporationAugust 11 2015
Like PKI but better
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with IBM Identity Mixer
copy 2014 IBM CorporationAugust 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with IBM Identity Mixer
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation27 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
Movie Streaming Service
copy 2014 IBM Corporation28
Privacy-protecting authentication with IBM Identity Mixer
Alice
I wish to see Alice in Wonderland
You need- subscription- be older than 12
Movie Streaming Service
copy 2014 IBM Corporation29
Privacy-protecting authentication with IBM Identity Mixer
Alice
Movie Streaming Service
copy 2014 IBM Corporation30
Privacy-protecting authentication with IBM Identity Mixer
Alice
I wish to see Alice in Wonderland
You need- subscription- be older than 12
Movie Streaming Service
copy 2014 IBM CorporationAugust 11 2015
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with IBM Identity Mixer
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
copy 2014 IBM Corporation32 August 11 2015
Privacy-protecting authentication with IBM Identity Mixer
Alice
Aha you are- older than 12- have a subscription
Movie Streaming ServiceMovie Streaming Service
Like PKI but does not send credential only minimal disclosure (Public Verification Key
of issuer)
copy 2014 IBM Corporation33
Advantages of Identity Mixer
For Users privacyndash minimizing disclosure of personal data ndash keeping their identities safendash pseudonymousanonymous access
For Service Providers security accountability and compliancendash avoiding the risk of loosing personal data if it gets stolenndash compliance with legislation (access control rules personal data protection)ndash strong authentication (cryptographic proofs replace usernamespasswords) ndash user identification if required (under certain circumstances)
copy 2014 IBM Corporation
Demo
Try yourself at wwwibmbizidentitymixer on Privacy Day (January 28)
copy 2014 IBM Corporation35 August 11 2015
Further Concepts
copy 2014 IBM Corporation36 August 11 2015
TTP
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM Corporation37 August 11 2015
bull If Alice was speeding license needs to be revoked
bull There are many different use cases and many solutionsbull Variants of CRL work (using crypto to maintain anonymity)
bull Accumulatorsbull Signing entries amp Proof
bull Limited validity ndash certs need to be updated bull For proving age a revoked drivers license still works
Revocation authority parameters (public key)
Revocation info
Concept ndash Revocation
copy 2014 IBM Corporation38 August 11 2015
Concept ndash Usage Limitation
Degree of anonymity can be limited
If Alice and Eve are on-line at the same time they are caught
Use Limitation ndash anonymous untilndash If Alice used certs gt 100 times total ndash or gt 10000 times with Bob
Alices cert can be bound to hardware token (eg TPM)
copy 2014 IBM Corporation39 August 11 2015
A couple of use cases
copy 2014 IBM Corporation40
Age verification
Movie streaming services
Gaming industry
Online gambling platforms
Dating websites
Social benefits for youngold people
Proving 12+ 18+ 21+ without disclosing the exact date of birth ndash privacy and compliance with age-related legislation
copy 2014 IBM Corporation41
Healthcare
Anonymous access to patients recordsndash accessing medical test results
Anonymous consultations with specialistsndash online chat with a psychologist ndash online consultation with IBM Watson
Eligibility for the premium health insurancendash proving that the body mass index (BMI) is in the certain range without disclosing the
exact weight height or BMI
Anonymous treatment of patients (while enabling access control and payments)
copy 2014 IBM Corporation42
Subscriptions membership
Patent databases
DNA databases
NewsJournalsMagazines
Transportation tickets toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2014 IBM Corporation43
Polls recommendation platforms
Online polls ndash applying different restrictions on the poll participants location citizenship
Rating and feedback platformsndash anonymous feedback for a course only from the students who attended itndash wikisndash recommendation platforms
Providing anonymous but at the same time legitimate feedback
copy 2014 IBM Corporation44 August 11 2015
Towards Realizing Anonymous Creds
copy 2014 IBM Corporation
An Software Stack View on Identity Mixer
policylayer
cryptolayer
applicationlayer
resource request
presentation tokenpresentation policy
Wallet
policy credentialmatcher
credential mgr
store
evidence genorchestration
policy tokenmatcher
token mgr
store
evidence veriforchestration
Sig Enc Com ZKP
AC amp app logic
Sig Enc Com ZKP
store
copy 2014 IBM Corporation46 August 11 2015
Privacy-protecting authentication with Privacy ABCs
12 lt age
(Issuer parameter)
Credential
Presentation token Presentation policy
Pseudonym
(Verifier parameter)
Credential specification
copy 2014 IBM Corporation47 August 11 2015User Verifier
presentation policy
presentation token
The Policy Layer ndash An Example Presentation policy
ltabcPresentationPolicy PolicyUID=httpsmoviescompresentationpoliciesmovie1gt ltabcMessagegt ltabcApplicationDatagt Terms and Conditions ltabcApplicationDatagt ltabcMessagegt
ltabcCredential Alias=vouchergt ltabcCredentialSpecAlternativesgt ltabcCredentialSpecUIDgthttpsmoviescomspecificationsvoucherltabcCredentialSpecUIDgt ltabcCredentialSpecAlternativesgt ltabcIssuerAlternativesgt ltabcIssuerParametersUIDgthttpsmoviescomparametersvoucherltabcIssuerParametersUIDgt ltabcIssuerAlternativesgt ltabcCredentialgt
ltabcAttributePredicate Function=urnoasisnamestcxacml10functiondateTime-geqgt ltabcAttribute CredentialAlias=voucher AttributeType=Expires gt ltabcConstantValuegt2014-06-17T140600ZltabcConstantValuegt ltabcAttributePredicategt ltabcPresentationPolicygt
copy 2014 IBM Corporation48 August 11 2015
So lets look at the cryptography
copy 2014 IBM CorporationAugust 11 2015
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
Required Technologies
copy 2014 IBM Corporation50 August 11 2015
zero-knowledge proofs
copy 2014 IBM Corporation51 August 11 2015
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties
zero-knowledgeverifier learns nothing about the provers secret
proof of knowledge (soundness)prover can convince verifier only if she knows the secret
completenessif prover knows the secret she can always convince the verifier
Commitment
Challenge
Response
copy 2014 IBM Corporation52 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs
Proof of knowledge if a prover can successfully convince a verifier then the secret need to be extractable
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box rarr we can reset and rerun prover Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
Zero-knowledge property
If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2014 IBM Corporation55 August 11 2015
One way to modify protocol to get large domain c
t = gs yc
Prover
random r
t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2014 IBM Corporation57 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM Corporation58 August 11 2015
From Protocols To Signatures
Signing a message m- chose random r Є Zq and
- compute c = H(gr||m) = H(t||m) s = r - cx mod (q)
- output (cs)
Verifying a signature (cs) on a message m
- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα
PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
SPK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)
PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2014 IBM Corporation60 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
rarr α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
rarr a3 = a1 + 5 a2 (mod q)
copy 2014 IBM Corporation61 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
rarr a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
Realizing Issuance of a Credential
Issuer's public key: $(n, a_i, b, d)$.
- Step 1 (signing the hidden secret key): the user computes $C = a_1^{sk} b^{s'} \pmod n$ and sends $C$ and the clear attribute name to the issuer, together with the proof $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^\sigma\}$.
- Step 2: the issuer chooses $e$ and $s''$, computes $c = (d / (C \, a_2^{name} b^{s''}))^{1/e} \pmod n$ and returns $(c, e, s'')$.
- Step 3: the user sets $s = s'' + s'$ and holds the credential $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Realizing Issuance of a Credential w.r.t. a pseudonym
Want to sign w.r.t. $Nym = g^{sk} h^r$:
- the user sends $Nym$, name and $C = a_1^{sk} a_2^{r} b^{s'}$ and proves $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^{\rho} b^\sigma\}$
- the issuer stores $(Nym, name)$, chooses $e$ and $s''$, computes $c = (d / (C \, a_3^{name} b^{s''}))^{1/e} \pmod n$ and returns $(c, e, s'')$
- the resulting credential satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
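The issuance protocol above, written out as an added example in Python (not code from the slides or from Identity Mixer). It assumes toy parameters constructed for illustration: $n = 1019 \cdot 2039$, a product of two safe primes, so the squares mod $n$ form a group of order $509 \cdot 1019$ that only the issuer knows (this is the trapdoor for the $e$-th root). The accompanying proof $PK\{(\mu_1, \rho, \sigma): \ldots\}$ is assumed to have been checked by the issuer already and is not implemented.

```python
"""CL-style credential issuance on a hidden secret key sk and pseudonym randomness r.

Added example, not from the slides. Toy parameters (constructed): n = 1019 * 2039
with 1019 = 2*509 + 1 and 2039 = 2*1019 + 1 safe primes, hence |QR_n| = 509 * 1019.
"""
import math
import secrets

N = 1019 * 2039          # toy RSA modulus
ORDER_QR = 509 * 1019    # order of QR_n = p'q'; the issuer's trapdoor
L = 16                   # attributes are in {0,1}^L; e is a prime > 2^(L+1)


def _unit_square():
    """Random element of QR_n that is a unit mod n."""
    while True:
        r = secrets.randbelow(N - 3) + 2
        if math.gcd(r, N) == 1:
            return pow(r, 2, N)


def _is_prime(n):
    return n >= 2 and all(n % f for f in range(2, math.isqrt(n) + 1))


def _random_prime(lo, hi):
    """Random prime in [lo, hi) by trial division (fine for toy sizes)."""
    while True:
        cand = secrets.randbelow(hi - lo) + lo
        if _is_prime(cand):
            return cand


def issuer_keygen(k_clear=2):
    """Public key (n, a_1..a_{2+k_clear}, b, d): a1 carries sk, a2 the pseudonym
    randomness r, the remaining bases the clear attributes (e.g. name, validity)."""
    return {"n": N, "a": [_unit_square() for _ in range(2 + k_clear)],
            "b": _unit_square(), "d": _unit_square()}


def user_commit(pk, sk, r):
    """User: C = a1^sk a2^r b^{s'} mod n hides sk and r from the issuer."""
    s1 = secrets.randbelow(2 ** (L + 8))            # toy interval for s'
    a1, a2 = pk["a"][0], pk["a"][1]
    C = pow(a1, sk, N) * pow(a2, r, N) * pow(pk["b"], s1, N) % N
    return s1, C


def issue(pk, C, clear_attrs):
    """Issuer: c = (d / (C * prod a_i^{m_i} * b^{s''}))^{1/e} mod n.
    The e-th root uses the trapdoor ORDER_QR; C is in QR_n, so the root exists."""
    assert all(0 <= m < 2 ** L for m in clear_attrs)
    e = _random_prime(2 ** (L + 1), 2 ** (L + 2))   # prime e > 2^(L+1)
    s2 = secrets.randbelow(2 ** (L + 8))
    denom = C * pow(pk["b"], s2, N) % N
    for base, m in zip(pk["a"][2:], clear_attrs):
        denom = denom * pow(base, m, N) % N
    target = pk["d"] * pow(denom, -1, N) % N
    c = pow(target, pow(e, -1, ORDER_QR), N)
    return c, e, s2


def complete(partial, s1):
    """User: s = s'' + s' gives the credential (c, e, s)."""
    c, e, s2 = partial
    return c, e, s2 + s1


def verify(pk, cred, sk, r, clear_attrs):
    """Check d = c^e a1^sk a2^r prod a_i^{m_i} b^s mod n."""
    c, e, s = cred
    lhs = pow(c, e, N) * pow(pk["b"], s, N) % N
    for base, m in zip(pk["a"], [sk, r, *clear_attrs]):
        lhs = lhs * pow(base, m, N) % N
    return lhs == pk["d"]


if __name__ == "__main__":
    pk = issuer_keygen()
    s1, C = user_commit(pk, sk=12345, r=777)       # constructed sample values
    cred = complete(issue(pk, C, [0x41AD, 2015]), s1)  # toy encodings of name, validity year
    print("credential verifies:", verify(pk, cred, 12345, 777, [0x41AD, 2015]))
```

The issuer never sees `sk` or `r`; it only exponentiates the commitment `C` it received, yet the finished `(c, e, s)` verifies against `sk` and `r` exactly as the slide's equation states.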
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
- User generates a pseudonym (ID for registration).
- User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
- The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID.
2. User transforms her credential.
3. User presents the transformed credential with a subset of the attributes.
- User is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms the credential: $c' = c \, b^{s'} \bmod n$ with randomly chosen $s'$, and signs her opinion with
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
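The domain-pseudonym part of the polling solution as an added Python example (not code from the slides). It assumes a toy group constructed for illustration ($p = 2039$, $q = 1019$, the order-$q$ subgroup of squares), maps $pollID$ into the group by hashing and squaring, and signs the opinion with $SPK\{(\mu_1): P = g_d^{\mu_1}\}(opinion)$, i.e. the first clause of the slide's proof. The credential clause ($d = c'^\varepsilon \cdots$) is assumed to be checked separately and is not implemented.

```python
"""Domain pseudonyms and duplicate detection for the polling scenario.

Added example, not from the slides. Toy group (constructed): p = 2039 safe prime,
q = 1019; squares mod p form the subgroup of order q.
"""
import hashlib
import secrets

P, Q = 2039, 1019


def hash_to_group(domain: str) -> int:
    """Deterministic map H(domain) to a generator g_d of the order-q subgroup."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{ctr}".encode()).digest()
        h = int.from_bytes(digest, "big") % P
        if 2 <= h <= P - 2:          # exclude 0, 1, p-1 (squares 0 or 1)
            return pow(h, 2, P)      # a square != 1 generates the prime-order subgroup
        ctr += 1


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = H(pollID)^sk: fixed per (user, poll), unlinkable across polls under DDH."""
    return pow(hash_to_group(poll_id), sk, P)


def _hash_zq(*parts) -> int:
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def submit_opinion(sk: int, poll_id: str, opinion: str):
    """User: SPK{(mu): P = g_d^mu}(opinion), a Schnorr-type signature of knowledge
    of sk under the domain base g_d, binding the opinion to the pseudonym."""
    g_d = hash_to_group(poll_id)
    nym = pow(g_d, sk, P)
    r = secrets.randbelow(Q)
    c = _hash_zq(poll_id, nym, pow(g_d, r, P), opinion)
    s = (r - c * sk) % Q
    return nym, opinion, (c, s)


def verify_submission(poll_id: str, nym: int, opinion: str, proof) -> bool:
    g_d = hash_to_group(poll_id)
    c, s = proof
    t = pow(g_d, s, P) * pow(nym, c, P) % P
    return c == _hash_zq(poll_id, nym, t, opinion)


class Pollster:
    """Accepts one opinion per domain pseudonym; later submissions are dropped."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.opinions = {}          # domain pseudonym -> opinion

    def submit(self, nym: int, opinion: str, proof) -> bool:
        if not verify_submission(self.poll_id, nym, opinion, proof):
            return False            # proof of knowledge of sk for this P failed
        if nym in self.opinions:
            return False            # same user already voiced an opinion
        self.opinions[nym] = opinion
        return True


if __name__ == "__main__":
    poll = Pollster("course-eval-2015")            # constructed poll id
    nym, op, proof = submit_opinion(123, poll.poll_id, "great course")
    print("first submission accepted:", poll.submit(nym, op, proof))
    nym, op, proof = submit_opinion(123, poll.poll_id, "changed my mind")
    print("second submission accepted:", poll.submit(nym, op, proof))
```

Two polls with different identifiers give the same user two pseudonyms $H(pollID_1)^{sk}$ and $H(pollID_2)^{sk}$ that the pollsters cannot link without solving DDH, while within one poll the pseudonym is fixed, which is exactly what the duplicate check relies on.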
Further Concepts

Concept – Inspection
(Figure: a trusted third party (TTP)/inspector with inspector parameters and inspection grounds; the user's presentation token contains a verifiable encryption of an identifying attribute.)
- If the car is damaged, the ID (with insurance or government) needs to be retrievable.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
(Figure: key generation, encryption, decryption.)
Security: like envelopes, a ciphertext reveals no information about the message, even when the adversary picks two messages and has to tell which one of them was encrypted. This is called semantic security (secure if a key is used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of the label yields a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^r m, g^r)$.
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 \cdot c_2^{-x} = y^r m \, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
Setup: the user holds $Nym = g^{sk} h^r$ and a credential $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the issuer stored $(Nym, name)$; the inspector's public key is $y = g^x$.
- Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
- Compute the proof token (presentation token):
  - compute $c' = c \, b^t \bmod n$ with randomly chosen $t$
  - compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
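ElGamal as defined on the ElGamal slide, used for the inspection flow just described, as an added Python example (not code from the slides). It assumes a toy group constructed for illustration ($p = 2039$, $q = 1019$, $g = 4$) and a second generator $h$ derived by hashing; in a real deployment nobody may know $\log_g h$. Only the encryption of $Nym$ and the inspector's decryption and lookup are implemented; the zero-knowledge clauses $e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho$ of the presentation token are assumed to be verified elsewhere.

```python
"""ElGamal encryption and inspection of an encrypted pseudonym.

Added example, not from the slides. Toy group (constructed): p = 2039, q = 1019,
g = 4 generates the order-q subgroup; h is a hashed second generator.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4
# second generator: hash to [2, p-2], then square to land in the order-q subgroup
H = pow(int.from_bytes(hashlib.sha256(b"second generator").digest(), "big") % (P - 3) + 2, 2, P)


def keygen():
    """Inspector: secret x in {1..q-1}, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """c = (y^u * m, g^u) for a message m in <g>; fresh u every time, so two
    encryptions of the same m look unrelated (semantic security)."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * m % P, pow(G, u, P))


def decrypt(x, c):
    """m = c_1 * c_2^{-x} = y^u m g^{-xu}."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P


def pseudonym(sk, r):
    """Nym = g^sk h^r."""
    return pow(G, sk, P) * pow(H, r, P) % P


def make_inspectable_token(y, nym):
    """User: the presentation token carries enc = (y^u Nym, g^u) = (e_1, e_2)."""
    return {"enc": encrypt(y, nym)}


def inspect(x, token, registry):
    """Inspector: recover the Nym and look it up in the (Nym, name) registry the
    issuer stored at issuance; None if the Nym is unknown."""
    return registry.get(decrypt(x, token["enc"]))


if __name__ == "__main__":
    x, y = keygen()
    nym = pseudonym(sk=42, r=99)                       # constructed sample values
    registry = {nym: "Alice Doe"}                      # issuer's (Nym, name) store
    token = make_inspectable_token(y, nym)
    print("verifier sees only:", token["enc"])
    print("inspector recovers:", inspect(x, token, registry))
```

The verifier stores the token but cannot open `enc` without `x`; the inspector can, and the registry kept by the issuer turns the recovered `Nym` back into a name, which is the inspection ground the slide describes.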
Revocation of Credentials

Anonymous Credential Revocation
(Figure: the issuer publishes revocation information; the verifier looks it up.)
- There are various reasons to revoke a credential: the user lost the credential or her secret key, or the user misbehaved.
- Alice should be able to convince the verifier that her credential is among the good ones.
- Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
- Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
- Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
- Alice proves that her $u_i$ is on the list:
  - choose random $g$
  - compute $U_j = g^{u_j}$ for all $u_j$ in $(u_1, \ldots, u_k)$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}$
- Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
- Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
- Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
- Alice proves that her $u_i$ is not on the list:
  - choose random $h$ and compute $U = h^{u_i}$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U = h^\mu\}$
  - the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
- Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution (variation)
- The verifier could choose $h$ and keep it fixed for a while, and pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
- BUT: if the user comes again, the verifier can link her visits. ALSO: the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
- One way out: $h = H(verifier, date)$, so the user can check its correctness; the date could be the time up to seconds, and the verifier could just pre-compute and store all the lists.
Revocable Credentials: Second Solution – a better implementation of the proof
- The issuer signs the intervals between revoked values: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
- A credential contains a value $u$ (e.g. 3); the user shows that she knows $i < u < j$ and a signature $Sig(i, j)$.
- The verifier does not learn $i$, $j$.
- $Sig(i, j)$ can be realised with the credential signature scheme using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
(Figure: credentials contain a random serial number (1, 2, 3, 4, 5, 6); the issuer accumulates all good serial numbers into one accumulator value; proving that a serial number, e.g. 2, is included in the accumulator requires a witness. To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.)
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show an $x$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- For fixed $e$: equivalent to the RSA assumption
- For any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^s$ and $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$.
- Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
- No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
- The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$ ⇒ $\xi = \delta \mu$
  b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 / h^\delta)^\mu \pmod n$
  c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
- now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
- witness update:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a e_{own} + b e_{rev} = 1$
  - now $x' = x^b z'^a \bmod n$
  - why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$; actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- thus $z$ needs not be changed in case a new member joins
- witnesses need to be recomputed upon revocation only
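The accumulator arithmetic of the third solution (setup, witness, verification, joining with and without the trapdoor, revocation with the extended-Euclid witness update) as an added Python example (not code from the slides or from the Camenisch-Lysyanskaya paper). It assumes the toy modulus $n = 1019 \cdot 2039$ (product of two safe primes, so $|QR_n| = 509 \cdot 1019$ is the issuer's trapdoor) and small primes as serial numbers; the zero-knowledge proof that a committed $e$ is accumulated is not implemented.

```python
"""RSA accumulator for revocation: static, dynamic join, and revocation.

Added example, not from the slides. Toy parameters (constructed): n = 1019 * 2039,
|QR_n| = 509 * 1019 (trapdoor). Real serial numbers are large random primes.
"""
import math
import secrets

N = 1019 * 2039
ORDER_QR = 509 * 1019      # known to the issuer only


def setup():
    """Seed v: a random square mod n that is a unit and not 1."""
    while True:
        r = secrets.randbelow(N - 3) + 2
        v = pow(r, 2, N)
        if math.gcd(r, N) == 1 and v != 1:
            return v


def accumulate(v, primes):
    """z = v^{prod e_i} mod n."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(v, primes, e_j):
    """x = v^{prod_{i != j} e_i} mod n, so that x^{e_j} = z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    """Membership check: z == x^e mod n."""
    return pow(x, e, N) == z


# --- dynamic accumulator: a member joins ---
def add_member(z, e_new):
    """Without the trapdoor: z' = z^{e_new}; every existing witness must move too."""
    return pow(z, e_new, N)


def update_witness_add(x, e_new):
    return pow(x, e_new, N)


def join_with_trapdoor(z, e_new):
    """Improved variant: z stays, the issuer hands out x = z^{1/e_new} directly."""
    return pow(z, pow(e_new, -1, ORDER_QR), N)


# --- dynamic accumulator: a member is revoked ---
def revoke(z, e_rev):
    """Issuer: z' = z^{1/e_rev} mod n (needs the trapdoor)."""
    return pow(z, pow(e_rev, -1, ORDER_QR), N)


def _ext_gcd(a, b):
    """Return (u, v) with u*a + v*b == gcd(a, b)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        qt = old_r // r
        old_r, r = r, old_r - qt * r
        old_u, u = u, old_u - qt * u
        old_v, v = v, old_v - qt * v
    return old_u, old_v


def update_witness_revoke(x, e_own, z_new, e_rev):
    """Unrevoked member: with a*e_own + b*e_rev = 1, x' = x^b z'^a mod n
    satisfies x'^{e_own} = z'. A negative exponent means a modular inverse."""
    a, b = _ext_gcd(e_own, e_rev)
    return pow(x, b, N) * pow(z_new, a, N) % N


if __name__ == "__main__":
    serials = [101, 103, 107, 109, 113, 127]        # constructed serial numbers
    v = setup()
    z = accumulate(v, serials)
    x = witness(v, serials, 107)
    print("107 is a member:", verify(z, x, 107))
    z2 = revoke(z, 103)
    x2 = update_witness_revoke(x, 107, z2, 103)
    print("107 still a member after revoking 103:", verify(z2, x2, 107))
    print("old witness of 103 still works:", verify(z2, witness(v, serials, 103), 103))
```

Note what the unrevoked user needs for the update: only the public $z'$, the revoked prime $e_{rev}$ and her own $e_{own}$, never the trapdoor; the revoked user, by contrast, cannot produce any $x$ with $x^{e_{rev}} = z'$ without breaking Strong RSA.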
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- No additional effort for the verifier.
- If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution – re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$ and computes
$c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$,
returning $(c, e, s'')$.
Revocation: Zeroth Solution – re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period $time_i$:
- choose $e_i, s_i''$
- $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine
- abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch and Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255-276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131-140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185-215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology - CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
- We know secret services can do it easily, but they are not the only ones; this is not about homeland security, and there are limits to the degree of protection that one can achieve.
- Last but not least: data are the new money, so they need to be protected.
Privacy – a lost case?
No, but we need a paradigm shift & build stuff for the moon rather than the sandy beach.
Need to protect our data
- Devices, sensors, etc. cannot all be physically protected, which makes it even worse :-(
  - authentication of all devices
  - authentication of all data
- Data cannot be controlled
  - minimize information
  - encrypt information
  - attach usage policies to each bit
So what can we do?
Legal approach
- Regulate what information can be collected, how to collect it, and how to use and protect it
- Issue fines for misbehavior
- Very different for different countries and cultures
Technological approach
- Protect data by encryption
- Govern data by policies
- Minimize data that needs to be used
Of course there are limits
- Tracing is so easy: each piece of hardware is quite unique, and there are log files everywhere
- ... but that's not the point: it's not about the NSA et al.; active vs. passive "adversaries"
- Still: privacy by design
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, identity and trust management built in everywhere.
Network layer: anonymity
- in mobile phone networks
- in the Future Internet as currently discussed
- access points for ID cards
Identification layer
- Access control & authorization
Application layer
- "Standard" e-Commerce
- Specific apps, e.g. eVoting, OT, PIR
- Web 2.0, e.g. Facebook, Twitter, Wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
(Figure: attributes of a person grouped by context: name, nick name, birth date, marital status, blood group, health status, insurance, address, phone number, language skills, hobbies, leisure, shopping, work, public authority, health care, salary, credit card number.)
- ID: a set of attributes shared with someone; attributes are not static, the user and the party can add to them
- ID management: two things make an ID useful: authentication means, and means to transport attributes between parties
Let's see a scenario

Alice wants to watch a movie at Mplex
- Alice to the movie streaming service: "I wish to see Alice in Wonderland"
- Movie streaming service: "You need a subscription and must be older than 12"

Watching the movie with the traditional solution
- Alice: "OK, here's my eID and my subscription"
- Movie streaming service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, eID expires Aug 4, 2018; Mplex customer 1029347, premium subscription, expires Jan 13, 2016"
This is a privacy and security problem:
- identity theft
- profiling
- discrimination

Watching the movie with OpenID and similar solutions, e.g. log-in with Facebook
- The identity provider learns: "Aha, Alice is watching a 12+ movie"
- The movie streaming service learns: "Aha, you are Alice@facebook.com, born on Dec 12, 1975, Alice's friends are ..., Alice's public profile is ...; Mplex customer 1029347, premium subscription, expires Jan 13, 2016"

Identity Mixer solves this
When Alice authenticates to the movie streaming service with Identity Mixer, all the service learns is that Alice has a subscription and is older than 12, and no more.
Like PKI, but better
- One secret identity (secret key)
- Many public pseudonyms (public keys)
Privacy-protecting authentication with IBM Identity Mixer

Like PKI, but better: issuing a credential
(Figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, into a credential bound to her secret key.)

Privacy-protecting authentication with IBM Identity Mixer
- Alice: "I wish to see Alice in Wonderland"
- Movie streaming service: "You need a subscription and must be older than 12"
- Like PKI, but Alice does not send the credential, only a minimal disclosure: a presentation token showing "valid subscription" and "eID with age ≥ 12", which the service checks with the public verification key of the issuer
- Movie streaming service: "Aha, you are older than 12 and have a subscription"
Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts

Concept – Inspection
(Figure: a trusted third party (TTP) that can recover the identity behind a presentation token.)
- If the car is damaged, the ID (with insurance or government) needs to be retrievable.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.

Concept – Revocation
(Figure: revocation authority parameters (public key) and revocation information.)
- If Alice was speeding, her license needs to be revoked.
- There are many different use cases and many solutions:
  - Variants of CRLs work (using crypto to maintain anonymity)
  - Accumulators
  - Signing entries & proof
  - Limited validity: certs need to be updated
- For proving age, a revoked driver's license still works.

Concept – Usage Limitation
- The degree of anonymity can be limited.
- If Alice and Eve are on-line at the same time, they are caught.
- Use limitation: anonymous until Alice has used her certs > 100 times in total, or > 10,000 times with Bob.
- Alice's cert can be bound to a hardware token (e.g. TPM).
A couple of use cases

Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation.

Healthcare
- Anonymous access to patients' records: accessing medical test results
- Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- Patent databases
- DNA databases
- News/journals/magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(Figure: three layers on both the user and the verifier side.)
- Application layer: resource request; on the verifier side, access control & application logic.
- Policy layer: the verifier sends a presentation policy, the user returns a presentation token. User side (wallet): policy/credential matcher, credential manager with store, evidence generation orchestration. Verifier side: policy/token matcher, token manager with store, evidence verification orchestration.
- Crypto layer: signatures (Sig), encryption (Enc), commitments (Com), zero-knowledge proofs (ZKP), with a store.
Privacy-protecting authentication with Privacy-ABCs
(Figure: the issuer publishes issuer parameters and a credential specification and issues a credential to the user; the verifier publishes verifier parameters and a presentation policy, e.g. "12 < age"; the user answers with a presentation token, possibly under a pseudonym.)
The Policy Layer – An Example Presentation Policy
(Figure: the verifier sends the presentation policy; the user answers with a presentation token.)

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response).
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier

Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
- Prover: choose random $r$, compute $t = g^r$, send $t$
- Verifier: choose random $c$, send $c$
- Prover: compute $s = r - cx$, send $s$
- Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Proof of Knowledge
If a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Rerun the prover with the same $t$ but a different challenge, obtaining two accepting transcripts $(t, c, s)$ and $(t, c', s')$ with $c \neq c'$:
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
- Choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$; send $t$.
- If the verifier's challenge $c = c'$, send $s'$; otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms: one way to modify the protocol to get a large domain for $c$
The verifier commits to its challenge before seeing $t$:
- Verifier: choose random $c_v$, compute $h = H(c_v)$, send $h$
- Prover: choose random $r$, compute $t = g^r$, send $t$
- Verifier: send $c_v$
- Prover: check $h = H(c_v)$, compute $s = r - c_v x$, send $s$
- Verifier: check $t = g^s y^{c_v}$
Notation: $PK\{(\alpha): y = g^\alpha\}$

Zero-Knowledge Proofs: Security (modified protocol)
Simulation of the modified protocol:
- choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- after having received $c_v$, "reboot" the verifier to the point after it sent $h$ (it is committed to the same $c_v$)
- choose random $s$, compute $t = g^s y^{c_v}$ and send $t$; receive $c_v$ again and send $s$
From Protocols to Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$
- compute $c = H(g^r \| m) = H(t \| m)$ and $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
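The Schnorr protocol of the previous slides, its knowledge extractor, its simulator and the Fiat-Shamir signature just described, as one added Python example (not code from the slides). It assumes a toy group constructed for illustration ($p = 2039$, $q = 1019$, $g = 4$ of order $q$); real deployments use groups of at least 256 bits, and the hash would then be reduced modulo that larger $q$.

```python
"""Schnorr PK{(alpha): y = g^alpha}: protocol, extractor, simulator, and the
Fiat-Shamir signature SPK{(alpha): y = g^alpha}(m).

Added example, not from the slides. Toy group (constructed): p = 2039 safe prime,
q = 1019, g = 4 generates the subgroup of order q.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                 # secret x, public y = g^x


# --- interactive protocol: t = g^r, challenge c, response s = r - c*x ---
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    """Honest execution; returns the verifier's decision."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)               # verifier's random challenge
    return verifier_check(y, t, c, prover_respond(x, r, c))


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    challenges c1 != c2 give x = (s2 - s1) / (c1 - c2) mod q."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def simulate(y, c):
    """Zero-knowledge simulator: choose s first, then t = g^s y^c. The
    transcript (t, c, s) verifies although no x was used."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# --- Fiat-Shamir: the challenge becomes H(t || m) ---
def _hash_to_zq(t, msg):
    digest = hashlib.sha256(t.to_bytes(4, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, msg):
    """c = H(g^r || m), s = r - c*x mod q; output (c, s)."""
    r = secrets.randbelow(Q)
    c = _hash_to_zq(pow(G, r, P), msg)
    return c, (r - c * x) % Q


def verify(y, msg, sig):
    """Recompute t = g^s y^c and check c == H(t || m)."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == _hash_to_zq(t, msg)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", run_protocol(x, y))
    r, t = prover_commit()
    s1, s2 = prover_respond(x, r, 3), prover_respond(x, r, 11)   # rewound prover
    print("extracted secret equals x:", extract(3, s1, 11, s2) == x)
    print("simulated transcript verifies:", verifier_check(y, *simulate(y, 500)))
    print("signature verifies:", verify(y, b"hello", sign(x, b"hello")))
```

The extractor is exactly why a prover must never reuse `r` with two different challenges (or, for the signature, two different messages): the two responses leak `x` as shown. The simulator is why a single transcript proves nothing to a third party, which is what the interactive variant gives up and the Fiat-Shamir signature deliberately reintroduces by tying the challenge to `m`.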
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
- $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
- $PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- $SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
- $PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
- $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
- $PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min(ord(g), ord(\mathbf{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does
$PK\{(\alpha_1,\beta_1,\alpha_2,\beta_2,\alpha_3,\beta_3,\beta_3'):\ C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge C_3 = g^{\alpha_3}h^{\beta_3} \wedge C_3 = C_2^{\alpha_1}h^{\beta_3'}\}$
mean?
→ Prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3'$ such that
$C_1 = g^{\alpha_1}h^{\beta_1}$, $C_2 = g^{\alpha_2}h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1}h^{\beta_3'} = (g^{\alpha_2}h^{\beta_2})^{\alpha_1}h^{\beta_3'} = g^{\alpha_2\cdot\alpha_1}h^{\beta_3' + \beta_2\cdot\alpha_1}$
$C_3 = g^{\alpha_2\cdot\alpha_1}h^{\beta_3' + \beta_2\cdot\alpha_1} = g^{\alpha_3}h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about
$PK\{(\alpha_1,\beta_1,\alpha_2,\beta_2,\beta_2'):\ C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge C_2 = C_1^{\alpha_1}h^{\beta_2'}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2$ be group elements.
Now what does
$PK\{(\alpha_1,\beta_1,\alpha_2,\beta_2,\beta_2'):\ C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1}h^{\beta_2'}\}$
mean?
→ Prover knows values $\alpha_1, \beta_1, \beta_2'$ such that
$C_1 = g^{\alpha_1}h^{\beta_1}$ and
$g = (C_2/C_1)^{\alpha_1}h^{\beta_2'} = (C_2\, g^{-\alpha_1}h^{-\beta_1})^{\alpha_1}h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1}h^{-\beta_1}h^{\beta_2'/\alpha_1}$
→ $C_2 = g^{\alpha_1}h^{\beta_1}h^{-\beta_2'/\alpha_1}g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1}h^{\beta_1 - \beta_2'/\alpha_1}$
With $C_2 = g^{\alpha_2}h^{\beta_2}$ this gives
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice with the three building blocks: signature scheme, commitment scheme, zero-knowledge proofs.)
Signature Schemes
Signature Scheme Functionality
- Key generation: the signer generates a signing key and a public verification key.
- Signing: $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \text{signing key})$
- Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$
Signature Scheme Security
Unforgeability under adaptive chosen message attack:
- the adversary adaptively asks for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice
- it wins if it outputs $\sigma$ and $m \neq m_i$ s.t. $\mathrm{ver}(\sigma, m, \text{verification key}) = \mathrm{true}$
RSA Signature Scheme (for reference)
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$,
and a collision-free hash function $H: \{0,1\}^* \rightarrow \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$,
$s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$:
$s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme (for reference)
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g.
$PK\{(\mu, \sigma):\ \sigma^e = H(\mu) \pmod n\}$
But this is not a valid proof expression :-( (the secret $\mu$ enters only through the hash $H$, not through an exponentiation)
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: the factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
- choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
- the signature is $(c, e, s)$
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe:
- Let $c' = c\, b^t \bmod n$ with randomly chosen $t$.
- Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
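The CL scheme of the two preceding slides, the re-randomisation $c' = c\,b^t$, $s' = s - et$, and the possession proof, as an added Python example (not Identity Mixer code). To stay self-contained it assumes a toy 92-bit modulus built from two Mersenne primes (their factorisation plays the issuer's secret key), $\ell = 8$-bit messages and $k = 2$ slots; the possession proof is the $\Sigma$-protocol for $d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma}$ over the integers, made non-interactive with SHA-256, and deliberately leaves out the range conditions on $\mu_1$ and $\varepsilon$ that the slide requires. All names are the example's own.

```python
import hashlib
import math
import secrets

# Toy issuer key (assumed for this example): n from two Mersenne primes whose factors are
# the secret key; real CL keys use a ~2048-bit modulus and messages of ~256 bits.
P1, P2 = (1 << 31) - 1, (1 << 61) - 1
N = P1 * P2
PHI = (P1 - 1) * (P2 - 1)
ELL = 8                                   # message length l in bits (toy value)
K = 2                                     # message slots a_1, a_2


def rand_qr() -> int:
    """Random element of QR_n (square of a unit mod n)."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return x * x % N


A = [rand_qr() for _ in range(K)]         # a_1, ..., a_k
B = rand_qr()                             # b
D = rand_qr()                             # d


def is_prime(e: int) -> bool:             # trial division suffices for 10-bit e
    return e > 1 and all(e % k for k in range(2, int(e ** 0.5) + 1))


def sign(msgs):
    """CL signature (c, e, s) on m_1..m_k in {0,1}^l with d = c^e prod a_i^{m_i} b^s mod n."""
    assert len(msgs) == K and all(0 <= m < (1 << ELL) for m in msgs)
    while True:                           # random prime 2^(l+2) > e > 2^(l+1)
        e = (1 << (ELL + 1)) + secrets.randbelow(1 << (ELL + 1))
        if is_prime(e) and math.gcd(e, PHI) == 1:
            break
    s = secrets.randbits(N.bit_length())  # s of roughly the size of n
    prod = pow(B, s, N)
    for a, m in zip(A, msgs):
        prod = prod * pow(a, m, N) % N
    # c = (d / (prod a_i^{m_i} b^s))^{1/e}: the e-th root needs phi(n), i.e. the secret key
    c = pow(D * pow(prod, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s


def verify(msgs, sig) -> bool:
    c, e, s = sig
    if len(msgs) != K or not all(0 <= m < (1 << ELL) for m in msgs):
        return False
    if not (1 << (ELL + 1)) < e < (1 << (ELL + 2)):
        return False
    rhs = pow(c, e, N) * pow(B, s, N) % N
    for a, m in zip(A, msgs):
        rhs = rhs * pow(a, m, N) % N
    return rhs == D


def randomize(sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages: the
    value c shown to a verifier is fresh each time, so presentations are unlinkable."""
    c, e, s = sig
    t = secrets.randbits(64)
    return c * pow(B, t, N) % N, e, s - e * t


def _chal(*vals: int) -> int:
    h = hashlib.sha256()
    for v in vals:
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")          # 256-bit challenge


def prove_possession(msgs, sig):
    """Reveal m_2, hide m_1, e and s:  PK{(eps, mu1, sigma): d / a_2^{m_2} = c'^eps a_1^mu1 b^sigma},
    a Sigma-protocol over the integers made non-interactive with SHA-256. The range
    conditions mu1 in {0,1}^l and eps > 2^(l+1) required by the slide are NOT proven here."""
    cp, e, sp = randomize(sig)
    m1, m2 = msgs
    # randomisers ~80 bits wider than (secret * challenge) give statistical hiding
    r_e = secrets.randbits(ELL + 2 + 256 + 80)
    r_m = secrets.randbits(ELL + 256 + 80)
    r_s = secrets.randbits(N.bit_length() + 64 + 256 + 80)
    t = pow(cp, r_e, N) * pow(A[0], r_m, N) % N * pow(B, r_s, N) % N
    ch = _chal(cp, m2, t)
    return cp, m2, (ch, r_e - ch * e, r_m - ch * m1, r_s - ch * sp)


def verify_possession(cp: int, m2: int, proof) -> bool:
    ch, s_e, s_m, s_s = proof
    z = D * pow(pow(A[1], m2, N), -1, N) % N          # d / a_2^{m_2}
    t = pow(z, ch, N) * pow(cp, s_e, N) % N * pow(A[0], s_m, N) % N * pow(B, s_s, N) % N
    return ch == _chal(cp, m2, t)
```

Without the omitted range conditions a cheating prover could use responses outside $\{0,1\}^\ell$, which is exactly why the slide's $PK$ carries them; the arithmetic above shows the equation part only.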
Commitment Schemes
Commitment Scheme Functionality
(Figure: the committer locks a message $m$, e.g. 2-36-17, into a box and hands it over; later she opens it and the receiver learns $m$.)
Commitment Scheme Security
- Binding: a commitment cannot be opened to a different message $m' \neq m$ (e.g. 3-21-11 instead of 2-36-17).
- Hiding: for all messages $m, m'$, the commitments to $m$ and to $m'$ look the same to the receiver until they are opened.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
- reveal $x$ and $r$ to the verifier
- the verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding:
- Let $c$ be a commitment and $u = \log_g h$.
- Thus $c = g^x h^r = g^{x + ur}$, and for any $x'$ we have $x + ur = x' + u r'$ with $r' = r + (x - x')/u$, so $c = g^{x'}h^{r'}$.
- I.e. given $c$ and any $x'$ there exists $r'$ such that $c = g^{x'}h^{r'}$.
Computationally binding:
- Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^x h^r = g^{x'}h^{r'}$.
- Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. opening a commitment in two ways reveals the discrete logarithm of $h$.
Commitment Scheme Extended Features
(Figure: proof of knowledge of contents, "Proof: I know $m$" → true; proof of relations among contents, "Proof: $m' = 2 \cdot m$" → true.)
Let $C = g^m h^r$ and $C' = g^{m'}h^{r'}$, then
- Proof of knowledge of contents: $PK\{(\alpha, \beta):\ C = g^\beta h^\alpha\}$
- Proof of relations among contents ($m' = 2m$): $PK\{(\alpha, \beta, \gamma):\ C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$
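Pedersen's scheme with its hiding and binding arguments, plus the relation proof $PK\{(\alpha,\beta,\gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$ just listed, as an added Python example (not from the slides). It assumes the 1024-bit MODP group of RFC 2409; to exercise the hiding argument it generates $h = g^u$ with a known trapdoor $u$, which a deployed scheme must never do ($h$ is normally derived by hashing into the group). Function names are the example's own.

```python
import hashlib
import secrets

# Group (assumed for this example): RFC 2409 1024-bit MODP group, p = 2q + 1, g = 2 of order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
# TRAPDOOR: u = log_g h is known here only to demonstrate the hiding argument.
# A deployed scheme derives h so that nobody knows u (e.g. by hashing into the group).
U = secrets.randbelow(Q - 1) + 1
H = pow(G, U, P)


def commit(x: int):
    """Pedersen: c = g^x h^r with fresh r; returns (c, r)."""
    r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_ok(c: int, x: int, r: int) -> bool:
    return c == pow(G, x, P) * pow(H, r, P) % P


def equivocate(x: int, r: int, x_new: int) -> int:
    """Perfect hiding: with u = log_g h, c = g^x h^r = g^{x'} h^{r'} for r' = r + (x - x')/u."""
    return (r + (x - x_new) * pow(U, -1, Q)) % Q


def binding_break(x: int, r: int, x2: int, r2: int) -> int:
    """Two openings (x, r), (x', r') of one c give log_g h = (x - x')/(r' - r):
    breaking binding is exactly computing the discrete logarithm of h."""
    return (x - x2) * pow(r2 - r, -1, Q) % Q


def _chal(*vals: int) -> int:
    """Fiat-Shamir challenge in Z_q over length-prefixed big-endian encodings."""
    h = hashlib.sha256()
    for v in vals:
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q


def prove_double(m: int, r: int, rp: int):
    """PK{(alpha, beta, gamma): C = g^beta h^alpha  and  C' = (g^2)^beta h^gamma}
    for C = g^m h^r and C' = g^{2m} h^{rp}. One response s_beta serves both clauses:
    that shared exponent is what proves m' = 2m without revealing m."""
    C = pow(G, m, P) * pow(H, r, P) % P
    Cp = pow(G, 2 * m, P) * pow(H, rp, P) % P
    g2 = pow(G, 2, P)
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, rb, P) * pow(H, ra, P) % P            # commitment for clause 1
    t2 = pow(g2, rb, P) * pow(H, rg, P) % P           # commitment for clause 2
    c = _chal(C, Cp, t1, t2)
    proof = (c, (rb - c * m) % Q, (ra - c * r) % Q, (rg - c * rp) % Q)
    return C, Cp, proof


def verify_double(C: int, Cp: int, proof) -> bool:
    c, sb, sa, sg = proof
    g2 = pow(G, 2, P)
    t1 = pow(G, sb, P) * pow(H, sa, P) % P * pow(C, c, P) % P
    t2 = pow(g2, sb, P) * pow(H, sg, P) % P * pow(Cp, c, P) % P
    return c == _chal(C, Cp, t1, t2)
```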
Putting Things Together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
- choose random $r \in \mathbb{Z}_q$
- compute $Nym = g^{sk}h^r$
Privacy-protecting authentication with Privacy ABCs: Like PKI but better
Concept: credentials
(Figure: issuing a credential, e.g. with Name = Alice Doe, Birth date = April 3, 1997.)
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(Figure: the signer receives commitments to $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and returns $\sigma$.)
$\sigma = \mathrm{sig}((\text{commitments to } m_1, \ldots, m_j), (m_{j+1}, \ldots, m_k), \text{signing key})$, $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$
Verification remains unchanged. Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$.
- User: compute $C = a_1^{sk} b^{s'}$ and send $C$ together with the clear attribute $name$; prove $PK\{(\mu_1, \sigma'):\ C = a_1^{\mu_1} b^{\sigma'}\}$
- Issuer: choose $e$, $s''$ and compute $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$; return $(c, e, s'')$
- User: the credential is $(c, e, s'' + s')$, since $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$. Want to sign w.r.t. $Nym = g^{sk}h^r$.
- User: compute $C = a_1^{sk} a_2^{r} b^{s'}$ and send $C$, $Nym$ and $name$; prove $PK\{(\mu_1, \rho, \sigma'):\ Nym = g^{\mu_1}h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
- Issuer: compute $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$, store $Nym$ and $name$, return $(c, e, s'')$
- User: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
An Example Scenario
Polling: Scenario and Requirements
Scenario:
- Pollster(s) and a number of users
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling: Solution, Registration
- User generates a pseudonym (ID for registration)
- User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$
- The credential can contain attributes (e.g. course ID) about her
Polling: Solution, Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms her credential
3. User presents the transformed credential with a subset of the attributes
- User is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling: Solution, Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential:
   - $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   - $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(\text{opinion})$
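Domain pseudonyms and the pollster's duplicate detection from the polling slides, as an added Python example (not Identity Mixer code). It assumes the 1024-bit MODP group of RFC 2409, maps $H(pollID)$ into the order-$q$ subgroup by squaring a SHA-256 output, and implements only the $P = g_d^{\mu_1}$ clause of the $SPK$ above as a signature on the opinion; the credential clause $d = c'^{\varepsilon} \cdots$ is not implemented here, so the pollster in this example checks uniqueness and the proof, not eligibility. Names are the example's own.

```python
import hashlib
import secrets

# Group (assumed for this example): RFC 2409 1024-bit MODP group, p = 2q + 1, g = 2 of order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2


def _hash_int(*parts) -> int:
    """SHA-256 over length-prefixed parts (ints big-endian, bytes as is) as an integer."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


def user_keygen() -> int:
    return secrets.randbelow(Q - 1) + 1       # sk, the one secret behind all pseudonyms


def domain_base(poll_id: str) -> int:
    """g_d = H(pollID): hash into Z_p and square, which lands in the order-q subgroup."""
    return pow(_hash_int(b"domain", poll_id.encode()) % P, 2, P)


def domain_pseudonym(sk: int, poll_id: str) -> int:
    return pow(domain_base(poll_id), sk, P)   # P_d = g_d^sk: same sk, same poll => same P_d


def sign_opinion(sk: int, poll_id: str, opinion: bytes):
    """SPK{(mu): P_d = g_d^mu}(opinion): Schnorr over base g_d, which binds the opinion to
    the domain pseudonym (the credential clause of the full SPK is omitted here)."""
    gd = domain_base(poll_id)
    pd = pow(gd, sk, P)
    r = secrets.randbelow(Q)
    t = pow(gd, r, P)
    c = _hash_int(poll_id.encode(), pd, t, opinion) % Q
    return pd, (c, (r - c * sk) % Q)


class Pollster:
    """One poll: verifies each submission and drops repeats of the same domain pseudonym."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.seen = {}                        # P_d -> accepted opinion

    def submit(self, pd: int, opinion: bytes, proof) -> str:
        c, s = proof
        if not (1 < pd < P and pow(pd, Q, P) == 1):    # P_d must lie in <g_d>
            return "invalid"
        gd = domain_base(self.poll_id)
        t = pow(gd, s, P) * pow(pd, c, P) % P          # t = g_d^s * P_d^c
        if c != _hash_int(self.poll_id.encode(), pd, t, opinion) % Q:
            return "invalid"
        if pd in self.seen:                            # second opinion from the same user
            return "duplicate"
        self.seen[pd] = opinion
        return "accepted"
```

Different polls hash to different bases $g_d$, so the same $sk$ yields pseudonyms that only a DDH solver could link; within one poll the pseudonym is deterministic, which is what makes the "only once" rule enforceable without identifying anyone.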
Further Concepts
Concept: Inspection
(Figure: a trusted third party (TTP, the inspector) with inspector parameters; the presentation states the inspection grounds.)
- If the car is damaged, the ID needs to be retrievable for the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
- Key generation
- Encryption
- Decryption
Security: like envelopes
- the ciphertext reveals no information about the message
- this is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
- The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
- Security definition: a change of the label yields a new ciphertext
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in [1, q]$. Public key: $y = g^x$
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in [1, q]$
- compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
Recall $Nym = g^{sk}h^r$ and the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in [1, q]$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
- compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
- compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
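The ElGamal encryption of $Nym$ for the inspector together with the two encryption clauses of the proof above, bound to a label as the "Verifiable Encryption with Label" slide requires, as an added Python example (not Identity Mixer code). It assumes the 1024-bit MODP group of RFC 2409, a second base $h$ derived by hashing, the inspection grounds as the label, and leaves out the credential clause $d = c'^{\varepsilon}\cdots$; plain ElGamal is used because the slides allow it, Cramer-Shoup would be the CCA-secure choice. Names are the example's own.

```python
import hashlib
import secrets

# Group (assumed for this example): RFC 2409 1024-bit MODP group, p = 2q + 1, g = 2 of order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2


def _hash_int(*parts) -> int:
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


# Second base h for Nym = g^sk h^r (assumed: derived by hashing, so log_g h is unknown).
H = pow(_hash_int(b"pseudonym-base-h") % P, 2, P)


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                    # (x, y = g^x)


def make_nym(sk: int, r: int) -> int:
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y: int, m: int):
    """ElGamal: (y^u m, g^u); returns the ciphertext and u (the prover needs u)."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * m % P, pow(G, u, P)), u


def decrypt(x: int, ct) -> int:
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P            # m = e1 * e2^{-x}


def verifiable_encrypt_nym(y: int, sk: int, r: int, label: bytes):
    """Encrypt Nym = g^sk h^r for the inspector and prove, bound to the label,
    PK{(rho, mu1, mu2): e2 = g^rho  and  e1 = y^rho g^mu1 h^mu2}(label).
    The credential clause d = c'^eps a1^mu1 ... of the slide is omitted here."""
    (e1, e2), u = encrypt(y, make_nym(sk, r))
    rr, r1, r2 = (secrets.randbelow(Q) for _ in range(3))
    t2 = pow(G, rr, P)
    t1 = pow(y, rr, P) * pow(G, r1, P) % P * pow(H, r2, P) % P
    c = _hash_int(label, y, e1, e2, t1, t2) % Q
    proof = (c, (rr - c * u) % Q, (r1 - c * sk) % Q, (r2 - c * r) % Q)
    return (e1, e2), proof


def verify_encryption(y: int, ct, proof, label: bytes) -> bool:
    """Verifier side: anyone can check that the ciphertext holds a well-formed pseudonym
    whose secrets the user knows, under this label, without learning Nym."""
    e1, e2 = ct
    c, sr, s1, s2 = proof
    t2 = pow(G, sr, P) * pow(e2, c, P) % P
    t1 = pow(y, sr, P) * pow(G, s1, P) % P * pow(H, s2, P) % P * pow(e1, c, P) % P
    return c == _hash_int(label, y, e1, e2, t1, t2) % Q
```

Changing the label invalidates the proof although the ciphertext is unchanged, which is the property the label slide asks for: the inspector can tie a decryption to the grounds the user agreed to at presentation time.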
Revocation of Credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation info; the verifier looks it up.)
- Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user
- Alice should be able to convince the verifier that her credential is among the good ones
- Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
- Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
- Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
- Alice proves that her $u_i$ is on the list:
  - choose random $g$
  - compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
- Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
- Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
- Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
- Alice proves that her $u_i$ is not on the list:
  - choose random $h$ and compute $U = h^{u_i}$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
  - the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list
- Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
- What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
- can pre-compute the list $U_i = h^{u_i}$ → single table lookup
- BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
- one way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness
- the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution, a better implementation of the proof
(Figure: revocation list $\{1, 4, 5\}$; the issuer publishes $\mathrm{Sig}(0,1), \mathrm{Sig}(1,4), \mathrm{Sig}(4,5), \mathrm{Sig}(5,N)$; a user with serial number 3 proves that she holds $\mathrm{Sig}(i,j)$ with $i < 3 < j$.)
- The issuer signs the intervals between revoked serial numbers
- The user proves that her credential contains a serial number $u$ and that she knows $\mathrm{Sig}(i,j)$ with $i < u < j$
- The verifier does not learn $i$, $j$
- $\mathrm{Sig}(i,j)$ can be realised with the credential signature scheme as well, using a different public key
Revocable Credentials: Third Solution, using cryptographic accumulators
(Figure: credentials with serial numbers 1 to 6; the issuer accumulates the good ones; Alice proves that her serial number 2 is included.)
- Credentials contain a random serial number
- The issuer accumulates all good serial numbers
- The proof that a serial number is included requires a witness
- To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: show $x$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator
- for fixed $e$: equivalent to the RSA assumption
- for any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to $x$:
  - choose random $s$ and $g$ and
  - compute $U_1 = x\, h^s$, $U_2 = g^s$ and reveal $U_1, U_2, g$
- Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu}(1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu}(1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
- No information about $x$ and $e$ is revealed:
  - $(U_1, U_2)$ is a secure commitment to $x$
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu}(1/g)^{\xi} = (g^{\delta})^{\mu}(1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta\mu$
  b) $z = U_1^{\mu}(1/h)^{\xi} = U_1^{\mu}(1/h)^{\delta\mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
  c) $d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the $e$ in the certificate
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
- now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
- witness:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  - now $x' = x^b z'^a \bmod n$
  - why: $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
    $= ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n$
    $= z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
- recall $z = v^{\prod e_i} \bmod n$
- actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- thus $z$ needs not be changed in case a new member joins
- witnesses need to be recomputed upon revocation only
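The RSA accumulator of the accumulator slides with the dynamic add, revoke and witness-update steps of the last three, as an added Python example (not from the slides). It assumes a toy modulus built from two Mersenne primes, whose factorisation stands in for the issuer's trapdoor $\varphi(n)$, and fixed small primes as serial numbers $e_i$; the proof that a committed $e$ is in the accumulator is not implemented here. Names are the example's own.

```python
import math
import secrets

# Toy modulus (assumed for this example) built from two Mersenne primes; in deployment
# n is a ~2048-bit RSA modulus and only the issuer knows phi(n).
P1, P2 = (1 << 31) - 1, (1 << 61) - 1
N = P1 * P2
PHI = (P1 - 1) * (P2 - 1)


def rand_qr() -> int:
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return x * x % N


V = rand_qr()                                  # accumulator seed v


def accumulate(es) -> int:
    """z = v^{prod e_i} mod n over the prime serial numbers e_i of all good credentials."""
    return pow(V, math.prod(es), N)


def witness(es, e) -> int:
    """x = v^{prod of all other e_i}, so that x^e = z."""
    return pow(V, math.prod(o for o in es if o != e), N)


def verify(z: int, x: int, e: int) -> bool:
    return pow(x, e, N) == z


def add_value(z: int, witnesses: dict, e_new: int):
    """Without the trapdoor: z' = z^{e_new}, and every existing witness becomes x^{e_new}.
    The newcomer's own witness for e_new is the old z, since z^{e_new} = z'."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def remove_value(z: int, e_rev: int) -> int:
    """Issuer (knows phi(n)): z' = z^{1/e_rev} mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness(x: int, z_new: int, e_own: int, e_rev: int) -> int:
    """Holder of e_own after e_rev was revoked: find a, b with a*e_own + b*e_rev = 1
    (extended Euclid, here via a = e_own^{-1} mod e_rev) and set x' = x^b * z'^a."""
    a = pow(e_own, -1, e_rev)
    b = (1 - a * e_own) // e_rev               # exact division; b <= 0, pow inverts x
    return pow(x, b, N) * pow(z_new, a, N) % N


def join_with_trapdoor(z: int, e_new: int) -> int:
    """Improved variant: the issuer implicitly replaces v by v^{1/e_new}, so z stays
    unchanged, old witnesses stay valid and the newcomer's witness is x = z^{1/e_new}."""
    return pow(z, pow(e_new, -1, PHI), N)
```

Note which side needs what: `remove_value` and `join_with_trapdoor` use $\varphi(n)$ and run at the issuer; `update_witness` uses only public values and runs at every remaining credential holder, which is why a revocation costs every user one update while a join in the improved variant costs them nothing.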
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- the issuer chooses $e$, $s''$ and computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$, returning $(c, e, s'')$
Idea: just repeat the last step for each new time period $time_i$
- choose $e_i$, $s_i''$ and compute $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
- the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap:
- explain possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society:
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
You have no privacy, get over it (continued)
- We know secret services can do it easily, but they are not the only ones
  - but this is not about homeland security
  - and there are limits to the degree of protection that one can achieve
- Last but not least: data are the new money, so they need to be protected
Privacy: a lost case?
No, but we need a paradigm shift and must build stuff for the moon rather than the sandy beach.
Need to protect our data
- devices, sensors, etc. cannot all be physically protected
  - authentication of all devices
  - authentication of all data
  makes it even worse :-(
- data cannot be controlled
  - minimize information
  - encrypt information
  - attach usage policies to each bit
So what can we do?
Legal approach:
- regulate what information can be collected
- how to collect it
- how to use and protect it
- issue fines for misbehavior
- very different for different countries and cultures
Technological approach:
- protect data by encryption
- govern data by policies
- minimize data that needs to be used
Of course there are limits
- tracing is so easy
  - each piece of hardware is quite unique
  - log files everywhere
- ... but that's not the point
  - it's not about the NSA et al.
  - active vs. passive "adversaries"
- still: privacy by design
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, identity and trust management built in everywhere
Network layer: anonymity
- in mobile phone networks
- in the Future Internet as currently discussed
- access points for ID cards
Identification layer:
- access control & authorization
Application layer:
- "standard" e-commerce
- specific apps, e.g. eVoting, OT, PIR
- Web 2.0, e.g. Facebook, Twitter, wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
(Figure: attributes of a person, e.g. name, salary, credit card number, hobbies, phone number, address, language skills, nick name, blood group, marital status, birth date, health status, insurance, grouped by context: leisure, shopping, work, public authority, health care.)
- ID = set of attributes shared with someone
  - attributes are not static: user & party can add
- ID management: two things to make an ID useful
  - authentication means
  - means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex
- Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
- Movie Streaming Service → Alice: "You need a subscription and to be older than 12"
Watching the movie with the traditional solution
- Alice → Movie Streaming Service: "OK, here's my eID and my subscription"
- Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH-8003 Zurich, married, expires Aug 4, 2018; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
- This is a privacy and security problem:
  - identity theft
  - profiling
  - discrimination
With OpenID and similar solutions, e.g. log-in with Facebook
- Movie Streaming Service: "Aha, you are Alice@facebook.com, born on Dec 12, 1975, Alice's friends are ..., Alice's public profile is ...; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
- The identity provider: "Aha, Alice is watching a 12+ movie"
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer: Like PKI but better
- One secret identity (secret key)
- Many public pseudonyms (public keys)
Issuing a credential
(Figure: a credential with Name = Alice Doe, Birth date = April 3, 1997 is issued to Alice.)
Privacy-protecting authentication with IBM Identity Mixer
- Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
- Movie Streaming Service → Alice: "You need a subscription and to be older than 12"
- Like PKI, but Alice does not send the credential, only a minimal disclosure: a presentation token stating "valid subscription" and "eID with age ≥ 12"
- Movie Streaming Service (using the public verification key of the issuer): "Aha, you are older than 12 and have a subscription"
Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept: Inspection
(Figure: a trusted third party (TTP, the inspector).)
- If the car is damaged, the ID needs to be retrievable for the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line and can be distributed to lessen trust
Concept: Revocation
(Figure: revocation authority parameters (public key); revocation info.)
- If Alice was speeding, her license needs to be revoked
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries & proof
  - limited validity: certs need to be updated
- For proving age, a revoked driver's license still works
Concept ndash Usage Limitation
Degree of anonymity can be limited
If Alice and Eve are on-line at the same time they are caught
Use Limitation ndash anonymous untilndash If Alice used certs gt 100 times total ndash or gt 10000 times with Bob
Alices cert can be bound to hardware token (eg TPM)
A couple of use cases
Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation.
Healthcare
- Anonymous access to patients' records: accessing medical test results
- Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- Eligibility for the premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
- Patent databases
- DNA databases
- News/Journals/Magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Credentials
A Software Stack View on Identity Mixer
(Diagram: the user's wallet on the left, the verifier's service on the right, each with three layers)
Application layer: the user's application issues a resource request; the service side runs access control and application logic.
Policy layer: the service sends a presentation policy, the wallet answers with a presentation token. Wallet: policy/credential matcher, credential manager, evidence-generation orchestration, store. Service: policy/token matcher, token manager, evidence-verification orchestration, store.
Crypto layer (both sides): signatures (Sig), encryption (Enc), commitments (Com), zero-knowledge proofs (ZKP), plus a store.
Privacy-protecting authentication with Privacy ABCs
(Diagram: the issuer parameters and the credential specification define the credential held by the user; the user also holds a pseudonym. The verifier's presentation policy, e.g. "12 < age", is answered with a presentation token built under the verifier parameters.)
The Policy Layer – An Example Presentation Policy
(Diagram: the verifier sends the presentation policy to the user, who answers with a presentation token)

    <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
      <abc:Message>
        <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
      </abc:Message>
      <abc:Credential Alias="voucher">
        <abc:CredentialSpecAlternatives>
          <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
        </abc:CredentialSpecAlternatives>
        <abc:IssuerAlternatives>
          <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
        </abc:IssuerAlternatives>
      </abc:Credential>
      <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
        <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
        <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
      </abc:AttributePredicate>
    </abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.
zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Three-move structure: Commitment, Challenge, Response.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g\rangle$ and an element $y \in \langle g\rangle$.
Prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
Prover: random $r$, $t = g^r$; sends $t$
Verifier: random $c$; sends $c$
Prover: $s = r - cx$; sends $s$
Verifier checks $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero Knowledge Proofs: Security
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box -> we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rerun the prover from the same state (same $t$) with two challenges $c \ne c'$, obtaining transcripts $(t, c, s)$ and $(t, c', s')$:
$t = g^s y^c = g^{s'} y^{c'}$  ->  $y^{c - c'} = g^{s' - s}$
->  $y = g^{(s' - s)/(c - c')}$
->  $x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees", i.e. produce accepting transcripts $(t, c, s)$ with the right distribution without knowing $x$:
- choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$
- if the verifier's challenge $c = c'$, send $s = s'$; otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small.
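The protocol and both arguments above (extraction by rewinding, simulation without the secret) as an added worked example; this is not code from the slides. The group parameters (a safe prime P = 2Q+1 with a generator of order Q) are constructed toy values far too small for real use, and the black-box prover is played by a function that is simply called twice from the same state.

```python
# Added example (not from the slides): Schnorr's zero-knowledge proof of knowledge of a
# discrete logarithm over a small safe-prime group so every step can be checked by hand.
# The parameters are constructed for illustration only and are far too small to be secure.
import secrets

P = 2039            # safe prime, P = 2*Q + 1 (constructed toy value)
Q = 1019            # prime order of the subgroup we work in
G = 4               # 4 = 2^2 is a quadratic residue, hence has order Q in Z_P^*


def keygen():
    """Prover's secret x and public y = g^x (statement: PK{(alpha): y = g^alpha})."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: random r, send t = g^r. r is the prover's state."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: the verifier picks a random challenge c in Z_Q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r - c*x mod Q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(x, y):
    """One honest execution; returns the transcript (t, c, s) and the verdict."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return (t, c, s), verify(y, t, c, s)


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and c1 != c2 give
    g^s1 y^c1 = g^s2 y^c2, hence y^(c1-c2) = g^(s2-s1) and x = (s2-s1)/(c1-c2) mod Q."""
    if c1 == c2:
        raise ValueError("need two different challenges for the same commitment")
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q


def extract_by_rewinding(x, y):
    """The thought experiment: treat the prover as a black box that we can reset to the
    state after round 1 and run twice with different challenges. Only protocol messages
    are used; x is passed in solely to drive the prover, the extractor never reads it."""
    r, t = prover_commit()
    c1, c2 = 5, 17                       # any two distinct challenges work
    s1 = prover_respond(x, r, c1)
    s2 = prover_respond(x, r, c2)
    assert verify(y, t, c1, s1) and verify(y, t, c2, s2)
    return extract(t, c1, s1, c2, s2)


def simulate(y):
    """Zero-knowledge simulator: pick c and s first, then t = g^s y^c. The triple is an
    accepting transcript distributed exactly like a real one, made without knowing x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s
```

The simulator corresponds to the honest-verifier case; against a verifier that chooses c adaptively it must guess c in advance and restart on a miss, which is exactly the success-probability problem stated above.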
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge first.
Verifier: random $c_v$, $h = H(c_v)$; sends $h$
Prover: random $r$, $t = g^r$; sends $t$
Verifier: sends $c_v$ (opening the commitment)
Prover: checks $h = H(c_v)$, computes $s = r - c_v x$; sends $s$
Verifier checks $t = g^s y^{c_v}$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$: with the committed challenge, the simulator proceeds as follows.
- Receive $h$ from the verifier; choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- After having received the opening $c_v$, "reboot" the verifier, i.e. rewind it to the point after it sent $h$
- Now choose random $s$, compute $t = g^s y^{c_v}$ and send $t$; since $h = H(c_v)$, the verifier can only open to the same $c_v$
- Send $s$
From Protocols To Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and
- compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$  <->  $t = g^s y^c$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
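The signing and verification steps above as an added example (not code from the slides): the verifier's challenge is replaced by the hash of the commitment and the message, so the same response equation yields a Schnorr signature. The toy group is constructed; SHA-256 reduced modulo Q stands in for the random oracle H.

```python
# Added example (not from the slides): Schnorr signature obtained from the protocol via the
# Fiat-Shamir heuristic, c = H(t || m). Constructed toy group, for illustration only.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy safe-prime group: P = 2Q + 1, G of order Q


def hash_to_zq(t, m):
    """The 'random oracle' H: hash the commitment t and the message m into Z_Q.
    t is encoded with a fixed width so the concatenation t || m is unambiguous."""
    data = t.to_bytes(4, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): r random, c = H(g^r || m), s = r - c x mod Q."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = hash_to_zq(t, m)
    s = (r - c * x) % Q
    return c, s


def verify(y, m, sig):
    """Recompute t' = g^s y^c (which equals g^r for a valid signature) and check
    that c == H(t' || m)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == hash_to_zq(t, m)


def binding_check(y, m, sig):
    """Illustrates what the hash binds: the same (c, s) is checked against the original
    message and key, a modified message, and a different key. Returns the three verdicts."""
    other_y = pow(y, 2, P)                      # another group element, y != 1 so y^2 != y
    return verify(y, m, sig), verify(y, m + b"!", sig), verify(other_y, m, sig)
```

With a real 256-bit group the second and third verdicts are false except with negligible probability; in this toy group the probability of a spurious pass is about 1/Q.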
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha,\beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha,\beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha,\beta,\gamma,\delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \mathfrak{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathfrak{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
-> The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
-> $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
-> $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
-> $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
-> The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
-> $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
-> $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
-> The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2/C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
-> $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
-> $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
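The first proof of this series (the value in C3 is the sum of the values in C1 and C2) carried out as a Sigma-protocol, as an added example that is not part of the slides. It shows the mechanism behind the analyses above: an exponent that appears in several clauses gets one mask and one response, so the verifier's check of the C3 clause only passes when alpha3 = alpha1 + alpha2 mod q. The toy group (P, Q, G, H) is constructed; the prover is assumed not to know log_g H.

```python
# Added example (not from the slides): Sigma-protocol for
# PK{(a1,b1,a2,b2,b3): C1 = g^a1 h^b1 AND C2 = g^a2 h^b2 AND C3 = g^a1 g^a2 h^b3}.
# Shared exponents (a1, a2 appear in two clauses each) reuse the same mask and response.
# Constructed toy group; log_g H is assumed unknown to the prover.
import secrets

P, Q, G, H = 2039, 1019, 4, 9   # safe-prime group, G and H both of order Q


def commit(a, b):
    """Pedersen commitment C = g^a h^b."""
    return (pow(G, a, P) * pow(H, b, P)) % P


def prover_commit():
    """Round 1: one random mask per secret; the C3 clause reuses the masks of a1 and a2."""
    r = {k: secrets.randbelow(Q) for k in ("a1", "b1", "a2", "b2", "b3")}
    T1 = commit(r["a1"], r["b1"])
    T2 = commit(r["a2"], r["b2"])
    T3 = commit((r["a1"] + r["a2"]) % Q, r["b3"])
    return r, (T1, T2, T3)


def prover_respond(w, r, c):
    """Round 3: s = r - c*w mod Q for every secret w (slide convention)."""
    return {k: (r[k] - c * w[k]) % Q for k in r}


def verify(C, T, c, s):
    """Each clause is checked as T_i == g^s h^s' C_i^c; clause 3 puts s_a1 + s_a2 in the
    g slot, which is what ties the exponent of C3 to the sum of the other two."""
    C1, C2, C3 = C
    T1, T2, T3 = T
    ok1 = T1 == (commit(s["a1"], s["b1"]) * pow(C1, c, P)) % P
    ok2 = T2 == (commit(s["a2"], s["b2"]) * pow(C2, c, P)) % P
    ok3 = T3 == (commit((s["a1"] + s["a2"]) % Q, s["b3"]) * pow(C3, c, P)) % P
    return ok1 and ok2 and ok3


def run(a1, a2, a3, c=None):
    """Commit to a1, a2, a3 with fresh randomness, run the protocol and return the verdict.
    An honest prover succeeds iff a3 == a1 + a2 mod Q; c may be fixed for reproducibility."""
    w = {"a1": a1, "b1": secrets.randbelow(Q),
         "a2": a2, "b2": secrets.randbelow(Q),
         "b3": secrets.randbelow(Q)}
    C = (commit(w["a1"], w["b1"]), commit(w["a2"], w["b2"]), commit(a3, w["b3"]))
    r, T = prover_commit()
    if c is None:
        c = secrets.randbelow(Q - 1) + 1        # verifier's challenge, non-zero
    s = prover_respond(w, r, c)
    return verify(C, T, c, s)
```

The "5 alpha2" variant on the slide is the same protocol with the mask and response of a2 multiplied by 5 in the C3 clause; the product and square variants need the commitment C2 or C1 as a base in the third clause, again with the response of a1 reused.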
Privacy-protecting authentication with Privacy ABCs
(Diagram: Alice's credential is built from three building blocks: a signature scheme, a commitment scheme and zero-knowledge proofs)
signature schemes
Signature Scheme Functionality
Key generation: the signer generates a key pair (signing key, verification key).
Signing: on messages $(m_1, \ldots, m_k)$, $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \text{signing key})$.
Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \text{true}$.
Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures $(m_1, \sigma_1), \ldots, (m_l, \sigma_l)$ on messages of its choice, and must not be able to output $\sigma$ and $m \ne m_i$ s.t. $\mathrm{ver}(\sigma, m, \text{verification key}) = \text{true}$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
We would like to prove knowledge of a signature on a message, e.g.
$PK\{(\mu, \sigma): \sigma^e = H(\mu) \pmod n\}$
But this is not a valid proof expression :-( (the hash function breaks the algebraic structure the proofs rely on)
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
- choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute $c$:
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
- the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$.
Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \ \wedge\ \mu_1 \in \{0,1\}^\ell \ \wedge\ \varepsilon > 2^{\ell+1}\}$
-> proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$
commitment scheme
Commitment Scheme Functionality
(Diagram: the committer puts a message $m$, e.g. "2-36-17", into a sealed box, the commitment, and hands it over; later she opens it and the recipient reads $m$.)
Commitment Scheme Security
Binding: the committer cannot open the same commitment to two different messages (e.g. "2-36-17" and "3-21-11").
Hiding: for all messages $m, m'$, the commitments to $m$ and to $m'$ are indistinguishable to the recipient before opening.
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$.
I.e., given $c$ and any $x'$, there exists an $r'$ such that $c = g^{x'} h^{r'}$: the commitment is consistent with every message.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, so two openings reveal the discrete logarithm of $h$.
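Both arguments on this slide made concrete, as an added example (not from the slides): equivocating a commitment to a different message requires the trapdoor u = log_g h, and two openings of one commitment yield u. The toy group is constructed and, so that both directions can be run, u is known in this demo; in a real setup h is generated so that nobody knows it.

```python
# Added example (not from the slides): Pedersen commitments in a constructed toy group.
# The trapdoor U = log_g H is known here only to demonstrate perfect hiding; in practice
# H is chosen so that nobody knows it, which is what makes the scheme binding.
P, Q, G = 2039, 1019, 4           # safe-prime group, G of order Q
U = 321                            # trapdoor u = log_g h (demo only)
H = pow(G, U, P)


def commit(x, r):
    """c = g^x h^r."""
    return (pow(G, x, P) * pow(H, r, P)) % P


def open_commitment(c, x, r):
    """Verifier's check on an opening (x, r)."""
    return c == commit(x, r)


def equivocate(x, r, x_new):
    """Perfect hiding: c = g^x h^r = g^(x + u r). With the trapdoor pick r' so that
    x' + u r' = x + u r, i.e. r' = r + (x - x')/u mod Q. Without u this r' still exists,
    so c carries no information about x."""
    return (r + (x - x_new) * pow(U, -1, Q)) % Q


def extract_log(x1, r1, x2, r2):
    """Binding: two openings (x1, r1) != (x2, r2) of one c give g^(x1-x2) = h^(r2-r1),
    hence log_g h = (x1 - x2)/(r2 - r1) mod Q. Breaking binding thus solves a DL instance."""
    if r1 == r2:
        raise ValueError("openings with equal randomness must carry equal messages")
    return ((x1 - x2) * pow(r2 - r1, -1, Q)) % Q
```

The ElGamal commitment (g^x h^r, g^r) flips the two properties: the second component fixes r, so only one x fits (perfect binding), while hiding now rests on the DDH assumption.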
Commitment Scheme Extended Features
Proof of knowledge of contents: the committer proves that she knows the message $m$ inside a commitment; the verifier outputs true without learning $m$.
Proof of relations among contents: e.g. prove that the contents of two commitments satisfy $m' = 2 \cdot m$.
Let $C_1 = g^m h^r$ and $C_2 = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C_1 = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^\beta h^\alpha \wedge C_2 = (g^2)^\beta h^\gamma\}$
putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g\rangle = \langle h\rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
- choose random $r \in \mathbb{Z}_q$
- compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
(Diagram: issuing a credential to Alice with the attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
-> $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives commitments to $m_1, \ldots, m_j$ and the clear messages $(m_{j+1}, \ldots, m_k)$, and computes $\sigma = \mathrm{sig}((\text{commitments to } m_1, \ldots, m_j, m_{j+1}, \ldots, m_k), \text{signing key})$.
Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \text{true}$.
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the clear parts of the messages and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$.
1. The user computes $C = a_1^{sk} b^{s'}$ and sends $C$ and her name to the issuer, together with $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$.
2. The issuer chooses $e$, $s''$, computes $c = (d / (C\, a_2^{name}\, b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. Result: $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$, i.e. $(c, e, s'' + s')$ is a signature on $(sk, name)$, and the issuer never saw $sk$.

Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$. Want to sign w.r.t. $Nym = g^{sk} h^r$:
1. The user sends $C = a_1^{sk} a_2^{r} b^{s'}$, $Nym$ and her name, together with $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
2. The issuer stores $(Nym, name)$, chooses $e$, $s''$, computes $c = (d / (C\, a_3^{name}\, b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. Result: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$, a signature on $(sk, r, name)$ that binds the credential to $Nym$.
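The CL signing and verification equations (slides 74 to 76) and the issuance on a hidden secret key just described, as an added example that is not code from the slides or from Identity Mixer. The user sends C = a1^sk b^s', the issuer takes the e-th root, and the result verifies with the ordinary CL equation and can be re-randomised before showing. The modulus is built from two constructed toy safe primes and the message length is tiny; the proof of knowledge that accompanies C is omitted.

```python
# Added example (not from the slides or Identity Mixer): toy CL signatures with issuance
# on a hidden message. Modulus and bases are constructed for illustration; a deployment
# uses a ~2048-bit n, e around 2^(L+2) and s around n. Requires Python 3.8+ (pow with
# negative exponent modulo n).
import math
import secrets

P1, P2 = 2039, 2027                 # constructed toy safe primes (2*1019+1, 2*1013+1)
N = P1 * P2
PHI = (P1 - 1) * (P2 - 1)           # issuer's secret: knowing the factors gives e-th roots
A1, A2, B, D = 4, 9, 25, 49         # public bases, all squares, hence in QR_N
L = 8                               # message length in bits (toy)


def random_prime_e():
    """Prime e with 2^(L+1) < e < 2^(L+2), coprime to phi(N) so that e-th roots exist."""
    while True:
        e = secrets.randbelow(2 ** (L + 1)) + 2 ** (L + 1) + 1
        is_prime = e % 2 == 1 and all(e % p for p in range(3, math.isqrt(e) + 1, 2))
        if is_prime and math.gcd(e, PHI) == 1:
            return e


def user_blind(sk):
    """User: hide sk in C = a1^sk b^s' with fresh s'; send C, keep s'."""
    s_user = secrets.randbelow(N)
    C = (pow(A1, sk, N) * pow(B, s_user, N)) % N
    return C, s_user


def issuer_sign(C, name):
    """Issuer: c = (d / (C * a2^name * b^s''))^(1/e) mod N, using the trapdoor phi(N)."""
    e = random_prime_e()
    s_issuer = secrets.randbelow(N)
    base = (C * pow(A2, name, N) * pow(B, s_issuer, N)) % N
    root_exp = pow(e, -1, PHI)                       # 1/e mod phi(N)
    c = pow((D * pow(base, -1, N)) % N, root_exp, N)
    return c, e, s_issuer


def issue(sk, name):
    """Complete flow; the user combines s' + s'' into the final signature."""
    C, s_user = user_blind(sk)
    c, e, s_issuer = issuer_sign(C, name)
    return c, e, s_user + s_issuer


def verify(sig, sk, name):
    """Anyone: d == c^e a1^sk a2^name b^s mod N (s may be negative after randomisation)."""
    c, e, s = sig
    return D == (pow(c, e, N) * pow(A1, sk, N) * pow(A2, name, N) * pow(B, s, N)) % N


def randomize(sig):
    """Before showing: c' = c b^t, s' = s - e t is again a valid signature and c' is a
    fresh random-looking element, so two showings cannot be linked via c."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return (c * pow(B, t, N)) % N, e, s - e * t
```

In the Nym-bound variant the user's commitment carries a second exponent, C = a1^sk a2^r b^s', and the issuer uses a3 for the name; the root computation is otherwise identical.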
An Example Scenario
Polling Scenario and Requirements
Scenario:
- Pollster(s) and a number of users
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling – Solution: Registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
- The credential can contain attributes (e.g., course ID) about her
Issuer's public key: $(n, a_1, a_2, a_3, b, d)$
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms her credential
3. She shows the transformed credential with a subset of the attributes
   - the user is anonymous and unlinkable
   - multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms her credential:
   - $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   - $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
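The domain-pseudonym half of this solution as an added example (not code from the slides). P = H(pollID)^sk is the same for every submission of one user to one poll, so a second opinion is dropped, and under DDH the values for different polls are unlinkable. The SPK shown binds P, the opinion and the registered pseudonym Nym = g^sk h^r through the shared exponent sk; the credential clause over the RSA group is left out, and the toy pollster instead holds the list of registered Nyms, which in the real scheme is exactly what the credential proof makes unnecessary (the pollster never sees Nym). Group and hash-to-group are constructed for illustration.

```python
# Added example (not from the slides): domain pseudonyms for polling, with a Fiat-Shamir
# proof SPK{(mu, rho): P = g_d^mu AND Nym = g^mu h^rho}(opinion). Constructed toy group;
# hash-to-group maps into the order-Q subgroup by squaring. The registered-Nym check is a
# stand-in for the omitted credential clause.
import hashlib
import secrets

P, Q, G, H = 2039, 1019, 4, 9


def pseudonym(sk, r):
    """Registration pseudonym Nym = g^sk h^r."""
    return (pow(G, sk, P) * pow(H, r, P)) % P


def hash_to_group(label):
    """g_d = H(pollID): hash into Z_P^* and square, landing in the subgroup of order Q."""
    v = int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 1) + 1
    return pow(v, 2, P)


def domain_pseudonym(sk, poll_id):
    return pow(hash_to_group(poll_id), sk, P)


def challenge(*parts):
    data = b"".join(x.to_bytes(4, "big") if isinstance(x, int) else x for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign_opinion(sk, r, nym, poll_id, opinion):
    """Prover: one mask k_mu serves both clauses since sk appears in both."""
    gd = hash_to_group(poll_id)
    Pn = pow(gd, sk, P)
    k_mu, k_rho = secrets.randbelow(Q), secrets.randbelow(Q)
    t1 = pow(gd, k_mu, P)
    t2 = (pow(G, k_mu, P) * pow(H, k_rho, P)) % P
    c = challenge(gd, Pn, nym, t1, t2, opinion)      # the opinion is the signed message
    return Pn, (c, (k_mu - c * sk) % Q, (k_rho - c * r) % Q)


def verify_opinion(nym, poll_id, opinion, Pn, proof):
    c, s_mu, s_rho = proof
    gd = hash_to_group(poll_id)
    t1 = (pow(gd, s_mu, P) * pow(Pn, c, P)) % P
    t2 = (pow(G, s_mu, P) * pow(H, s_rho, P) * pow(nym, c, P)) % P
    return c == challenge(gd, Pn, nym, t1, t2, opinion)


class Pollster:
    """Accepts one opinion per domain pseudonym; later submissions are dropped."""

    def __init__(self, poll_id, registered_nyms):
        self.poll_id = poll_id
        self.registered = set(registered_nyms)   # stand-in for the credential check
        self.seen = {}

    def submit(self, nym, opinion, Pn, proof):
        if nym not in self.registered:
            return "rejected: not eligible"
        if not verify_opinion(nym, self.poll_id, opinion, Pn, proof):
            return "rejected: bad proof"
        if Pn in self.seen:
            return "dropped: duplicate"
        self.seen[Pn] = opinion
        return "accepted"
```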
Further Concepts
Concept – Inspection
(Diagram: a trusted third party (TTP) acts as inspector; its inspector parameters and the inspection grounds are part of the presentation policy)
- If the car is damaged, the ID needs to be retrieved (with the insurance or government)
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
(Diagram: key generation, encryption under the public key, decryption with the secret key)
Security
Like envelopes: a ciphertext gives no information about the message, not even which of two known messages ("or") was encrypted.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgaard works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g\rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g\rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
Given $Nym = g^{sk} h^r$, the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$, and the inspector's public key $y = g^x$.
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
- compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
- compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
The clauses for $e_1$ and $e_2$ reuse $\mu_1, \mu_2$ from the credential clause, so the ciphertext provably contains the $Nym$ the credential was issued on.
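The ElGamal part of this inspection token as an added example (not code from the slides): encrypt Nym under the inspector's key, attach a Fiat-Shamir proof of the two ElGamal clauses with the inspection label bound into the challenge, and let the inspector decrypt. The credential clause over the RSA group is left out; the toy group is constructed.

```python
# Added example (not from the slides): verifiable ElGamal encryption of a pseudonym with
# a label, i.e. SPK{(rho, mu1, mu2): e2 = g^rho AND e1 = y^rho g^mu1 h^mu2}(label).
# Constructed toy group, for illustration only. Requires Python 3.8+ (negative pow).
import hashlib
import secrets

P, Q, G, H = 2039, 1019, 4, 9


def pseudonym(sk, r):
    return (pow(G, sk, P) * pow(H, r, P)) % P


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, nym):
    """ElGamal: (e1, e2) = (y^u * Nym, g^u); u is kept for the proof."""
    u = secrets.randbelow(Q - 1) + 1
    return u, ((pow(y, u, P) * nym) % P, pow(G, u, P))


def decrypt(x, ct):
    """Inspector: Nym = e1 * e2^(-x)."""
    e1, e2 = ct
    return (e1 * pow(e2, -x, P)) % P


def challenge(label, *ints):
    """The label (decryption condition) is hashed with the statement: a ciphertext
    re-labelled by anyone else no longer verifies."""
    data = label + b"".join(v.to_bytes(4, "big") for v in ints)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(y, ct, u, sk, r, label):
    """Prover knows u, sk, r with e2 = g^u and e1 = y^u g^sk h^r."""
    e1, e2 = ct
    k_u, k_sk, k_r = (secrets.randbelow(Q) for _ in range(3))
    t2 = pow(G, k_u, P)
    t1 = (pow(y, k_u, P) * pow(G, k_sk, P) * pow(H, k_r, P)) % P
    c = challenge(label, y, e1, e2, t1, t2)
    return c, (k_u - c * u) % Q, (k_sk - c * sk) % Q, (k_r - c * r) % Q


def verify(y, ct, label, proof):
    """Verifier recomputes t1, t2 from the responses and checks the challenge."""
    e1, e2 = ct
    c, s_u, s_sk, s_r = proof
    t2 = (pow(G, s_u, P) * pow(e2, c, P)) % P
    t1 = (pow(y, s_u, P) * pow(G, s_sk, P) * pow(H, s_r, P) * pow(e1, c, P)) % P
    return c == challenge(label, y, e1, e2, t1, t2)
```

Note what the verifier learns: that the ciphertext opens to some g^mu1 h^mu2 whose exponents the prover knows, and nothing about mu1, mu2 themselves; linking those exponents to the credential is the job of the omitted clause.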
Revocation of credentials
Anonymous Credential Revocation
(Diagram: the issuer publishes revocation info; the verifier looks it up)
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
Anonymous Credential Revocation
Pseudonyms -> standard revocation lists don't work (there is no identifier the verifier can look up without linking the user).
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U = h^\mu\}$
- the verifier checks whether $U \ne h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
- It can then pre-compute the list $U_i = h^{u_i}$ -> a single table lookup
- BUT if the user comes again, the verifier can link her. ALSO, the verifier could refuse to change $h$ at all, or use the same $h$ as other verifiers.
- One way out: $h = H(\text{verifier}, \text{date})$, so the user can check its correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof
(Diagram: number line $0 \ldots N$ with revoked values 1, 4, 5 and Alice's value 3)
The issuer signs the intervals between revoked values: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
Alice's credential contains $u$ (here 3); she proves that she knows an interval signature $Sig(i, j)$ with $i < u < j$ (here $(1, 4)$).
The verifier does not learn $i$, $j$ (nor $u$).
$Sig(i, j)$ can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
(Diagram: credentials contain random serial numbers 1, 2, 3, 4, 5, 6, ...; the issuer accumulates all good serial numbers into a single value)
- A credential contains a serial number (e.g. 2); the proof that 2 is included in the accumulator requires a witness.
- To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find $x$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- For fixed $e$: equivalent to the RSA assumption
- For any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ together with her certificate. But we still need:
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to $x$:
  - choose random $s$ and $g$, and
  - compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1, U_2, g$
- Run the proof-protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
- No information about $x$ and $e$ is revealed:
  - $(U_1, U_2)$ is a secure commitment to $x$
  - the proof-protocol is zero-knowledge
- The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$  =>  $\xi = \delta\mu$
  b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 h^{-\delta})^\mu \pmod n$, i.e. $z = x^\mu$ for the committed $x = U_1 h^{-\delta}$
  c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$, i.e. the same $\mu$ is the $e$ signed in the certificate
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
- Recall $z = v^{\prod e_i} \bmod n$
- Thus $z' = z^{e_{new}} \bmod n$
- But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
- Now $z' = v^{\prod_{e_i \ne e_{rev}} e_i} = z^{1/e_{rev}} \bmod n$
- Witness update:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  - now $x' = x^b z'^a \bmod n$
  - why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} = ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \bmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
- Recall $z = v^{\prod e_i} \bmod n$
- Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and hand out the witness $x = z^{1/e_{new}} \bmod n$
- Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
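The RSA accumulator of the third solution with its dynamic updates (add, revoke with the extended Euclidean witness update, and the trapdoor shortcut of the improved variant), as an added example that is not code from the slides or from the cited paper. The modulus is built from constructed toy safe primes; the serial numbers are small odd primes coprime to phi(n), as the scheme requires.

```python
# Added example (not from the slides): RSA accumulator with membership witnesses and the
# dynamic add/revoke updates. Constructed toy modulus, for illustration only.
# Requires Python 3.8+ (math.prod, pow with negative exponent modulo n).
import math

P1, P2 = 2039, 2027                 # constructed toy safe primes
N = P1 * P2
PHI = (P1 - 1) * (P2 - 1)           # issuer's trapdoor
V = 49                              # seed v, a square so that it lies in QR_N


def ext_gcd(a, b):
    """Returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def accumulate(members):
    """z = v^(prod e_i) mod N."""
    return pow(V, math.prod(members), N)


def witness(members, e):
    """Witness x for e: x = v^(prod of all other e_j), so that z == x^e."""
    return pow(V, math.prod(m for m in members if m != e), N)


def check(z, x, e):
    """Verifier: z == x^e mod N."""
    return z == pow(x, e, N)


def add_member(z, witnesses, e_new):
    """Dynamic add (without trapdoor): z' = z^e_new and every witness becomes x^e_new."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def trapdoor_witness(z, e_new):
    """Improved variant: the issuer knows phi(N), so it hands out x = z^(1/e_new) and
    leaves z unchanged; existing witnesses stay valid."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke_member(z, witnesses, e_rev):
    """Revoke e_rev: the issuer publishes z' = z^(1/e_rev). Each remaining holder of
    (e_own, x) computes a, b with a*e_own + b*e_rev = 1 and x' = x^b z'^a, for which
    x'^e_own = z^b z'^(a e_own) = z'^(b e_rev + a e_own) = z'. The revoked holder has no
    such a, b because gcd(e_rev, e_rev) != 1."""
    z_new = pow(z, pow(e_rev, -1, PHI), N)
    updated = {}
    for e_own, x in witnesses.items():
        if e_own == e_rev:
            continue
        g, a, b = ext_gcd(e_own, e_rev)
        assert g == 1, "serial numbers must be distinct primes"
        updated[e_own] = (pow(x, b, N) * pow(z_new, a, N)) % N
    return z_new, updated
```

In the credential system the holder never reveals e or x; the zero-knowledge protocol two slides back proves the relation z = x^e on committed values instead, and the witness updates above are what the holder performs locally between showings.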
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- No additional effort for the verifier
- If the credential is valid -> no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line, since interaction might be too expensive).
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e$, $s''$, computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
Idea: just repeat the last step for each new time period $time_i$: choose $e_i$, $s_i''$ and compute $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
- Explain the possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society:
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine and abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
Ateniese, Song and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185-215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology - CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
copy 2014 IBM Corporation5
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
- Mashups, ad networks
- Not visible to users and experts
- Data processing changes constantly
And the cloud makes it worse
- Processing machines can be moved around without borders
Far too easy to lose (control over) data and to collect data

You have no privacy, get over it?
... "The NSA has all our data anyway" ... "I have nothing to hide"
Huge security problem
- Millions of hacked passwords (100,000 followers: $115 in 2013)
- Stolen identities ($150 in 2005, $15 in 2009, $5 in 2013)
Difficult to put figures down
- Credit card fraud
- Spam & marketing
- Manipulating stock ratings, etc.
- (Industrial) espionage
We know secret services can do it easily, but they are not the only ones
- but this is not about homeland security
- and there are limits to the degree of protection that one can achieve
Last but not least: data are the new money, so they need to be protected

Privacy: a lost case?
No, but we need a paradigm shift & build stuff for the moon rather than the sandy beach

Need to protect our data
Devices, sensors, etc. cannot all be physically protected
- authentication of all devices
- authentication of all data
... which makes privacy even worse :-(
Data cannot be controlled
- minimize information
- encrypt information
- attach usage policies to each bit

So what can we do?
Legal approach
- Regulate what information can be collected
- How to collect it
- How to use and protect it
- Issue fines for misbehavior
- Very different for different countries and cultures
Technological approach
- Protect data by encryption
- Govern data by policies
- Minimize data that needs to be used

Of course there are limits
Tracing is so easy
- each piece of hardware is quite unique
- log files everywhere
... but that's not the point
- it's not about NSA et al.
- active vs. passive "adversaries"
Still: privacy by design
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.

PETs Can Help
Privacy, Identity and Trust Management Built-In Everywhere
Network Layer: Anonymity
- in mobile phone networks
- in the Future Internet as currently discussed
- access points for ID cards
Identification Layer
- Access control & authorization
Application Layer
- "Standard" e-Commerce
- Specific Apps, e.g. eVoting, OT, PIR
- Web 2.0, e.g. Facebook, Twitter, Wikis

Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
[Figure: a cloud of attributes around a user: name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance]
ID: a set of attributes shared with someone
- attributes are not static: user & party can add
ID Management: two things make an ID useful
- authentication means
- means to transport attributes between parties
Let's see a scenario

Alice wants to watch a movie at Mplex
Alice -> Movie Streaming Service: I wish to see "Alice in Wonderland"
Movie Streaming Service -> Alice: You need
- a subscription
- to be older than 12

Watching the movie with the traditional solution
Alice -> Movie Streaming Service: OK, here's
- my eID
- my subscription
Movie Streaming Service: Aha, you are
- Alice Doe
- born on Dec 12, 1975
- 7 Waterdrive, CH 8003 Zurich
- Married
- eID expires Aug 4, 2018
- Mplex Customer 1029347, Premium Subscription, expires Jan 13, 2016
This is a privacy and security problem:
- identity theft
- profiling
- discrimination

Watching the movie with OpenID and similar solutions, e.g. log-in with Facebook
Facebook: Aha, Alice is watching a 12+ movie
Movie Streaming Service: Aha, you are
- Alice@facebook.com
- born on Dec 12, 1975
- Alice's friends are ...
- Alice's public profile is ...
- Mplex Customer 1029347, Premium Subscription, expires Jan 13, 2016

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better
- One secret identity (secret key)
- Many public pseudonyms (public keys)

Issuing a credential
[Figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, into a credential held by Alice]

Presenting a credential (Privacy-ABCs)
Alice -> Movie Streaming Service: I wish to see "Alice in Wonderland"
Movie Streaming Service -> Alice: You need
- a subscription
- to be older than 12
Like PKI, but Alice does not send the credential, only a minimal-disclosure proof:
- valid subscription
- eID with age >= 12
Movie Streaming Service (checking the proof with only the issuer's public verification key): Aha, you
- are older than 12
- have a subscription
Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen (data that was never collected cannot be breached)
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts

Concept: Inspection (TTP)
- If a car is damaged, the ID (with the insurance or government) needs to be retrievable
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust

Concept: Revocation
- If Alice was speeding, her license needs to be revoked
- There are many different use cases and many solutions
- Variants of CRLs work (using crypto to maintain anonymity)
- Accumulators
- Signing entries & proof
- Limited validity: certs need to be updated
- For proving age, a revoked driver's license still works
(Revocation authority parameters (public key); revocation info)

Concept: Usage Limitation
The degree of anonymity can be limited:
- If Alice and Eve are on-line at the same time, they are caught
- Use limitation, anonymous until: Alice used certs > 100 times total, or > 10,000 times with Bob
- Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases

Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation

Healthcare
- Anonymous access to patients' records (accessing medical test results)
- Anonymous consultations with specialists (online chat with a psychologist, online consultation with IBM Watson)
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- Patent databases
- DNA databases
- News/Journals/Magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
[Figure: three layers on both the user (wallet) and the verifier side. Application layer: resource request; access control & app logic. Policy layer: the verifier sends a presentation policy, the user returns a presentation token; the user side has a policy/credential matcher, a credential manager with a store, and evidence generation orchestration; the verifier side has a policy/token matcher, a token manager with a store, and evidence verification orchestration. Crypto layer (both sides): Sig, Enc, Com, ZKP, with a store.]

Privacy-protecting authentication with Privacy-ABCs
[Figure: issuer parameters and a credential specification define the credential; verifier parameters define the presentation policy; the user answers with a presentation token that contains a pseudonym and proves, e.g., 12 < age.]

User <-> Verifier: presentation policy (verifier -> user), presentation token (user -> verifier)
The Policy Layer: An Example Presentation Policy

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
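The wallet's policy/credential matcher from the stack figure, as an added Python example that is not part of the slides or of the p2abcengine code: it parses a presentation policy of the shape shown above, finds the stored credentials whose spec and issuer match the alternatives, and evaluates the dateTime-geq predicate. The XML is a constructed copy of the policy above; the namespace URI, the dictionary form of wallet credentials and the ISO-8601 encoding of the Expires attribute are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace URI behind the "abc:" prefix: an assumption for this example,
# the slide only shows the prefix.
ABC = "http://abc4trust.eu/wp2/abcschemav1.0"
NS = {"abc": ABC}

# Constructed copy of the presentation policy shown on the slide.
POLICY_XML = f"""<abc:PresentationPolicy xmlns:abc="{ABC}"
    PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message><abc:ApplicationData>Terms and Conditions</abc:ApplicationData></abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>"""


def _dt(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Predicate functions the matcher understands. An unknown function makes the
# policy fail closed rather than being treated as satisfied.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:dateTime-geq": lambda a, b: _dt(a) >= _dt(b),
}


def parse_policy(xml_text):
    """Extract the required credentials (spec/issuer alternatives) and the
    attribute predicates from a presentation policy."""
    root = ET.fromstring(xml_text)
    credentials = {}
    for cred in root.findall("abc:Credential", NS):
        credentials[cred.get("Alias")] = {
            "specs": [e.text for e in cred.findall("abc:CredentialSpecAlternatives/abc:CredentialSpecUID", NS)],
            "issuers": [e.text for e in cred.findall("abc:IssuerAlternatives/abc:IssuerParametersUID", NS)],
        }
    predicates = []
    for pred in root.findall("abc:AttributePredicate", NS):
        attr = pred.find("abc:Attribute", NS)
        predicates.append({
            "function": pred.get("Function"),
            "alias": attr.get("CredentialAlias"),
            "attribute": attr.get("AttributeType"),
            "constant": pred.findtext("abc:ConstantValue", namespaces=NS),
        })
    return {"uid": root.get("PolicyUID"), "credentials": credentials, "predicates": predicates}


def matching_credentials(policy, wallet):
    """Wallet-side policy/credential matcher: for each alias the policy asks
    for, the stored credentials (assumed dicts with spec, issuer and
    attributes) that satisfy the alternatives and every predicate."""
    result = {}
    for alias, req in policy["credentials"].items():
        candidates = [c for c in wallet
                      if c["spec"] in req["specs"] and c["issuer"] in req["issuers"]]
        for pred in policy["predicates"]:
            if pred["alias"] != alias:
                continue
            if pred["function"] not in FUNCTIONS:
                raise ValueError("unsupported predicate " + pred["function"])
            test = FUNCTIONS[pred["function"]]
            candidates = [c for c in candidates
                          if test(c["attributes"][pred["attribute"]], pred["constant"])]
        result[alias] = candidates
    return result


# Constructed wallet: a valid voucher, an expired voucher, an unrelated credential.
WALLET = [
    {"spec": "https://movies.com/specifications/voucher",
     "issuer": "https://movies.com/parameters/voucher",
     "attributes": {"Expires": "2015-01-13T00:00:00Z"}},
    {"spec": "https://movies.com/specifications/voucher",
     "issuer": "https://movies.com/parameters/voucher",
     "attributes": {"Expires": "2014-01-01T00:00:00Z"}},
    {"spec": "https://movies.com/specifications/loyalty",
     "issuer": "https://movies.com/parameters/loyalty",
     "attributes": {"Expires": "2099-01-01T00:00:00Z"}},
]
```

`matching_credentials(parse_policy(POLICY_XML), WALLET)` returns only the unexpired voucher under the alias `voucher`; the expired one fails the predicate and the loyalty credential fails the spec/issuer alternatives. Everything after this point (evidence generation for the token) happens in the crypto layer.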
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Three moves: commitment, challenge, response
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g\rangle$ of prime order $q$ and an element $y \in \langle g\rangle$, the prover wants to convince the verifier that she knows $x$ such that $y = g^x$, such that the verifier learns only $y$ and $g$.

Prover (knows $x$)                              Verifier
random $r \in \mathbb{Z}_q$, $t = g^r$     --- $t$ --->
                                    <--- $c$ ---   random $c \in \mathbb{Z}_q$
$s = r - c\,x \bmod q$             --- $s$ --->   check $t = g^s y^c$

Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box, so we can reset and rerun it. We need to show how the secret can be extracted via the protocol interface.

Run the prover twice from the same commitment $t$ with two different challenges $c \neq c'$ and obtain responses $s$ and $s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$, hence $y^{c - c'} = g^{s' - s}$
$\Rightarrow y = g^{(s' - s)/(c - c')}$
$\Rightarrow x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
Simulator: choose random $c^*$ and $s^*$, compute $t = g^{s^*} y^{c^*}$ and send $t$; receive $c$. If $c = c^*$, send $s = s^*$; otherwise restart.
Problem: if the domain of $c$ is too large, the success probability of a run, $1/|c|$, becomes too small.
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge first.

Prover (knows $x$)                                          Verifier
                                      <--- $h$ ---      random $c$, $v$; $h = H(c, v)$
random $r$, $t = g^r$                 --- $t$ --->
                                      <--- $c, v$ ---
check $h = H(c, v)$; $s = r - c\,x$   --- $s$ --->      check $t = g^s y^c$

Notation: $PK\{(\alpha): y = g^\alpha\}$

Zero-Knowledge Proofs: Security
Simulating the modified protocol: receive $h$; choose random $c^*$, $s^*$, compute $t = g^{s^*} y^{c^*}$, send $t$ and receive $(c, v)$. Now "reboot" the verifier to the point just after it sent $h$: it is committed to the same $c$. Choose a fresh random $s$, compute $t' = g^{s} y^{c}$, send $t'$, receive $(c, v)$ again and answer with $s$. The simulation succeeds regardless of the size of the challenge domain.
From Protocols to Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$
- compute $c = H(g^r \,\|\, m) = H(t \,\|\, m)$ and $s = r - c\,x \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \,\|\, m)$, i.e. recompute $t = g^s y^c$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H(\cdot)$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
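As an added worked example (not code from the slides or from Identity Mixer), the three-move protocol, the rewinding extractor and the Fiat-Shamir transform into a Schnorr signature, in Python over a toy group. The parameters $p = 2039$, $q = 1019$, $g = 4$ are an assumption chosen for readability and far too small for real use; hashing the public key $y$ into the challenge is an addition to the slide's $H(t \,\|\, m)$.

```python
import hashlib
import secrets

# Toy Schnorr group (assumed for this example): p = 2q + 1 is a safe prime
# and g = 4 generates the order-q subgroup of squares. Real deployments use
# a 2048-bit-plus p or an elliptic curve; these sizes are for reading only.
P, Q, G = 2039, 1019, 4


def keygen():
    """Secret x in Z_q^*, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- the interactive protocol PK{(alpha): y = g^alpha} -------------------

def prover_commit():
    """Move 1: random r, send t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2: random challenge c in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Accept iff t == g^s * y^c mod p."""
    return t == pow(G, s, P) * pow(y, c, P) % P


# --- knowledge extractor (soundness) --------------------------------------

def extract(c1, s1, c2, s2):
    """Two accepting transcripts sharing t: g^s1 y^c1 = g^s2 y^c2, so
    y^(c1-c2) = g^(s2-s1) and x = (s2 - s1)/(c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("need two different challenges to extract")
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def rewind_and_extract(x):
    """The slides' thought experiment: treat the prover as a black box,
    reset it after its commitment and make it answer two challenges."""
    y = pow(G, x, P)
    r, t = prover_commit()
    c1 = verifier_challenge()
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q      # always != c1
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    if not (verify(y, t, c1, s1) and verify(y, t, c2, s2)):
        raise RuntimeError("honest prover must pass both runs")
    return extract(c1, s1, c2, s2)


# --- Fiat-Shamir: SPK{(alpha): y = g^alpha}(m), a Schnorr signature --------

def _hash_to_zq(*parts):
    """The 'random oracle' H(): SHA-256 over the parts, reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def sign(x, y, message):
    """c = H(t || y || m) with t = g^r, s = r - c*x mod q; output (c, s).
    Including y in the hash is an addition to the slide's H(t || m)."""
    r = secrets.randbelow(Q)
    c = _hash_to_zq(pow(G, r, P), y, message)
    return c, (r - c * x) % Q


def verify_signature(y, message, signature):
    """Recompute t = g^s y^c and check c == H(t || y || m)."""
    c, s = signature
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == _hash_to_zq(t, y, message)
```

`rewind_and_extract` is exactly the soundness argument: nothing about the prover's code is inspected, only two transcripts with the same $t$ are combined. In `sign` the verifier's random challenge is replaced by the hash, which is why the signature is a non-interactive $SPK$ and why the hash must be collision-resistant and bind $t$ and $m$ (and, in practice, $y$).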
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements (in a group of prime order $q$).

What does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$

And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$

Some Example Proofs and Their Analysis
What does $PK\{(\alpha_1, \ldots, \beta_3'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3'$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3'} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3'} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$

And what about $PK\{(\alpha_1, \beta_1, \beta_2, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2'}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$

Some Example Proofs and Their Analysis
What does $PK\{(\alpha_1, \beta_1, \beta_2, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1} h^{\beta_2'}\}$ mean?
→ The prover knows $\alpha_1, \beta_1, \beta_2'$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and
$g = (C_2/C_1)^{\alpha_1} h^{\beta_2'} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2'/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2'/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2'/\alpha_1} = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy-ABCs
[Figure: Alice's presentation is built from three building blocks: a signature scheme, a commitment scheme and zero-knowledge proofs.]

Signature schemes
Signature Scheme Functionality
- Key generation: the signer generates a secret signing key and a public verification key
- Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \mathrm{sk})$
- Verification: anyone holding the public key checks $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \mathrm{pk}) = \mathrm{true}$

Signature Scheme Security: Unforgeability under Adaptive Chosen Message Attack
The adversary adaptively asks for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice and wins if it outputs $\sigma$ and $m \neq m_i$ (for all $i$) such that $\mathrm{ver}(\sigma, m, \mathrm{pk}) = \mathrm{true}$.
RSA Signature Scheme (for reference)
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme (for reference)
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$?
But this is not a valid proof expression :-( (the hash of the message is not an algebraic relation one can prove statements about)
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $e$ with $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
$c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^s)\right)^{1/e} \bmod n$
The signature is $(c, e, s)$.

To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$ and
$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and run
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$
commitment scheme
[Figure: Commitment scheme functionality, drawn as a combination lock: committing seals a message $m$ in a locked box, opening reveals $m$ together with the combination.]
Commitment Scheme Security
- Binding: a commitment cannot be opened to two different messages $m \neq m'$.
- Hiding: for all messages $m, m'$ the commitments are indistinguishable; the sealed box reveals nothing about its content.
Commitment Schemes
Group $G = \langle g\rangle = \langle h\rangle$ of prime order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r,\; g^r)$
To open a commitment: reveal $x$ and $r$ to the verifier; the verifier checks whether $c = g^x h^r$.

Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$ (which exists since $h \in \langle g\rangle$). Then $c = g^x h^r = g^{x + ur}$, and for any $x'$ the value $r' = r + (x - x')/u \bmod q$ satisfies $c = g^{x' + ur'} = g^{x'} h^{r'}$. I.e., given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$, so $c$ carries no information about $x$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ such that $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. whoever can open $c$ in two ways has computed the discrete logarithm of $h$.
Commitment Scheme Extended Features
[Figure: (a) proof of knowledge of contents: the prover holds a sealed commitment to $m$ and convinces the verifier, who learns only "true"; (b) proof of relations among contents: two sealed commitments to $m$ and $m'$, the prover shows $m' = 2 \cdot m$ without opening either.]
Let $C_1 = g^m h^r$ and $C_2 = g^{m'} h^{r'}$. Then
- proof of knowledge of the content: $PK\{(\alpha, \beta): C_1 = g^\beta h^\alpha\}$
- proof of the relation $m' = 2m$: $PK\{(\alpha, \beta, \gamma): C_1 = g^\beta h^\alpha \wedge C_2 = (g^2)^\beta h^\gamma\}$
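An added example (not from the slides): Pedersen commitments with the two proofs just described, as non-interactive Fiat-Shamir proofs over the same toy group. The values $p = 2039$, $q = 1019$, $g = 4$, $h = 9$ are assumptions for illustration; in a real deployment $h$ is derived (e.g. by hashing) so that nobody knows $\log_g h$. `equivocate` makes the perfect-hiding argument concrete by opening a commitment to a different value once $\log_g h$ is known.

```python
import hashlib
import secrets

# Toy group as on the slides (assumed sizes): G = <g> = <h> of prime order q
# inside Z_p^*, p = 2q + 1. g = 4 and h = 9 are squares, hence of order q.
P, Q, G, H = 2039, 1019, 4, 9


def commit(x):
    """Pedersen: choose r in Z_q, c = g^x h^r mod p. Returns (c, r)."""
    r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_commitment(c, x, r):
    """Verifier checks c == g^x h^r."""
    return c == pow(G, x, P) * pow(H, r, P) % P


def equivocate(x, r, x_new, u):
    """Perfect hiding, constructively: whoever knows u = log_g h can open
    the same c to any x_new with r_new = r + (x - x_new)/u mod q. In the toy
    group u is brute-forceable; in practice it is unknown, which is exactly
    why the scheme is only computationally binding."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def _challenge(*parts):
    """Fiat-Shamir challenge: SHA-256 over the statement and commitments."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def prove_double(x, r1, r2):
    """Non-interactive PK{(b, a, g'): C1 = g^b h^a  AND  C2 = (g^2)^b h^g'}.
    Both equations share the witness b, so C2 provably commits to 2*b.
    Returns C1, C2 and the proof (c, s_b, s_a, s_g)."""
    C1 = pow(G, x, P) * pow(H, r1, P) % P
    C2 = pow(G, 2 * x, P) * pow(H, r2, P) % P
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, rb, P) * pow(H, ra, P) % P            # commitment for eq. 1
    t2 = pow(G, 2 * rb, P) * pow(H, rg, P) % P        # same rb for eq. 2
    c = _challenge(C1, C2, t1, t2)
    s_b, s_a, s_g = (rb - c * x) % Q, (ra - c * r1) % Q, (rg - c * r2) % Q
    return C1, C2, (c, s_b, s_a, s_g)


def verify_double(C1, C2, proof):
    """Recompute t1 = g^s_b h^s_a C1^c and t2 = (g^2)^s_b h^s_g C2^c and
    check that they hash to the challenge in the proof."""
    c, s_b, s_a, s_g = proof
    t1 = pow(G, s_b, P) * pow(H, s_a, P) * pow(C1, c, P) % P
    t2 = pow(G, 2 * s_b, P) * pow(H, s_g, P) * pow(C2, c, P) % P
    return c == _challenge(C1, C2, t1, t2)
```

The single response `s_b` answering for the exponent of $g$ in both equations is what carries the relation: a prover who knew two unrelated values for the two commitments could not produce one `s_b` that satisfies both verification equations.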
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g\rangle = \langle h\rangle$ of prime order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
- choose random $r \in \mathbb{Z}_q$
- compute $Nym = g^{sk} h^r$ (a Pedersen commitment to $sk$; a fresh $r$ gives a fresh, unlinkable pseudonym for the same key)
Concept: credentials
Issuing a credential: like PKI, but better
[Figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, into a credential.]

Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
The user commits to the hidden messages $m_1, \ldots, m_j$ and sends the commitment together with the clear messages $m_{j+1}, \ldots, m_k$; the signer outputs $\sigma = \mathrm{sig}((\mathrm{commitment}(m_1, \ldots, m_j), m_{j+1}, \ldots, m_k), \mathrm{sk})$. Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \mathrm{pk}) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer public key: $(n, a_i, b, d)$.
1. User: choose random $s'$, compute $C = a_1^{sk} b^{s'}$ and send $C$ together with the clear attribute $name$ and the proof $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$.
2. Issuer: choose a random prime $e$ and random $s''$, compute $c = \left(d / (C\, a_2^{name} b^{s''})\right)^{1/e} \bmod n$ and return $(c, e, s'')$.
3. User: the credential is $(c, e, s'' + s')$ on $(sk, name)$, since $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Want to sign w.r.t. a pseudonym $Nym = g^{sk} h^r$ instead:
1. User: compute $C = a_1^{sk} a_2^{r} b^{s'}$ and send $C$, $Nym$, $name$ and $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
2. Issuer: store $(Nym, name)$, compute $c = \left(d / (C\, a_3^{name} b^{s''})\right)^{1/e} \bmod n$ and return $(c, e, s'')$.
3. User: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
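An added example (not the Identity Mixer library's code) covering the CL signature, its verification, the re-randomization used when presenting, and the issuance on a commitment from the three steps above, in Python. The modulus is built from two small published primes and $\ell = 16$ so the example runs in well under a second; those sizes, the slot layout (secret key in $a_1$, name in $a_2$) and the omission of the proof $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$ are deliberate simplifications.

```python
import secrets

# Toy CL parameters (assumptions for this example): n is the product of two
# small published primes, so phi(n) stands in for the issuer's trapdoor. A
# real issuer uses a 2048-bit modulus with safe-prime factors and L ~ 256.
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
L = 16            # messages live in {0,1}^L
K = 2             # message slots: m1 = user's secret key, m2 = name


def _random_qr():
    """Random quadratic residue mod n (square of a random unit)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if r % P_ and r % Q_:
            return pow(r, 2, N)


def _is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def _random_prime_e():
    """Random prime e with 2^(L+1) < e < 2^(L+2), invertible mod phi(n)."""
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)
        if _is_prime(e) and PHI % e:
            return e


def _eth_root(x, e):
    """x^(1/e) mod n; needs the factorisation (via phi), i.e. issuer only."""
    return pow(x, pow(e, -1, PHI), N)


def keygen():
    """Public key (n, a_1..a_k, b, d) with all bases in QR_n."""
    return {"a": [_random_qr() for _ in range(K)], "b": _random_qr(), "d": _random_qr()}


def _product(pk, msgs, s, U=1):
    """U * a_i^m_i ... * b^s mod n, msgs filling the last len(msgs) slots."""
    acc = U * pow(pk["b"], s, N) % N
    for a, m in zip(pk["a"][K - len(msgs):], msgs):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(pk, msgs):
    """c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n with s ~ n."""
    if not all(0 <= m < 2 ** L for m in msgs):
        raise ValueError("message out of {0,1}^L")
    e, s = _random_prime_e(), secrets.randbelow(N)
    return _eth_root(pk["d"] * pow(_product(pk, msgs, s), -1, N) % N, e), e, s


def verify(pk, msgs, sig):
    """d == c^e a_1^m_1 ... a_k^m_k b^s mod n, all m_i in {0,1}^L, e > 2^(L+1)."""
    c, e, s = sig
    if not all(0 <= m < 2 ** L for m in msgs) or e <= 2 ** (L + 1):
        return False
    return pow(c, e, N) * _product(pk, msgs, s) % N == pk["d"]


def rerandomize(pk, sig):
    """(c b^t, e, s - e t): a fresh-looking signature on the same messages,
    so a verifier cannot link two presentations by the value c."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def user_commit(pk, sk):
    """Issuance step 1 (user): U = a_1^sk b^s', keep s'. The accompanying
    PK{(mu, sigma'): U = a_1^mu b^sigma'} from the slides is not shown."""
    s1 = secrets.randbelow(N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issue_on_commitment(pk, U, clear_msgs):
    """Issuance step 2 (issuer): sign the hidden part through U together
    with the clear attributes, never seeing sk. Returns (c, e, s'')."""
    e, s2 = _random_prime_e(), secrets.randbelow(N)
    return _eth_root(pk["d"] * pow(_product(pk, clear_msgs, s2, U), -1, N) % N, e), e, s2
```

The user completes step 3 by keeping $(c, e, s' + s'')$: `verify(pk, [sk, name], (c, e, s1 + s2))` holds because $c^e = d / (U a_2^{name} b^{s''})$ and $U = a_1^{sk} b^{s'}$. Note that `verify` rejects messages outside $\{0,1\}^\ell$ and exponents $e \le 2^{\ell+1}$; dropping either check is what lets a forger shift weight between the $a_i^{m_i}$ terms and $e$.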
© 2013 IBM Corporation, October 28, 2014
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable

Polling, Solution: Registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer key $(n, a_1, a_2, a_3, b, d)$
- The credential can contain attributes (e.g. course ID) about her

Polling, Solution: Submit Poll
1. The user generates a domain pseudonym for $domain = pollID$
2. The user transforms (re-randomizes) the credential
3. The user sends the transformed credential with a subset of the attributes and the opinion
- The user is anonymous and unlinkable across polls
- Multiple opinions are detected because of the uniqueness of the domain pseudonym within a poll

Polling, Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and sends $c'$, $P$ and
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
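An added example for the domain-pseudonym step (not the slides' or Identity Mixer's code): hashing the poll ID into the prime-order subgroup, deriving $P = H(pollID)^{sk}$, and the pollster dropping repeated submissions. The group ($p = 2039$, $q = 1019$), the poll IDs and the secret keys are constructed for illustration; the $SPK$ that ties $P$ to the credential is left out.

```python
import hashlib

# Toy group (assumption for this example): p = 2q + 1 is a safe prime and
# the domain generators live in the order-q subgroup of squares.
P, Q = 2039, 1019


def hash_to_group(domain):
    """g_d = H(domain): map the hash into {2, ..., p-2} and square it, so the
    result lies in the order-q subgroup and is never the identity. Without
    this cofactor clearing g_d could land outside the subgroup and
    P = g_d^sk would leak a bit of sk (and could differ in order per poll)."""
    h = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % (P - 3) + 2
    return pow(h, 2, P)


def domain_pseudonym(sk, domain):
    """P = g_d^sk mod p. Deterministic per (sk, domain); pseudonyms of the
    same sk under different domains are unlinkable under DDH."""
    return pow(hash_to_group(domain), sk, P)


class Poll:
    """Pollster: one opinion per domain pseudonym, later submissions dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}        # domain pseudonym -> opinion

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False          # same user voting again: dropped
        self.opinions[pseudonym] = opinion
        return True


def run_scenario():
    """Constructed run: Alice votes twice in one poll (second dropped), Bob
    votes once, Alice votes in an unrelated poll under a different P."""
    alice, bob = 123, 456        # secret keys; random in Z_q in practice
    course, other = Poll("course-eval-2015"), Poll("cafeteria-2015")
    r1 = course.submit(domain_pseudonym(alice, course.poll_id), "great")
    r2 = course.submit(domain_pseudonym(alice, course.poll_id), "great again")
    r3 = course.submit(domain_pseudonym(bob, course.poll_id), "ok")
    r4 = other.submit(domain_pseudonym(alice, other.poll_id), "meh")
    return (r1, r2, r3, r4), len(course.opinions), len(other.opinions)
```

The pollster never sees $sk$ or $Nym$, only $P$; the proof on the slide is what stops a user from submitting a $P$ computed from someone else's key.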
Further Concepts

Concept: Inspection (TTP; inspector parameters, inspection grounds)
- If a car is damaged, the ID (with the insurance or government) needs to be retrievable
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust

Public Key Encryption
- Key generation
- Encryption
- Decryption
Security: like envelopes, the ciphertext gives no information about the message; the adversary cannot tell which of two messages was encrypted. This is called semantic security (secure if used once only or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.

Verifiable Encryption
- Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or rarely ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgard works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g\rangle$ of prime order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g\rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^r m,\; g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m,\; g^r) = (g^{xr} m,\; g^r)$
- thus set $m = c_1 \cdot c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$

Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym,\; g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
- compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
- compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
The verifier learns only that $enc$ encrypts the pseudonym bound to the credential; the inspector can later decrypt $Nym$.
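An added example (not from the slides or the Identity Mixer code) for the ElGamal scheme and the inspection token: encrypt a pseudonym $Nym = g^{sk} h^r$ under the inspector's key, prove with $SPK\{(\rho, \mu_1, \mu_2): e_2 = g^\rho \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2}\}$ that the ciphertext contains a pseudonym whose opening the user knows, and let the inspector decrypt. The credential conjunct of the slide's proof is omitted, and the group ($p = 2039$, $q = 1019$, $g = 4$, $h = 9$) is a toy-sized assumption.

```python
import hashlib
import secrets

# Toy group (assumption): p = 2q + 1, g = 4 and h = 9 of prime order q.
P, Q, G, H = 2039, 1019, 4, 9


def inspector_keygen():
    """Secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Nym = g^sk h^r, a Pedersen commitment to the user's secret key."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m):
    """ElGamal: pick u, output (e1, e2) = (y^u * m, g^u); m is a group element.
    Also returns u, which the user needs for the proof below."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * m % P, pow(G, u, P)), u


def decrypt(x, ct):
    """Inspector: m = e1 * e2^(-x) = y^u m g^(-xu)."""
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P


def _challenge(*parts):
    """Fiat-Shamir challenge over public key, ciphertext and commitments."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def prove_encrypts_pseudonym(y, ct, u, sk, r):
    """SPK{(rho, mu1, mu2): e2 = g^rho  AND  e1 = y^rho g^mu1 h^mu2}: the
    ciphertext encrypts a pseudonym whose opening (sk, r) the prover knows.
    The shared response for rho ties the two equations together."""
    e1, e2 = ct
    ru, rs, rr = (secrets.randbelow(Q) for _ in range(3))
    t2 = pow(G, ru, P)
    t1 = pow(y, ru, P) * pow(G, rs, P) * pow(H, rr, P) % P
    c = _challenge(y, e1, e2, t1, t2)
    return c, (ru - c * u) % Q, (rs - c * sk) % Q, (rr - c * r) % Q


def verify_encrypts_pseudonym(y, ct, proof):
    """Verifier recomputes t2 = g^s_u e2^c and t1 = y^s_u g^s_sk h^s_r e1^c."""
    e1, e2 = ct
    c, su, ss, sr = proof
    t2 = pow(G, su, P) * pow(e2, c, P) % P
    t1 = pow(y, su, P) * pow(G, ss, P) * pow(H, sr, P) * pow(e1, c, P) % P
    return c == _challenge(y, e1, e2, t1, t2)
```

The verifier runs `verify_encrypts_pseudonym` and stores the ciphertext with the transaction; only the inspector, holding $x$, can run `decrypt` and recover $Nym$, which the issuer can map back to a name. The label from the slide on verifiable encryption with label would additionally be hashed into the challenge and stored alongside.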
Revocation of credentials

Anonymous Credential Revocation
[Figure: the revocation authority publishes revocation info; the verifier looks it up.]
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
Pseudonyms → standard revocation lists don't work (there is no fixed identifier that a verifier could look up).

Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(

Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U = h^\mu\}$
- the verifier checks whether $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? Then every $U$ can be matched against that list. And in any case, once a credential's $u_i$ is published as revoked, all its past transactions become linkable: anyone who stored $(h, U)$ can test $U = h^{u_i}$.

Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while, and pre-compute the list $U_j = h^{u_j}$ → a single table lookup. BUT if the user comes again, the verifier can link her. ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
- one way out: $h = H(verifier, date)$, so the user can check correctness
- the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
... better implementation of the proof
The issuer signs the intervals between revoked values: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
Alice, whose credential contains serial number 3, shows that she holds some $Sig(i, j)$ with $i < 3 < j$ without revealing $i$, $j$ or 3. The verifier does not learn $i$ or $j$.
$Sig(i, j)$ can also be realised with the credential signature scheme, using a different public key.

Revocable Credentials: Third Solution, Using Cryptographic Accumulators
[Figure: the accumulator contains the serial numbers 1 to 6; credential 2 proves that it is included.]
- Credentials contain a random serial number
- The issuer accumulates all good serial numbers
- The proof of membership requires a witness
- To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- the witness value $x$ for $e_j$ such that $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^e \bmod n$

Security of the accumulator: it must be hard to find $x$ such that $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- For fixed $e$: equivalent to the RSA assumption
- Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$ and each user gets a witness $x$ with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go

Prove that your key is in the accumulator:
- Commit to $x$: choose random $s$ and $g$, compute $U_1 = x\, h^s$ and $U_2 = g^s$, and reveal $U_1, U_2, g$
- Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$
Analysis:
- No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$ and the proof protocol is zero-knowledge.
- The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$ ⇒ $\xi = \delta\mu$
  b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 h^{-\delta})^\mu \pmod n$, i.e. $z = x^\mu$ with $x = U_1 h^{-\delta}$
  c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$, with the same $\mu$ as the $e$ in the certificate

Revocation, Third Solution: Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
When a certificate containing $e_{rev}$ is revoked:
- now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (computed by the issuer using the factorization of $n$)
- witness update: use the extended Euclidean algorithm to compute $a$ and $b$ such that $a\, e_{own} + b\, e_{rev} = 1$; now $x' = x^b z'^a \bmod n$
- why: $x'^{e_{own}} = x^{b\, e_{own}} z'^{a\, e_{own}} = z^b z'^{a\, e_{own}} = z'^{b\, e_{rev}} z'^{a\, e_{own}} = z'^{a\, e_{own} + b\, e_{rev}} = z' \pmod n$ :-)

Revocation, Third Solution (improved): Dynamic Accumulator in case the issuer knows the factorization of $n$
When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- thus $z$ needs not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
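An added example of the accumulator operations in this section (not the Camenisch-Lysyanskaya reference code): accumulate, witness, membership check, join, revocation with the trapdoor, the trapdoor-free witness update via the extended Euclidean algorithm, and the improved join that leaves $z$ unchanged. The modulus uses two small published primes and the serial numbers are fixed small primes, both assumptions for illustration.

```python
from math import gcd

# Toy RSA accumulator (assumption): n is the product of two small published
# primes, so phi(n) stands in for the issuer's trapdoor. Real deployments use
# a 2048-bit modulus. Serial numbers are primes coprime to phi(n).
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
V = 4                     # seed, a quadratic residue


def accumulate(elements):
    """z = v^(prod e_i) mod n."""
    z = V
    for e in elements:
        if gcd(e, PHI) != 1:
            raise ValueError("serial number must be coprime to phi(n)")
        z = pow(z, e, N)
    return z


def witness(elements, e_j):
    """x = v^(prod_{i != j} e_i) mod n, so that z == x^e_j."""
    x = V
    for e in elements:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify_membership(z, e, x):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z


# ---- dynamic updates -------------------------------------------------------

def add_member(z, x_own, e_new):
    """Join without trapdoor: z' = z^e_new and every witness x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def issuer_revoke(z, e_rev):
    """Issuer (knows phi(n)): z' = z^(1/e_rev) mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def _ext_gcd(u, v):
    """Extended Euclid: returns (a, b) with a*u + b*v = gcd(u, v)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while v:
        q, u, v = u // v, v, u % v
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return a0, b0


def update_witness_after_revocation(x_own, e_own, z_new, e_rev):
    """User (no trapdoor): with a*e_own + b*e_rev = 1,
    x' = x^b z'^a, since x'^e_own = z^b z'^(a e_own) = z'^(b e_rev + a e_own) = z'."""
    a, b = _ext_gcd(e_own, e_rev)
    return pow(x_own, b, N) * pow(z_new, a, N) % N


def issuer_add_keeping_z(z, e_new):
    """Improved join (issuer knows the factorisation): hand the newcomer
    x = z^(1/e_new) and leave z alone, so nobody else updates anything."""
    return pow(z, pow(e_new, -1, PHI), N)
```

`update_witness_after_revocation` is the step every still-valid user performs after each revocation, using only the published new $z'$ and the revoked $e_{rev}$; a verifier keeps accepting old witnesses against the old $z$ only if it fails to fetch the latest accumulator value, which is the freshness problem any revocation mechanism has.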
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer

Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- User: $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- Issuer: choose $e, s''$, compute $c = \left(d / (U\, a_3^{m_3} a_4^{time} b^{s''})\right)^{1/e} \bmod n$ and return $(c, e, s'')$
Idea: just repeat the last step for each new time period $time_i$:
- Issuer: choose $e_i, s_i''$, compute $c_i = \left(d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''})\right)^{1/e_i} \bmod n$
- The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; the user need not interact with the issuer
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix

References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.

You have no privacy, get over it
… "The NSA has all our data anyway"
… "I have nothing to hide"
Huge security problem
– Millions of hacked passwords (100,000 followers: $115 – 2013)
– Stolen identities ($150 – 2005, $15 – 2009, $5 – 2013)
Difficult to put figures down
– Credit card fraud
– Spam & marketing
– Manipulating stock ratings, etc.
– (Industrial) espionage
We know secret services can do it easily, but they are not the only ones
– but this is not about homeland security
– and there are limits to the degree of protection that one can achieve
Last but not least: data are the new money, so they need to be protected

Privacy – a lost case?
No, but we need a paradigm shift & build stuff for the moon rather than the sandy beach

Need to protect our data
Devices, sensors, etc. cannot all be physically protected
– authentication of all devices
– authentication of all data
… makes it even worse :-(
Data cannot be controlled
– minimize information
– encrypt information
– attach usage policies to each bit

So what can we do?
Legal approach
– Regulate what information can be collected
– How to collect it
– How to use and protect it
– Issue fines for misbehavior
– Very different for different countries and cultures
Technological approach
– Protect data by encryption
– Govern data by policies
– Minimize data that needs to be used

Of course there are limits
Tracing is so easy
– each piece of hardware is quite unique
– log files everywhere
… but that's not the point
– it's not about NSA et al.
– active vs. passive "adversaries"
Still: privacy by design

Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.

PETs Can Help
Privacy, Identity and Trust Management Built-In Everywhere
Network Layer: Anonymity
– in mobile phone networks
– in the Future Internet as currently discussed
– access points for ID cards
Identification Layer
– Access control & authorization
Application Layer
– "Standard" e-Commerce
– Specific apps, e.g., eVoting, OT, PIR
– Web 2.0, e.g., Facebook, Twitter, Wikis

Privacy at the Authentication Layer
Authentication without identification

What is an identity & identity management?
(Slide figure: a cloud of attributes around the user – name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance)
ID: set of attributes shared w/ someone
– attributes are not static: user & party can add
ID Management: two things to make ID useful
– authentication means
– means to transport attributes between parties

Let's see a scenario

Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need – subscription – be older than 12"

Watching the movie with the traditional solution
Alice → Movie Streaming Service: "ok, here's – my eID – my subscription"
Movie Streaming Service: "Aha, you are – Alice Doe – born on Dec 12, 1975 – 7 Waterdrive – CH 8003 Zurich – Married – Expires Aug 4, 2018" and "Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016"
This is a privacy and security problem!
• identity theft
• profiling
• discrimination

Watching the movie with the traditional solution: with OpenID and similar solutions, e.g., log-in with Facebook
Movie Streaming Service: "Aha, you are – Alice@facebook.com – born on Dec 12, 1975 – Alice's friends are ... – Alice's public profile is ..." and "Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016"
"Aha, Alice is watching a 12+ movie"

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more!

Like PKI, but better
Privacy-protecting authentication with IBM Identity Mixer: one secret identity (secret key), many public pseudonyms (public keys)

Like PKI, but better
Issuing a credential: the issuer signs attributes such as Name = Alice Doe, Birth date = April 3, 1997

Privacy-protecting authentication with IBM Identity Mixer
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need – subscription – be older than 12"

Like PKI, but does not send credential, only minimal disclosure
Alice → Movie Streaming Service: proof of – valid subscription – eID with age ≥ 12
Movie Streaming Service (checks the proof against the public verification key of the issuer): "Aha, you are – older than 12 – have a subscription"

Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)

Further Concepts

Concept – Inspection
(Figure: a TTP that can open the encrypted identity)
• If car is damaged: ID with insurance or government needs to be retrieved
• Similarly: verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust

Concept – Revocation
(Figure: revocation authority parameters (public key); revocation info)
• If Alice was speeding, license needs to be revoked
• There are many different use cases and many solutions
• Variants of CRL work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
• Limited validity – certs need to be updated
  • For proving age, a revoked driver's license still works

Concept – Usage Limitation
Degree of anonymity can be limited:
• If Alice and Eve are on-line at the same time, they are caught
• Use limitation – anonymous until
  – Alice used certs > 100 times total
  – or > 10,000 times with Bob
• Alice's cert can be bound to a hardware token (e.g., TPM)

A couple of use cases

Age verification
Movie streaming services, gaming industry, online gambling platforms, dating websites, social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation

Healthcare
Anonymous access to patients' records
– accessing medical test results
Anonymous consultations with specialists
– online chat with a psychologist
– online consultation with IBM Watson
Eligibility for the premium health insurance
– proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
Patent databases, DNA databases, news/journals/magazines, transportation tickets, toll roads, loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
Online polls – applying different restrictions on the poll participants: location, citizenship
Rating and feedback platforms
– anonymous feedback for a course only from the students who attended it
– wikis
– recommendation platforms
Providing anonymous but at the same time legitimate feedback

Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(Slide figure: three layers on the user's and on the verifier's side)
– application layer: resource request; AC & app logic
– policy layer: presentation policy and presentation token; on the user side a wallet with policy/credential matcher, credential manager, store and evidence generation orchestration; on the verifier side a policy/token matcher, token manager, store and evidence verification orchestration
– crypto layer: Sig, Enc, Com, ZKP (with a store)

Privacy-protecting authentication with Privacy ABCs
(Slide figure: issuer parameters and credential specification define the credential; the user holds the credential and a pseudonym; the verifier's parameters and presentation policy, e.g. 12 < age, are answered with a presentation token)

The Policy Layer – An Example Presentation Policy
(Verifier sends the presentation policy to the User, the User answers with a presentation token)
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>

So let's look at the cryptography

Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
… the challenge is to do all this efficiently

Zero-knowledge proofs

Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge
(three moves: commitment, challenge, response)
Properties:
– zero-knowledge: verifier learns nothing about the prover's secret
– proof of knowledge (soundness): prover can convince verifier only if she knows the secret
– completeness: if prover knows the secret she can always convince the verifier

Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>.
Prover wants to convince verifier that she knows x s.t. y = g^x, such that verifier only learns y and g.
  Prover (knows x, y = g^x)                         Verifier
  random r, t = g^r             ――― t ―――▶
                                ◀――― c ―――          random c
  s = r − c·x                   ――― s ―――▶          check t = g^s y^c
Notation: PK{(α): y = g^α}

Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
Prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover.
Need to show how the secret can be extracted via the protocol interface: run the prover twice with the same t and two different challenges c, c', obtaining (t, c, s) and (t, c', s'):
  t = g^s y^c = g^(s') y^(c')  →  y^(c − c') = g^(s' − s)
  →  y = g^((s' − s)/(c − c'))
  →  x = (s' − s)/(c − c') mod q

Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees":
– choose random c', s', compute t = g^(s') y^(c'), send t
– receive c; if c = c', send s = s', otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.

Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier commits to its challenge first.
  Prover (knows x, y = g^x)                         Verifier
                                ◀――― h ―――          random c_v, h = H(c_v)
  random r, t = g^r             ――― t ―――▶
                                ◀――― c_v ―――
  check h = H(c_v),             ――― s ―――▶          check t = g^s y^(c_v)
  s = r − c_v·x
Notation: PK{(α): y = g^α}

Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c – simulation:
– receive h; choose random c', s', compute t = g^(s') y^(c'), send t
– after having received c_v, "reboot" the verifier (it sends the same h and c_v again)
– choose random s', compute t = g^(s') y^(c_v), send t, receive h and c_v, send s'

From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r − c·x mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m)  ↔  t = g^s y^c
Security:
– underlying protocol is a zero-knowledge proof of knowledge
– hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
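The Schnorr protocol, the rewinding extractor, the simulator and the Fiat-Shamir signature SPK{(α): y = g^α}(m) from the slides above, as an added example (not code from the slides); the order-q subgroup of Z_p^* for the constructed safe prime p = 2q+1 = 10007 is assumed and is far too small for real use.

```python
"""Schnorr proof of knowledge of x with y = g^x, as on the slides: the three-move
protocol, the extractor (rewind to the same t, two challenges), the simulator, and the
Fiat-Shamir signature SPK{(α): y = g^α}(m).

Added example, not code from the slides. Constructed toy group: the order-q subgroup
of Z_p^* for the safe prime p = 2q+1 = 10007 (far too small for real use)."""
import hashlib
import random

P = 10007                   # safe prime, p = 2q + 1
Q = (P - 1) // 2            # prime group order q = 5003
G = 4                       # 2^2 is a square, hence generates the order-q subgroup

def commit(r):
    return pow(G, r, P)                                  # t = g^r

def respond(x, r, c):
    return (r - c * x) % Q                               # s = r - c x mod q

def accept(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P          # t == g^s y^c ?

def extract(c1, s1, c2, s2):
    """Two accepting transcripts with the same t:
    g^s1 y^c1 = g^s2 y^c2  ->  y^(c1-c2) = g^(s2-s1)  ->  x = (s2-s1)/(c1-c2) mod q."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q

def simulate(y, rng):
    """Zero-knowledge: choose c and s first, then t = g^s y^c; no x needed."""
    c, s = rng.randrange(Q), rng.randrange(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s

def hash_challenge(t, m):
    """c = H(t || m) reduced into Z_q (random-oracle heuristic)."""
    data = t.to_bytes(4, "big") + m.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def spk_sign(x, m, rng):
    """SPK{(α): y = g^α}(m): (c, s) with c = H(g^r || m), s = r - c x."""
    r = rng.randrange(Q)
    c = hash_challenge(commit(r), m)
    return c, respond(x, r, c)

def spk_verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P                  # recompute t = g^s y^c
    return c == hash_challenge(t, m)

def demo():
    rng = random.Random(7)
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    # honest run of the three-move protocol
    r = rng.randrange(Q)
    t = commit(r)
    c1 = rng.randrange(Q)
    s1 = respond(x, r, c1)
    honest = accept(y, t, c1, s1)
    # rewind: same r (same t), fresh challenge -> the extractor recovers x
    c2 = (c1 + 1) % Q
    s2 = respond(x, r, c2)
    extracted = extract(c1, s1, c2, s2) == x
    # a simulated transcript is accepted although it was made without x
    simulated = accept(y, *simulate(y, rng))
    msg = "I wish to see Alice in Wonderland"            # constructed message
    sig = spk_sign(x, msg, rng)
    return (honest, extracted, simulated,
            spk_verify(y, msg, sig),
            spk_verify(y, msg + "!", sig))
```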
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}

Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does
  PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3}
mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
  C3 = g^α1 g^α2 h^β3 = g^(α1 + α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about
  PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^(5·α2) h^β3 = g^(α1 + 5·α2) h^β3
→ α3 = α1 + 5·α2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does
  PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3}
mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
  C3 = C2^α1 h^β3 = (g^α2 h^β2)^α1 h^β3 = g^(α2·α1) h^(β3 + β2·α1)
  C3 = g^(α2·α1) h^(β3 + β2·α1) = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about
  PK{(α1, β1, α2, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2}?
→ C2 = C1^α1 h^β2 = g^(α1·α1) h^(β1·α1 + β2)
→ α2 = α1^2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does
  PK{(α1, β1, α2, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2}
mean?
→ Prover knows values α1, β1, β2 such that
  C1 = g^α1 h^β1
  g = (C2/C1)^α1 h^β2 = (C2 g^(−α1) h^(−β1))^α1 h^β2
→ g^(1/α1) = C2 g^(−α1) h^(−β1) h^(β2/α1)
  C2 = g^α1 h^β1 h^(−β2/α1) g^(1/α1) = g^(α1 + 1/α1) h^(β1 − β2/α1)
  C2 = g^α2 h^β2
→ α2 = α1 + α1^(−1) (mod q)

Privacy-protecting authentication with Privacy ABCs
Building blocks: signature scheme, commitment scheme, zero-knowledge proofs

Signature schemes

Signature Scheme: Functionality
– Key generation: the signer generates a signing key and a public verification key
– Signing: on messages (m1, …, mk), σ = sig((m1, …, mk), signing key)
– Verification: ver(σ, (m1, …, mk), verification key) = true

Signature Scheme: Security
Unforgeability under adaptive chosen message attack:
– the adversary may adaptively obtain signatures σ1, …, σl on messages m1, …, ml of its choice
– it wins if it outputs σ and m ≠ m_i s.t. ver(σ, m, verification key) = true

RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)

RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do proof of knowledge of signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(

CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ:
– choose random prime 2^(ℓ+2) > e > 2^(ℓ+1) and integer s ≈ n, compute c:
    c = (d / (a1^m1 ··· ak^mk b^s))^(1/e) mod n
– signature is (c, e, s)

CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, …, mk:
– m1, …, mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
– d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe:
– Let c' = c b^t mod n with randomly chosen t
– Then d = c'^e a1^m1 a2^m2 b^(s − e·t) (mod n), i.e., (c', e, s' = s − e·t) is also a signature on m1 and m2
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
  PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ

Privacy-protecting authentication with Privacy ABCs
Building blocks: signature scheme, commitment scheme, zero-knowledge proofs

Commitment scheme

Commitment Scheme: Functionality
(Slide figure: the committer locks a message m into a commitment, in the picture a safe with combination 2-36-17; later she opens it and the receiver checks that it contains the same m)

Commitment Scheme: Security
Binding: the committer cannot open one commitment to two different messages m ≠ m' (in the figure, a second combination 3-21-11 opening to a different m')
Hiding: for all messages m, m', the commitments to m and to m' look the same to the receiver

Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
• Pedersen: perfectly hiding, computationally binding: choose r ∈ Z_q and compute c = g^x h^r
• ElGamal: computationally hiding, perfectly binding: choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r

Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
  Let c be a commitment and u = log_g h
  Thus c = g^x h^r = g^(x + u·r); for any x' choose r' = r + (x − x')/u, so that x + u·r = x' + u·r' and c = g^(x' + u·r') = g^x' h^r'
  I.e., given c and x', there exists r' such that c = g^x' h^r'
Computationally binding:
  Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'
  Then g^(x − x') = h^(r' − r) and u = log_g h = (x − x')/(r' − r) mod q

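The two arguments of the Pedersen slide made concrete, as an added example (not code from the slides): with the trapdoor u = log_g h any commitment opens to any value, and two openings of one commitment give u away. The group is the order-q subgroup of Z_p^* for the constructed safe prime p = 2q+1 = 10007, and the trapdoor u = 1234 is chosen here only for the demonstration.

```python
"""Pedersen commitment c = g^x h^r in <g> = <h> of prime order q, with the two
arguments from the slide made concrete: with the trapdoor u = log_g h any commitment
opens to any value (perfect hiding), and two openings of one commitment reveal u
(binding reduces to the discrete log).

Added example, not code from the slides. Constructed toy group: order-q subgroup of
Z_p^* with the safe prime p = 2q+1 = 10007; the trapdoor u is chosen here only to
illustrate the argument, in a real setup nobody knows it."""
import random

P = 10007
Q = (P - 1) // 2                       # q = 5003
G = 4                                  # order-q generator (a square)
U = 1234                               # trapdoor u = log_g h (constructed, normally unknown)
H = pow(G, U, P)                       # h = g^u

def commit(x, r):
    return pow(G, x, P) * pow(H, r, P) % P

def open_ok(c, x, r):
    return c == commit(x, r)

def elgamal_commit(x, r):
    """The perfectly binding variant from the slide: (g^x h^r, g^r)."""
    return commit(x, r), pow(G, r, P)

def equivocate(x, r, x_new, u=U):
    """Perfect hiding: c = g^(x + u r); pick r' with x + u r = x_new + u r',
    i.e. r' = r + (x - x_new) / u mod q, so c also opens to x_new."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q

def extract_trapdoor(x1, r1, x2, r2):
    """Binding: if g^x1 h^r1 = g^x2 h^r2 then g^(x1-x2) = h^(r2-r1),
    hence u = log_g h = (x1 - x2) / (r2 - r1) mod q."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q

def demo():
    rng = random.Random(11)
    x, r = 42, rng.randrange(Q)        # constructed value and randomness
    c = commit(x, r)
    honest = open_ok(c, x, r)
    wrong = open_ok(c, x + 1, r)
    # with the trapdoor the same c opens to 7 as well
    r2 = equivocate(x, r, 7)
    equivocated = open_ok(c, 7, r2)
    # two openings of one commitment give away the trapdoor
    recovered = extract_trapdoor(x, r, 7, r2) == U
    # the ElGamal variant pins down r (and thus x) through its second component
    c_eg = elgamal_commit(x, r)
    eg_bound = c_eg[1] == pow(G, r, P) and c_eg[1] != pow(G, r2, P)
    return honest, wrong, equivocated, recovered, eg_bound
```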
Commitment Scheme: Extended Features
Proof of knowledge of contents: the committer proves knowledge of the m inside a commitment without opening it (verifier: true)
Proof of relations among contents: e.g., for commitments to m and m', prove m' = 2·m (verifier: true)
Let C1 = g^m h^r and C2 = g^m' h^r', then
  PK{(α, β): C1 = g^β h^α}
  PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}

Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^sk h^r

Like PKI, but better
Privacy-protecting authentication with Privacy ABCs – Concept: credentials
Issuing a credential: the issuer signs attributes such as Name = Alice Doe, Birth date = April 3, 1997

Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk:
– m1, …, mk ∈ {0,1}^ℓ
– e > 2^(ℓ+1)
– d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
The signer receives commitments to m1, …, mj together with the clear messages (mj+1, …, mk) and outputs σ = sig((commitments to m1, …, mj, mj+1, …, mk), signing key); the user ends up with ver(σ, (m1, …, mk), verification key) = true
Verification remains unchanged
Security requirements basically the same as for signatures, but:
• signer should not learn any information about m1, …, mj
• forgery w.r.t. message clear parts and opening of commitments

Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
1. User computes C = a1^sk b^s' and sends C together with the attribute name, plus the proof
     PK{(μ1, σ'): C = a1^μ1 b^σ'}
2. Issuer chooses e, s'' and computes c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')
3. User holds the signature: d = c^e a1^sk a2^name b^(s'' + s') (mod n)

Realizing Issuance of Credential
Issuer public key: n, a_i, b, d; want to sign w.r.t. Nym = g^sk h^r
1. User computes Nym = g^sk h^r and C = a1^sk a2^r b^s', sends C, Nym and name, plus the proof
     PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ'}
2. Issuer stores (Nym, name), chooses e, s'' and computes c = (d / (C a3^name b^s''))^(1/e) mod n; returns (c, e, s'')
3. User holds the signature: d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n)

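The CL signature (sign, verify, re-randomise) and the issuance on a hidden message just described, as an added example (not code from the slides or from Identity Mixer); the zero-knowledge proof that accompanies C is left out. The modulus is built from the constructed toy safe primes 10007 and 2579 with ℓ = 8-bit messages, which is insecure and only demonstrates the arithmetic.

```python
"""CL signature as on the slides (sign / verify / re-randomise) and issuance on a
hidden message: the user sends C = a1^sk a2^r b^s', the issuer signs without learning
sk or r, and the user completes s = s' + s''.

Added example, not code from the slides or from Identity Mixer. Toy modulus from the
constructed safe primes 10007 and 2579 and ℓ = 8-bit messages: insecure, arithmetic only."""
import random

L = 8                                   # messages m_i in {0,1}^ℓ, e in (2^(ℓ+1), 2^(ℓ+2))
P_TOY, Q_TOY = 10007, 2579              # constructed safe primes
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)         # issuer's secret

def _square(rng):
    return pow(rng.randrange(2, N - 1), 2, N)      # random element of QR_n

def keygen(rng, k):
    """Public key (n, a_1..a_k, b, d) with all bases in QR_n."""
    return {"a": [_square(rng) for _ in range(k)], "b": _square(rng), "d": _square(rng)}

def random_prime_e(rng):
    """Prime e with 2^(ℓ+1) < e < 2^(ℓ+2), by trial division (toy sizes)."""
    while True:
        e = rng.randrange(2 ** (L + 1) + 1, 2 ** (L + 2), 2)
        if all(e % f for f in range(3, int(e ** 0.5) + 1, 2)):
            return e

def issue(pk, C, hidden, clear, rng):
    """Issuer: c = (d / (C · Π a_j^m_j · b^s''))^(1/e) mod n, where C already carries
    the first `hidden` messages and `clear` are the remaining ones. Returns (c, e, s'')."""
    e, s2 = random_prime_e(rng), rng.randrange(N)
    base = C * pow(pk["b"], s2, N) % N
    for a_j, m_j in zip(pk["a"][hidden:], clear):
        base = base * pow(a_j, m_j, N) % N
    c = pow(pk["d"] * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2

def verify(pk, sig, msgs):
    """Check m_i in {0,1}^ℓ, e in range, and d = c^e · Π a_i^m_i · b^s mod n."""
    c, e, s = sig
    if not 2 ** (L + 1) < e < 2 ** (L + 2) or any(not 0 <= m < 2 ** L for m in msgs):
        return False
    lhs = pow(c, e, N)
    for a_i, m_i in zip(pk["a"], msgs):
        lhs = lhs * pow(a_i, m_i, N) % N
    return lhs * pow(pk["b"], s, N) % N == pk["d"]

def randomize(pk, sig, rng):
    """(c b^t, e, s - e t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = rng.randrange(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t

def demo():
    rng = random.Random(5)
    pk = keygen(rng, k=3)                   # a1: sk, a2: r (pseudonym randomness), a3: name
    sk, r, name = 173, 91, 200              # constructed attribute values, all < 2^ℓ
    s1 = rng.randrange(N)
    C = pow(pk["a"][0], sk, N) * pow(pk["a"][1], r, N) % N * pow(pk["b"], s1, N) % N
    c, e, s2 = issue(pk, C, hidden=2, clear=[name], rng=rng)   # issuer never sees sk, r
    sig = (c, e, s1 + s2)                   # user completes the signature
    valid = verify(pk, sig, [sk, r, name])
    sig2 = randomize(pk, sig, rng)
    rerandomized = verify(pk, sig2, [sk, r, name]) and sig2[0] != sig[0]
    forged = verify(pk, sig, [sk, r, name + 1])
    return valid, rerandomized, forged
```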
An Example Scenario

Polling: Scenario and Requirements
Scenario:
– Pollster(s) and a number of users
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable

Polling – Solution: Registration
User generates a pseudonym (ID for registration)
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with
  d = c^e a1^sk a2^r a3^attr b^s (mod n)
The credential can contain attributes (e.g., course ID) about her
Issuer public key: (n, a1, a2, b, d)

Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
   P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential:
   – c' = c b^s' mod n with randomly chosen s'
   – SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)

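The domain-pseudonym part of the polling solution, as an added example (not code from the slides or from Identity Mixer): a repeated submission to the same poll is detected because P is the same, and the same user shows a different P in another poll. The credential proof is left out; the group is the order-q subgroup of Z_p^* for the constructed safe prime p = 2q+1 = 10007 and H squares SHA-256(pollID) mod p (an insecure toy size).

```python
"""Domain pseudonyms for the polling scenario on the slides: P = H(pollID)^sk.
A second submission by the same user to the same poll shows the same P and is
dropped, while her pseudonyms in different polls are unlinkable under DDH.

Added example, not code from the slides or from Identity Mixer; the credential
proof that accompanies P is not included. Constructed toy group: the order-q
subgroup of Z_p^* for the safe prime p = 2q+1 = 10007, with H mapping a poll ID
into the subgroup by squaring SHA-256(pollID) mod p (insecure size)."""
import hashlib

P = 10007
Q = (P - 1) // 2

def hash_to_group(poll_id):
    """g_d = H(pollID): a square in Z_p^*, i.e. an element of the order-q subgroup."""
    digest = hashlib.sha256(poll_id.encode()).digest()
    g = pow(int.from_bytes(digest, "big") % P, 2, P)
    if g in (0, 1):                     # degenerate value; retry with a tweaked input
        return hash_to_group(poll_id + "#")
    return g

def domain_pseudonym(sk, poll_id):
    return pow(hash_to_group(poll_id), sk, P)

class Pollster:
    """One poll: remembers the domain pseudonyms seen so far."""
    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = set()
        self.opinions = []

    def submit(self, pseudonym, opinion):
        """Accept one opinion per domain pseudonym; later attempts are dropped."""
        if pseudonym in self.seen:
            return False
        self.seen.add(pseudonym)
        self.opinions.append(opinion)
        return True

def demo():
    alice_sk, bob_sk = 2718, 3141                    # constructed secret keys
    course = Pollster("course-eval-2015")
    cafeteria = Pollster("cafeteria-2015")
    p_alice_course = domain_pseudonym(alice_sk, course.poll_id)
    first = course.submit(p_alice_course, "good")
    # Alice tries again: same poll, same sk, hence the same P
    repeat = course.submit(domain_pseudonym(alice_sk, course.poll_id), "great")
    bob = course.submit(domain_pseudonym(bob_sk, course.poll_id), "meh")
    # a different poll hashes to a different base, so Alice's P changes
    p_alice_cafeteria = domain_pseudonym(alice_sk, cafeteria.poll_id)
    return (first, repeat, bob, p_alice_course != p_alice_cafeteria, course.opinions)
```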
Further Concepts

Concept – Inspection
(Figure: inspector parameters; inspection grounds)
• If car is damaged: ID with insurance or government needs to be retrieved
• Similarly: verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust

Public Key Encryption
– Key generation
– Encryption
– Decryption
Security: like envelopes – no info about the message
This is called semantic security (secure if used once only, or within a careful construction)

Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext

Verifiable Encryption
Of attributes (discrete logarithm)
– Camenisch-Shoup (SRSA) – based on Paillier encryption
Of pseudonyms (group elements)
– Cramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which a ZKPK exists)
– Camenisch-Damgård works for any scheme, but much less efficient
Open problem: to find new ones

ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, …, q}; public key: y = g^x
To encrypt message m ∈ <g>:
– choose random r ∈ {1, …, q}
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^(xr) m, g^r)
– Thus set m = c1 · c2^(−x) = y^r m g^(−xr) = y^(r − r) m = m

Realizing Inspection
User: Nym = g^sk h^r and credential d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n); inspector public key y = g^x
Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute proof
  PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
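ElGamal encryption of the pseudonym for inspection, as an added example (not code from the slides or from Identity Mixer): the inspector decrypts e1 · e2^(−x) and maps Nym back to the name the issuer stored. The proof that ties the ciphertext to the credential is left out; the group is the order-q subgroup of Z_p^* for the constructed safe prime p = 2q+1 = 10007 and the second base h is constructed, so all sizes are insecure.

```python
"""ElGamal encryption of a pseudonym for inspection, as on the slides: the user
encrypts Nym = g^sk h^r under the inspector's key y = g^x as (y^u · Nym, g^u); the
inspector decrypts with c1 · c2^(-x) and looks the pseudonym up in the registry
(Nym, name) that the issuer stored at issuance.

Added example, not code from the slides or from Identity Mixer; the zero-knowledge
proof that ties the ciphertext to the credential is not included. Constructed toy
group: order-q subgroup of Z_p^* for the safe prime p = 2q+1 = 10007 (insecure size)."""
import random

P = 10007
Q = (P - 1) // 2                 # q = 5003
G = 4                            # order-q generator
H = pow(G, 777, P)               # second base for pseudonyms (constructed; its log is never used)

def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P            # Nym = g^sk h^r

def inspector_keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                             # (secret x, public y = g^x)

def encrypt(y, nym, rng):
    """enc = (y^u · Nym, g^u) = (e1, e2) with fresh random u."""
    u = rng.randrange(1, Q)
    return pow(y, u, P) * nym % P, pow(G, u, P)

def decrypt(x, enc):
    """Nym = e1 · e2^(-x) = y^u Nym g^(-x u)."""
    e1, e2 = enc
    return e1 * pow(e2, -x, P) % P

def inspect(x, registry, enc):
    """Inspector recovers Nym and maps it to the identity the issuer recorded."""
    return registry.get(decrypt(x, enc))

def demo():
    rng = random.Random(13)
    x, y = inspector_keygen(rng)
    nym = pseudonym(sk=2718, r=rng.randrange(Q))       # constructed user values
    registry = {nym: "Alice Doe"}                      # stored by the issuer at issuance
    enc_a = encrypt(y, nym, rng)
    enc_b = encrypt(y, nym, rng)                       # same Nym, fresh randomness
    unlinkable = enc_a != enc_b                        # semantic security: no repeats
    x_wrong = (x + 1) % Q                              # a key other than the inspector's
    return (inspect(x, registry, enc_a), inspect(x, registry, enc_b),
            unlinkable, inspect(x_wrong, registry, enc_a))
```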
Revocation of credentials

Anonymous Credential Revocation
(Figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: user lost credential/secret key, misbehavior of user
Alice should be able to convince the verifier that her credential is among the good ones

Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work

Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for each u_j in (u_1, …, u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s} (mod n)
Publish the list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable
Revocable Credentials: Second Solution (variation)
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_i = h^{u_i} → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
– One way out: h = H(verifier, date), so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – better implementation of the proof
(figure: revocation list {1, 4, 5}; the issuer signs the intervals between revoked values: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a credential with value 3 lies in the interval (1,4))
Issuer signs the intervals between revoked values → revocation list {1, 4, 5}
The credential contains a value u with i < u < j; the user proves knowledge of Sig(i, j) for such an interval
Verifier does not learn i, j
Sig(i, j) can also be realised with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
(figure: an accumulator containing the serial numbers 1 to 6; a credential with serial number 2 proves, using its witness, that 2 is included in the accumulator)
Credentials contain a random serial number
Issuer accumulates all good serial numbers
Proof requires a witness
(figure: the accumulator after serial number 2 has been removed; the proof would require a witness that no longer exists)
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be hard to find x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets the witness x with the certificate. But we still need:
– An efficient protocol to prove that a committed value is contained in the accumulator
– A dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x:
  • choose random s and g, and
  • compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
– Run the proof protocol with the verifier: PK{(ε, μ, ρ, σ, ξ, δ):
  d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n)
  ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed
  • (U1, U2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ μ} = (U1 / h^δ)^μ (mod n)
  c) d = c^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
– Now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
– Witness:
  • Use Ext. Euclid to compute a and b s.t. a e_own + b e_rev = 1
  • Now x' = x^b z'^a mod n
  • Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
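The accumulator operations from the Third Solution slides (accumulate, witness, membership check, add with witness update, and revocation with the extended-Euclid witness update), as an added Python example that is not part of the original slides. The modulus n = 23·47, the seed v and the prime serial numbers are constructed toy values; a real deployment uses a ~2048-bit n and large random primes.

```python
# Added example: toy RSA accumulator with dynamic add/remove, after the
# "Revocable Credentials: Third Solution" slides. Parameters are constructed
# toy values, not secure sizes.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def inv_mod(a, m):
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse")
    return x % m

# Constructed toy parameters: n = p*q with p, q safe primes (23 = 2*11+1, 47 = 2*23+1).
P, Q = 23, 47
N = P * Q                 # 1081
PHI = (P - 1) * (Q - 1)   # issuer trapdoor, needed only for taking roots
V = pow(5, 2, N)          # seed v in QR_n

class Accumulator:
    """Issuer side: z = v^(prod e_i) mod n over the primes of unrevoked credentials."""
    def __init__(self):
        self.members = []
        self.z = V

    def add(self, e_new):
        # z' = z^e_new; every existing witness must become x' = x^e_new
        self.members.append(e_new)
        self.z = pow(self.z, e_new, N)
        return self.z

    def witness(self, e_j):
        # x = v^(product of all other e_i), so that x^e_j = z
        x = V
        for e in self.members:
            if e != e_j:
                x = pow(x, e, N)
        return x

    def remove(self, e_rev):
        # z' = z^(1/e_rev): the issuer knows phi(n), so it can take the e_rev-th root
        self.members.remove(e_rev)
        self.z = pow(self.z, inv_mod(e_rev, PHI), N)
        return self.z

def verify_membership(z, x, e):
    """Verifier check from the slides: z == x^e mod n."""
    return pow(x, e, N) == z

def update_witness_after_add(x, e_new):
    """User-side update when e_new joins: x' = x^e_new mod n."""
    return pow(x, e_new, N)

def update_witness_after_remove(x, e_own, e_rev, z_new):
    """User-side update without the trapdoor: find a, b with a*e_own + b*e_rev = 1,
    then x' = x^b * z'^a mod n (negative exponents are taken via modular inverses)."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "accumulated values must be distinct primes"
    def mpow(base, exp):
        return pow(base, exp, N) if exp >= 0 else pow(inv_mod(base, N), -exp, N)
    return (mpow(x, b) * mpow(z_new, a)) % N

if __name__ == "__main__":
    acc = Accumulator()
    for e in (13, 17, 19):
        acc.add(e)
    x13 = acc.witness(13)
    print("member 13 verifies:", verify_membership(acc.z, x13, 13))
    x13 = update_witness_after_add(x13, acc.add(29))
    x13 = update_witness_after_remove(x13, 13, 17, acc.remove(17))
    print("still verifies after add+revoke:", verify_membership(acc.z, x13, 13))
```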
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– User sends U = a1^{m1} a2^{m2} b^{s'}
– Issuer chooses e, s'' and computes c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n
– Issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
– Choose e_i, s_i''
– c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, 16(3):185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2):84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, 28(10), 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy – a lost case?
No, but we need a paradigm shift & build stuff for the moon rather than the sandy beach
Need to protect our data
Devices, sensors etc. cannot all be physically protected
– authentication of all devices
– authentication of all data
… makes it even worse :-(
Data cannot be controlled
– minimize information
– encrypt information
– attach usage policies to each bit
So what can we do?
Legal approach
– Regulate what information can be collected
– How to collect it
– How to use and protect it
– Issue fines for misbehavior
– Very different for different countries and cultures
Technological approach
– Protect data by encryption
– Govern data by policies
– Minimize data that needs to be used
Of course there are limits
Tracing is so easy
– each piece of hardware is quite unique
– log files everywhere
… but that's not the point
– it's not about NSA et al.
– active vs. passive "adversaries"
Still: privacy by design
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, Identity and Trust Management built in everywhere
Network Layer: Anonymity
– in mobile phone networks
– in the Future Internet as currently discussed
– access points for ID cards
Identification Layer
– Access control & authorization
Application Layer
– "Standard" e-Commerce
– Specific apps, e.g. eVoting, OT, PIR
– Web 2.0, e.g. Facebook, Twitter, Wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
(figure: a cloud of attributes such as name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance)
ID: a set of attributes shared with someone
– attributes are not static: user & party can add
ID Management: two things to make an ID useful
– authentication means
– means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: I wish to see Alice in Wonderland
Movie Streaming Service → Alice: You need – a subscription – to be older than 12
Watching the movie with the traditional solution
Alice → Movie Streaming Service: ok, here's – my eID – my subscription
Movie Streaming Service: Aha, you are – Alice Doe – born on Dec 12, 1975 – 7 Waterdrive, CH 8003 Zurich – Married – Expires Aug 4, 2018; Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016
This is a privacy and security problem:
– identity theft
– profiling
– discrimination
Watching the movie with the traditional solution: with OpenID and similar solutions, e.g. log-in with Facebook
Movie Streaming Service: Aha, you are – Alice@facebook.com – born on Dec 12, 1975 – Alice's friends are … – Alice's public profile is …; Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016
And the identity provider learns: Aha, Alice is watching a 12+ movie
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better: one secret identity (secret key), many public pseudonyms (public keys)
Issuing a credential (figure: a credential with Name = Alice Doe, Birth date = April 3, 1997)
Privacy-protecting authentication with IBM Identity Mixer (figure sequence)
Alice → Movie Streaming Service: I wish to see Alice in Wonderland
Movie Streaming Service → Alice: You need – a subscription – to be older than 12
Like PKI, but Alice does not send the credential, only a minimal disclosure: – valid subscription – eID with age ≥ 12
Movie Streaming Service (checking with the public verification key of the issuer): Aha, you are – older than 12 – have a subscription
Advantages of Identity Mixer
For Users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For Service Providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
(figure: a trusted third party, TTP)
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Concept – Revocation
(figure: revocation authority parameters (public key) and revocation info)
• If Alice was speeding, the license needs to be revoked
• There are many different use cases and many solutions
• Variants of CRLs work (using crypto to maintain anonymity)
• Accumulators
• Signing entries & proof
• Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
The degree of anonymity can be limited
Use limitation – anonymous until
– Alice used certs > 100 times total
– or > 10,000 times with Bob
If Alice and Eve are on-line at the same time, they are caught
Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
Anonymous access to patient records
– accessing medical test results
Anonymous consultations with specialists
– online chat with a psychologist
– online consultation with IBM Watson
Eligibility for the premium health insurance
– proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits etc.)
Polls, recommendation platforms
Online polls – applying different restrictions on the poll participants: location, citizenship
Rating and feedback platforms
– anonymous feedback for a course only from the students who attended it
– wikis
– recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
(figure: three layers on both the user and the verifier side)
– Application layer: resource request; AC & app logic
– Policy layer: presentation policy and presentation token; the user's wallet holds a policy/credential matcher, a credential manager, evidence generation orchestration and a store; the verifier holds a policy/token matcher, a token manager, evidence verification orchestration and a store
– Crypto layer: Sig, Enc, Com, ZKP
Privacy-protecting authentication with Privacy ABCs
(figure: the issuer parameters and the credential specification define a credential; the user derives a pseudonym and a presentation token, e.g. proving 12 < age, that matches the verifier's presentation policy and verifier parameters)
The Policy Layer – An Example Presentation Policy
(figure: the verifier sends a presentation policy to the user, who answers with a presentation token)
  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently
zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge
(figure: three moves – commitment, challenge, response)
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>
The prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g
Prover (knows x with y = g^x): random r; t = g^r; sends t
Verifier: random c; sends c
Prover: s = r − c x; sends s
Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice on the same commitment t with challenges c and c', obtaining responses s and s':
t = g^s y^c = g^{s'} y^{c'} → y^{c − c'} = g^{s' − s}
→ y = g^{(s' − s)/(c − c')}
→ x = (s' − s)/(c − c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
Simulator: choose random c', s'; compute t = g^{s'} y^{c'}; send t; receive c
if c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier: random c, v; h = H(c, v); sends h
Prover: random r; t = g^r; sends t
Verifier: sends c, v
Prover: checks h = H(c, v); s = r − c x; sends s
Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security
Simulation for the modified protocol with a large domain for c:
Simulator: receive h; choose random c', s'; compute t = g^{s'} y^{c'}; send t; receive c, v
After having received c, "reboot" the verifier (rewind it to the point after it sent h)
Choose random s'; compute t = g^{s'} y^c; send t; receive c, v again (the verifier is bound to c by h)
Send s'
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r − c x (mod q)
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
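The Schnorr protocol PK{(α): y = g^α} of the preceding slides, the knowledge extractor that rewinds the prover to obtain two transcripts on the same t, the zero-knowledge simulator, and the Fiat-Shamir signature SPK{(α): y = g^α}(m), as an added Python example that is not part of the original slides. The group (p = 1019, q = 509, g = 4) is a constructed toy subgroup; real deployments use a ~256-bit q.

```python
# Added example: Schnorr proof of knowledge of a discrete logarithm, extractor,
# simulator and Fiat-Shamir signature. Group parameters are constructed toy values.
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # <g> has prime order q = 509 inside Z_p^*, p = 2q + 1

def keygen():
    """Secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

class Prover:
    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)          # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q  # s = r - c*x mod q

def verify(y, t, c, s):
    """Verifier check: t == g^s * y^c mod p."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P

def extract(y, t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts on the same t with c1 != c2
    give x = (s2 - s1)/(c1 - c2) mod q, as derived on the slides."""
    assert c1 != c2 and verify(y, t, c1, s1) and verify(y, t, c2, s2)
    x = (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q
    assert pow(G, x, P) == y
    return x

def simulate(y):
    """Zero-knowledge: an accepting transcript produced without knowing x,
    by picking c and s first and computing t = g^s * y^c."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s

def _hash_challenge(t, m):
    # c = H(t || m) reduced into Z_q (the "random oracle" of the slides)
    h = hashlib.sha256(t.to_bytes(2, "big") + m).digest()
    return int.from_bytes(h, "big") % Q

def sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): c = H(g^r || m), s = r - c*x mod q; output (c, s)."""
    r = secrets.randbelow(Q)
    c = _hash_challenge(pow(G, r, P), m)
    return c, (r - c * x) % Q

def verify_signature(y, m, sig):
    """Recompute t = g^s * y^c and check c == H(t || m)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == _hash_challenge(t, m)

if __name__ == "__main__":
    x, y = keygen()
    prover = Prover(x)
    t = prover.commit()
    c = secrets.randbelow(Q)
    print("interactive proof accepted:", verify(y, t, c, prover.respond(c)))
    print("signature accepted:", verify_signature(y, b"hello", sign(x, b"hello")))
```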
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now, what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2}, and
C3 = g^{α1} g^{α2} h^{β3} = g^{α1 + α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, …, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5 α2} h^{β3} = g^{α1 + 5 α2} h^{β3}
→ α3 = α1 + 5 α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now, what does PK{(α1, …, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{β3'}} mean?
→ The prover knows values α1, β1, α2, β2, β3' such that
C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2}, and
C3 = C2^{α1} h^{β3'} = (g^{α2} h^{β2})^{α1} h^{β3'} = g^{α2·α1} h^{β3' + β2·α1}
C3 = g^{α2·α1} h^{β3' + β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, α2, β2, β2'): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{β2'}}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now, what does PK{(α1, β1, α2, β2, β2'): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β2'}} mean?
→ The prover knows values α1, β1, β2' such that
C1 = g^{α1} h^{β1}
g = (C2/C1)^{α1} h^{β2'} = (C2 g^{−α1} h^{−β1})^{α1} h^{β2'}
→ g^{1/α1} = C2 g^{−α1} h^{−β1} h^{β2'/α1}
C2 = g^{α1} h^{β1} h^{−β2'/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 − β2'/α1}
C2 = g^{α2} h^{β2}
→ α2 = α1 + α1^{−1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs)
signature schemes
Signature Scheme Functionality
Key generation: the signer generates a secret key and a public key
Signing: on messages (m1, …, mk), the signer computes σ = sig((m1, …, mk), secret key)
Verification: anyone holding the public key checks ver(σ, (m1, …, mk), public key) = true
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack
The adversary adaptively obtains signatures (m1, σ1), …, (ml, σl) on messages of its choice
and must output σ and m ≠ mi s.t. ver(σ, m, public key) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1)
s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Sc
heme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ:
choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute c:
c = (d / (a1^{m1} ··· ak^{mk} b^s))^{1/e} mod n
the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, …, mk:
m1, …, mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption
Proving Knowledge of a CL-signature
Recall d = c^e a1^{m1} a2^{m2} b^s mod n
Observe:
Let c' = c b^t mod n with randomly chosen t
Then d = c'^e a1^{m1} a2^{m2} b^{s − et} (mod n), i.e. (c', e, s' = s − et) is also a signature on m1 and m2
To prove knowledge of the signature (c', e, s') on m2 and some m1, provide c' and
PK{(ε, μ1, σ): d / a2^{m2} = c'^ε a1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^{μ1} a2^{m2} b^σ
commitment scheme
Commitment Scheme Functionality
(figure: the committer locks a message m into a box, the commitment, and hands it over; the receiver sees only the box until the committer opens it and reveals m)
Commitment Scheme Security
Binding: once committed, the box can only be opened to the one message m that was put in, not to some m' ≠ m
Hiding: for all messages m, m', the receiver cannot tell a commitment to m from a commitment to m' before it is opened
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen: perfectly hiding, computationally binding; choose r ∈ Z_q and compute c = g^x h^r
• ElGamal: computationally hiding, perfectly binding; choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h
Thus c = g^x h^r = g^{x + ur} = g^{(x + u(r − r')) + ur'} = g^{x + u(r − r')} h^{r'} for any r'
I.e., given c and any x', there exists r' such that c = g^{x'} h^{r'}
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
Then g^{x − x'} = h^{r' − r} and u = log_g h = (x − x')/(r' − r) mod q
Commitment Scheme Extended Features
Proof of knowledge of contents: the prover shows that she knows the m inside a commitment; the verifier outputs true without learning m
Proof of relations among contents: e.g. prove m' = 2·m for the contents of two commitments
Let C = g^m h^r and C' = g^{m'} h^{r'}, then
PK{(α, β): C = g^β h^α}
PK{(α, β, γ): C = g^β h^α ⋀ C' = (g^2)^β h^γ}
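Pedersen commitments and a non-interactive version of the relation proof PK{(α, β, γ): C = g^β h^α ⋀ C' = (g^2)^β h^γ} from the slides, i.e. that the value in C' is twice the value in C without opening either, as an added Python example that is not part of the original slides. The group (p = 1019, q = 509, g = 4) and the second generator h = g^123 are constructed toy values; in a real setup nobody may know log_g h and q must be ~256 bits.

```python
# Added example: Pedersen commitments and a Fiat-Shamir proof that the contents
# of two commitments satisfy m' = 2*m. Group parameters are constructed toy values.
import hashlib
import secrets

P, Q, G = 1019, 509, 4        # <g> has prime order q in Z_p^*
H = pow(G, 123, P)            # constructed second generator (log_g h must be unknown in practice)

def commit(m, r=None):
    """Pedersen commitment c = g^m h^r with fresh randomness r; returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(H, r, P)) % P, r

def open_commitment(c, m, r):
    """Verifier side of opening: check c == g^m h^r."""
    return c == (pow(G, m, P) * pow(H, r, P)) % P

def _challenge(*elements):
    # Fiat-Shamir challenge in [1, q-1]; 0 is excluded so that a wrong statement
    # can never pass the checks through the trivial challenge.
    data = b"".join(e.to_bytes(2, "big") for e in elements)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def prove_double(c1, m, r, c2, r2):
    """Prover: witness beta = m, alpha = r (opening of C) and gamma = r2 (opening of C'),
    proving C = g^beta h^alpha and C' = (g^2)^beta h^gamma with the same beta."""
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = (pow(G, rb, P) * pow(H, ra, P)) % P          # g^rb h^ra
    t2 = (pow(G, 2 * rb, P) * pow(H, rg, P)) % P      # (g^2)^rb h^rg, same rb
    c = _challenge(c1, c2, t1, t2)
    # responses in the slides' convention s = r - c*x mod q
    return t1, t2, (rb - c * m) % Q, (ra - c * r) % Q, (rg - c * r2) % Q

def verify_double(c1, c2, proof):
    """Verifier: t1 == g^sb h^sa C^c and t2 == (g^2)^sb h^sg C'^c."""
    t1, t2, sb, sa, sg = proof
    c = _challenge(c1, c2, t1, t2)
    ok1 = t1 == (pow(G, sb, P) * pow(H, sa, P) * pow(c1, c, P)) % P
    ok2 = t2 == (pow(G, 2 * sb, P) * pow(H, sg, P) * pow(c2, c, P)) % P
    return ok1 and ok2

if __name__ == "__main__":
    c_m, r_m = commit(5)
    c_2m, r_2m = commit(10)
    proof = prove_double(c_m, 5, r_m, c_2m, r_2m)
    print("m' = 2m proof accepted:", verify_double(c_m, c_2m, proof))
```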
putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^{sk} h^r
Concept: credentials
(figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk:
– m1, …, mk ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a1^{sk} a2^{m2} ··· ak^{mk} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(figure: the user commits to m1, …, mj and sends the commitment together with the clear messages mj+1, …, mk; the signer outputs σ = sig((commitment, mj+1, …, mk), secret key))
Verification remains unchanged: ver(σ, (m1, …, mk), public key) = true
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about m1, …, mj
• forgery w.r.t. the clear message parts and the openings of the commitments
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of a Credential

Issuer public key: $n, a_1, a_2, a_3, b, d$. The user holds $sk$ and wants a credential on $(sk, name)$ without revealing $sk$.

1. User chooses random $s'$, computes $C = a_1^{sk} b^{s'} \bmod n$ and sends $C$ and $name$ to the issuer, together with the proof
   $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
   that she knows an opening of $C$ (with $\mu_1$ in the message space).
2. Issuer chooses a random prime $e$ and random $s''$, computes
   $c = (d / (C \, a_2^{name} \, b^{s''}))^{1/e} \bmod n$
   and returns $(c, e, s'')$.
3. User sets $s = s' + s''$. The credential is $(c, e, s)$, and indeed
   $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Want to sign w.r.t. a pseudonym $Nym = g^{sk} h^r$:
- user commits to both $sk$ and $r$: $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$, and proves
  $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$,
  i.e. that the same $sk$ and $r$ sit in $Nym$ and in $C$
- issuer stores $(Nym, name)$, computes $c = (d / (C \, a_3^{name} \, b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
- credential: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
Polling: Scenario and Requirements

Scenario: one or more pollsters and a number of users.
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous; a user's opinions in different polls must not be linkable.
Polling: Solution, Registration

- User generates a pseudonym (her ID for registration).
- User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
  under the issuer public key $(n, a_1, a_2, a_3, b, d)$.
- The credential can contain attributes (e.g., course ID) about her.
Polling: Solution, Submitting an Opinion

1. User generates a domain pseudonym for domain = pollID.
2. User transforms (re-randomizes) her credential.
3. User presents the transformed credential, revealing only a subset of the attributes.
- The user is anonymous and unlinkable across polls.
- Multiple opinions are detected because the domain pseudonym is unique per user and poll.
Polling: Solution, Polling

1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$ (a hash into the group), i.e. $P = H(pollID)^{sk}$.
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption), while the same user in the same poll always produces the same $P$.
2. User transforms her credential: $c' = c \, b^{s'} \bmod n$ with randomly chosen $s'$, and sends $P$, $c'$ and the signature proof of knowledge
   $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
   on the opinion; the shared $\mu_1$ ties the domain pseudonym to the secret key certified in the credential.
Further Concepts
Concept: Inspection

(Figure: a TTP, the inspector, publishes inspector parameters; the presentation policy states the inspection grounds.)
- If the car is damaged, the user's ID must be retrievable by the insurance or the government.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption

Key generation, encryption, decryption.

Security: like envelopes, the ciphertext gives no information about the message. Formally, an adversary cannot tell the encryption of $m$ from the encryption of $m'$, not even one bit of it.
This is called semantic security (secure if a key is used once only, or within a careful construction).
Verifiable Encryption with Label

The label is important to bind context to an encryption: e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label is a new ciphertext, i.e. a ciphertext is only valid under the label it was created with and cannot be re-used in another context.
Verifiable Encryption

- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL), or rarely ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: find new ones.
ElGamal Encryption Scheme

Group $G = \langle g \rangle$ of prime order $q$.
Secret key: $x \in \{1, \dots, q\}$; public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in \{1, \dots, q\}$
- compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^r y^{-r} m = m$
Realizing Inspection

Setting: pseudonym $Nym = g^{sk} h^r$, credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s} \pmod n$, inspector public key $y = g^x$.

- Encrypt $Nym$: choose random $u \in \{1, \dots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
- Compute the proof token (presentation token):
  - compute $c' = c \, b^t \bmod n$ with randomly chosen $t$
  - compute the proof
    $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
- The proof shows that $(e_1, e_2)$ decrypts to $g^{\mu_1} h^{\mu_2}$, the pseudonym of the very $sk$ certified in the credential, so the inspector can recover $Nym$ on the stated grounds, and nobody else learns it.
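ElGamal encryption of a pseudonym, the inspector's decryption, and the malleability that is the reason the slides insist on verifiable encryption with a label rather than plain ElGamal. This is an added example, not code from the deck or Identity Mixer. It assumes the 1024-bit MODP group of RFC 2409, a second generator obtained by hashing, and it omits the zero-knowledge proof (the PK above) that ties the ciphertext to the credential; `inspect_token` and `malleate` are names chosen here, and the token dictionary is a constructed stand-in for a presentation token.

```python
import hashlib
import secrets

# Group parameters (an assumption of this example): the 1024-bit MODP group of
# RFC 2409, a safe prime P = 2Q + 1; G = 4 generates the subgroup of prime order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1
# Second generator for pseudonyms Nym = g^sk h^r, hashed so that log_G H2 is unknown.
H2 = pow(int.from_bytes(hashlib.sha256(b"pseudonym-h").digest(), "big") % P, 2, P)


def keygen():
    """Inspector key pair: secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y: int, m: int, r: int = None):
    """ElGamal: (y^r m, g^r) for a message m in <g>."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(y, r, P) * m % P, pow(G, r, P)


def decrypt(x: int, ct) -> int:
    """m = c1 * c2^{-x}: c2^x = g^{rx} = y^r cancels the mask."""
    c1, c2 = ct
    return c1 * pow(pow(c2, x, P), -1, P) % P


def inspect_token(x_inspector: int, token: dict) -> int:
    """'Realizing Inspection': the inspector recovers Nym from the token's (e1, e2).
    In the real protocol the verifier has first checked the PK that (e1, e2) encrypts
    the pseudonym of the credential's secret key under the stated label/grounds."""
    return decrypt(x_inspector, token["enc"])


def malleate(ct, delta: int):
    """Why plain ElGamal is not enough: anyone can turn Enc(Nym) into Enc(Nym * g^delta)
    without the key. Verifiable encryption with a label rules this out: the proof binds
    the ciphertext to the credential and the label binds it to the context."""
    c1, c2 = ct
    return c1 * pow(G, delta, P) % P, c2


if __name__ == "__main__":
    x_insp, y_insp = keygen()
    sk, r = secrets.randbelow(Q), secrets.randbelow(Q)
    nym = pow(G, sk, P) * pow(H2, r, P) % P
    token = {"enc": encrypt(y_insp, nym), "grounds": b"car damaged"}   # constructed token
    assert inspect_token(x_insp, token) == nym
    forged = {"enc": malleate(token["enc"], 1), "grounds": token["grounds"]}
    assert inspect_token(x_insp, forged) == nym * G % P   # decrypts to some other "Nym"
```

Without the proof, a verifier cannot tell `token` from `forged`; with it, the inspector decrypts exactly the pseudonym whose key signed the rest of the token.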
Revocation of Credentials

Anonymous Credential Revocation

There are various reasons to revoke a credential: the user lost the credential's secret key, misbehavior of the user, etc.
(Figure: the issuer publishes revocation information; the verifier looks it up.)
Alice should be able to convince the verifier that her credential is among the good ones.

Because presentations are pseudonymous (no identifier of the credential is revealed), standard revocation lists don't work.
Revocable Credentials: First Solution

Include a credential ID $u_i$ into the credential as a message, e.g.
$d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) IDs $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \dots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \dots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution

Include a credential ID $u_i$ into the credential as a message, e.g.
$d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid IDs $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
- the verifier checks that $U \ne h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

What happens if the list of $u_i$s is public (valid ones or invalid ones)?
If a credential is revoked, its $u_i$ becomes known (it appears on the invalid list or disappears from the valid one), and anyone who stored past $(h, U)$ pairs can test $U = h^{u_i}$: all past transactions of the revoked credential become linkable.
Revocable Credentials: Second Solution (continued)

Variation: the verifier could choose $h$ and keep it fixed for a while.
- The verifier can pre-compute the list $U_j = h^{u_j}$ → a single table lookup.
- BUT if the user comes again she produces the same $U$, so the verifier can link the visits; ALSO the verifier could decide never to change $h$, or use the same $h$ as other verifiers, and link across sessions and verifiers.
- One way out: $h = H(verifier, date)$, so the user can check that $h$ was derived correctly and not chosen to track her.
- The date could be the time up to seconds, and the verifier could just pre-compute and store all the lists.
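The domain pseudonyms of the polling scenario and the $U = h^{u_i}$ revocation check of the second solution use the same trick: raise a scope-dependent base $H(\cdot)$ to a secret exponent. The added example below (not from the deck; it assumes the 1024-bit MODP group of RFC 2409, SHA-256 followed by squaring as the hash into the group, and `Poll`, `scoped_pseudonym`, `revocation_base` and `not_revoked` are names chosen here, with constructed poll IDs and credential IDs) shows both: the pollster drops a second opinion under the same domain pseudonym, pseudonyms for two polls differ, and a verifier that keeps $h$ fixed sees the same $U$ from a returning user, which the date-scoped $h$ prevents. The zero-knowledge proofs that tie the exponents to a credential are assumed to have been checked separately.

```python
import hashlib
import secrets

# Group parameters (an assumption of this example): the 1024-bit MODP group of
# RFC 2409, a safe prime P = 2Q + 1; G = 4 generates the subgroup of prime order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1


def hash_to_group(label: bytes) -> int:
    """Hash into the order-Q subgroup: reduce mod P, then square (every square lies in <G>)."""
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)


def scoped_pseudonym(secret: int, scope: bytes) -> int:
    """P_scope = H(scope)^secret: deterministic per (secret, scope); pseudonyms of one
    secret under two scopes are unlinkable under DDH (no common base to compare)."""
    return pow(hash_to_group(scope), secret, P)


class Poll:
    """Pollster side of 'Submitting an Opinion': one opinion per domain pseudonym."""

    def __init__(self, poll_id: bytes):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, domain_nym: int, opinion: str) -> bool:
        if domain_nym in self.opinions:
            return False                 # subsequent attempts are dropped
        self.opinions[domain_nym] = opinion
        return True


def revocation_base(verifier: bytes, date: bytes) -> int:
    """h = H(verifier, date) of the second-solution variation: the user can recompute it,
    so the verifier cannot silently reuse an h that would link her to an earlier visit."""
    return hash_to_group(b"revocation|" + verifier + b"|" + date)


def not_revoked(h: int, U: int, revoked_ids) -> bool:
    """Verifier side: U = h^{u_i} passes iff it differs from h^{u_j} for every revoked u_j."""
    return all(U != pow(h, u_j, P) for u_j in revoked_ids)


if __name__ == "__main__":
    sk = secrets.randbelow(Q)
    course_eval = Poll(b"poll:course-eval-2015")          # constructed poll ID
    p1 = scoped_pseudonym(sk, course_eval.poll_id)
    assert course_eval.submit(p1, "great course")
    assert not course_eval.submit(scoped_pseudonym(sk, course_eval.poll_id), "again!")
    assert scoped_pseudonym(sk, b"poll:other-course") != p1  # other poll: other pseudonym

    u_i, revoked = 100003, [100019, 100043]                   # constructed credential IDs
    h_fixed = hash_to_group(b"verifier-picked-once")           # verifier never rotates h
    assert pow(h_fixed, u_i, P) == pow(h_fixed, u_i, P)       # two visits: same U, linkable
    h1 = revocation_base(b"cinema", b"2015-08-11T10:00:00")
    h2 = revocation_base(b"cinema", b"2015-08-11T10:00:01")
    assert pow(h1, u_i, P) != pow(h2, u_i, P)                 # date-scoped h: unlinkable
    assert not_revoked(h1, pow(h1, u_i, P), revoked)
    assert not not_revoked(h1, pow(h1, u_i, P), revoked + [u_i])
```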
Revocable Credentials: Second Solution, a better implementation of the proof

The issuer signs the intervals between revoked IDs: for revocation list $\{1, 4, 5\}$ out of $0, \dots, N$ it publishes $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$ and $Sig(5,N)$.
Alice proves that her credential contains $u$ and that she holds some $Sig(i,j)$ with $i < u < j$; e.g. for $u = 3$ she uses $Sig(1,4)$.
The verifier learns neither $i$, $j$ nor $u$.
$Sig(i,j)$ can be realised with the credential signature scheme itself, using a different public key.
Revocable Credentials: Third Solution, Using Cryptographic Accumulators

(Figure: credentials with serial numbers 1 to 6; the accumulator contains the good ones.)
- Credentials contain a random serial number.
- The issuer accumulates all good serial numbers into a single accumulator value.
- Alice proves that the serial number contained in her credential is included in the accumulator; the proof requires a witness for her serial number.
- To revoke serial number 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- the witness $x$ for $e_j$, s.t. $z = x^{e_j} \bmod n$, can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution

Security of the accumulator: it must be infeasible to find $x$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- For a fixed $e$: equivalent to the RSA assumption
- For any $e$ of the adversary's choice: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ together with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values as certificates come and go
Revocable Credentials: Third Solution

Prove that the serial number $e$ of your certificate is in the accumulator:
- Commit to the witness $x$:
  - choose random $s$ and a random generator $g$, and
  - compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$
- Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$

Analysis:
- No information about $x$ and $e$ is revealed:
  - $(U_1, U_2)$ is a secure commitment to $x$
  - the proof protocol is zero-knowledge
- The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⟹ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the serial number in the certificate
Revocation: Third Solution, Dynamic Accumulator

When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all existing witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$

When a certificate containing $e_{rev}$ is revoked:
- now $z' = v^{\prod_{i \ne rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer uses the factorization of $n$)
- witness update, done by each remaining user from $e_{own}$, $e_{rev}$, $x$ and $z'$:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a \, e_{own} + b \, e_{rev} = 1$ (possible since the two are distinct primes)
  - set $x' = x^b z'^a \bmod n$
  - why it works: $x'^{e_{own}} = ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$
- thus $z$ need not change when a new member joins, and the existing witnesses stay valid
Witnesses need to be recomputed upon revocation only.
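The accumulator operations of the preceding slides as runnable code: witness issuance, both ways of adding a member (with and without the factorization), revocation, the extended-Euclid witness update, and the check that the revoked user's old witness no longer verifies. This is an added example, not the deck's or Identity Mixer's code. It uses a toy modulus (the product of two Mersenne primes, so that the issuer-side $e$-th roots can be computed here; a real deployment uses a 2048-bit modulus) and the names `Issuer`, `add_public`, `update_witness_on_add` and `update_witness_on_revoke` are chosen here. The zero-knowledge proof that a committed $e$ is in the accumulator is not included.

```python
import secrets
from math import gcd

# Toy RSA modulus (an assumption of this example): the product of the Mersenne primes
# 2^61-1 and 2^89-1, so the issuer side can take e-th roots; real keys are 2048-bit.
_P, _Q = 2**61 - 1, 2**89 - 1
N = _P * _Q
PHI = (_P - 1) * (_Q - 1)


def is_prime(x: int) -> bool:
    """Deterministic Miller-Rabin with bases up to 37, exact for x < 3.3e24."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if x < 2:
        return False
    if x in bases:
        return True
    if any(x % b == 0 for b in bases):
        return False
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True


def random_serial(bits: int = 48) -> int:
    """Credential serial numbers are random primes, coprime to phi(n)."""
    while True:
        e = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(e) and gcd(e, PHI) == 1:
            return e


def ext_gcd(a: int, b: int):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def verify(z: int, x: int, e: int) -> bool:
    """Membership check: z == x^e mod n."""
    return pow(x, e, N) == z


class Issuer:
    """Holds the factorization of n, needed for the e-th roots."""

    def __init__(self):
        self.z = pow(secrets.randbelow(N - 2) + 2, 2, N)   # seed v in QR_n; z = v for now
        self.members = []

    def add(self, e: int) -> int:
        """Improved variant: z stays, the witness is x = z^{1/e} (implicitly v := v^{1/e})."""
        self.members.append(e)
        return pow(self.z, pow(e, -1, PHI), N)

    def add_public(self, e: int):
        """Variant without the trapdoor: z' = z^e; the old z is e's witness and every
        other member updates x' = x^e (update_witness_on_add)."""
        self.members.append(e)
        old_z, self.z = self.z, pow(self.z, e, N)
        return self.z, old_z

    def revoke(self, e_rev: int) -> int:
        """z' = z^{1/e_rev}: e_rev is no longer accumulated."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def update_witness_on_add(x: int, e_new: int) -> int:
    return pow(x, e_new, N)


def update_witness_on_revoke(x: int, e_own: int, z_new: int, e_rev: int) -> int:
    """a*e_own + b*e_rev = 1 (distinct primes); x' = x^b z'^a, then x'^e_own = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1
    return pow(x, b, N) * pow(z_new, a, N) % N


if __name__ == "__main__":
    issuer = Issuer()
    e1, e2, e3 = (random_serial() for _ in range(3))
    x1, x2, x3 = issuer.add(e1), issuer.add(e2), issuer.add(e3)
    assert all(verify(issuer.z, x, e) for x, e in ((x1, e1), (x2, e2), (x3, e3)))
    z_new = issuer.revoke(e2)                                  # revoke credential 2
    x1 = update_witness_on_revoke(x1, e1, z_new, e2)
    x3 = update_witness_on_revoke(x3, e3, z_new, e2)
    assert verify(z_new, x1, e1) and verify(z_new, x3, e3)
    assert not verify(z_new, x2, e2)                           # revoked witness is dead
    e4 = random_serial()
    z2, x4 = issuer.add_public(e4)                             # joining without trapdoor
    x1, x3 = update_witness_on_add(x1, e4), update_witness_on_add(x3, e4)
    assert verify(z2, x4, e4) and verify(z2, x1, e1) and verify(z2, x3, e3)
```

Note what each party needs: the issuer needs the factorization only for `add` and `revoke`; the witness update after a revocation needs nothing secret, which is what lets it be pushed to users (or done by them) off-line.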
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
- No additional effort for the verifier: if the credential is still valid (the validity time has not passed), there is no need to check revocation updates from the issuer.
Revocation: Zeroth Solution, Re-issuing Certificates

Re-issue certificates periodically, off-line (interaction might be too expensive).
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'} \bmod n$; the issuer chooses $e, s''$ and computes
$c = (d / (U \, a_3^{m_3} \, a_4^{time} \, b^{s''}))^{1/e} \bmod n$
and returns $(c, e, s'')$.

Idea: just repeat the last step for each new validity period $time_i$. The issuer keeps $U$, chooses $e_i, s_i''$ and computes
$c_i = (d / (U \, a_3^{m_3} \, a_4^{time_i} \, b^{s_i''}))^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; no interaction with the user is needed.
Conclusions

Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)

Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell

Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References

- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
- G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
- J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255-276.
- J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131-140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, 16(3):185-215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets with Observers. In CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2):84-88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. In CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, 28(10), 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In CRYPTO 2003, pp. 126-144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In CRYPTO '84.
Need to Protect Our Data

Devices, sensors etc. cannot all be physically protected:
- authentication of all devices
- authentication of all data
... which makes it (privacy) even worse :-(
Data cannot be controlled:
- minimize information
- encrypt information
- attach usage policies to each bit
So what can we do?

Legal approach
- Regulate what information can be collected
- How to collect it
- How to use and protect it
- Issue fines for misbehavior
- Very different for different countries and cultures

Technological approach
- Protect data by encryption
- Govern data by policies
- Minimize the data that needs to be used
... of course there are limits

Tracing is so easy:
- each piece of hardware is quite unique
- log files everywhere
... but that's not the point:
- it's not about NSA et al.
- active vs. passive "adversaries"
Still: privacy by design.
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help

Privacy, Identity and Trust Management built in everywhere:
Network layer: anonymity
- in mobile phone networks
- in the Future Internet, as currently discussed
- access points for ID cards
Identification layer
- Access control & authorization
Application layer
- "Standard" e-Commerce
- Specific apps, e.g. eVoting, OT, PIR
- Web 2.0, e.g. Facebook, Twitter, Wikis
Privacy at the Authentication Layer

Authentication without identification
What is an identity & identity management?

(Figure: a person surrounded by attributes such as name, salary, credit card number, hobbies, phone number, address, language skills, nick name, blood group, marital status, birth date and health status, grouped by context: leisure, shopping, work, public authority, health care, insurance.)

ID: a set of attributes shared with someone
- attributes are not static: user & party can add

ID management: two things make an ID useful
- authentication means
- means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex

Alice → Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service → Alice: "You need a subscription and must be older than 12."

Watching the movie with the traditional solution

Alice → Movie Streaming Service: "OK, here's my eID and my subscription."
Movie Streaming Service: "Aha, you are
- Alice Doe
- born on Dec 12, 1975
- 7 Waterdrive, CH 8003 Zurich
- married
- (eID expires Aug 4, 2018)
Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016."

This is a privacy and security problem:
- identity theft
- profiling
- discrimination

With OpenID and similar solutions, e.g. log-in with Facebook:
Movie Streaming Service: "Aha, you are
- Alice@facebook.com
- born on Dec 12, 1975
- Alice's friends are ...
- Alice's public profile is ...
Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016."
And the identity provider learns: "Aha, Alice is watching a 12+ movie."
Identity Mixer solves this

When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
Like PKI, but better

One secret identity (the secret key), many public pseudonyms (the "public keys").
Privacy-protecting authentication with IBM Identity Mixer.

Issuing a credential: the issuer certifies the user's attributes (e.g., Name = Alice Doe, Birth date = April 3, 1997) for one of her pseudonyms, i.e. bound to her secret key.
Privacy-protecting authentication with IBM Identity Mixer (Privacy-ABCs)

Alice → Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service → Alice: "You need a subscription and must be older than 12."
Alice → Movie Streaming Service: a presentation token derived from her credentials, showing
- a valid subscription
- an eID with age ≥ 12
Movie Streaming Service (checking the token against the public verification key of the issuer): "Aha, you are older than 12 and have a subscription."

Like PKI, but the credential itself is never sent: only a minimal disclosure, verified with the issuer's public verification key.
Advantages of Identity Mixer

For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access

For service providers: security, accountability and compliance
- avoiding the risk of losing personal data, or having it stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)
Demo

Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28).
Further Concepts
Concept: Inspection

(Figure: a TTP, the inspector.)
- If the car is damaged, the user's ID must be retrievable by the insurance or the government.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.
Concept: Revocation

(Figure: a revocation authority publishes its parameters (public key) and revocation information.)
- If Alice was speeding, her driver's license needs to be revoked.
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries & proof
  - limited validity: certificates need to be updated
- For proving her age, a revoked driver's license still works.
Concept: Usage Limitation

The degree of anonymity can be limited:
- If Alice and Eve are on-line at the same time with the same credential, they are caught (credential sharing is detectable).
- Usage limitation: anonymous until
  - Alice used her certificate more than 100 times in total, or
  - more than 10,000 times with Bob.
- Alice's certificate can be bound to a hardware token (e.g., TPM).
A couple of use cases

Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation.

Healthcare
- Anonymous access to patients' records, e.g. accessing medical test results
- Anonymous consultations with specialists, e.g. online chat with a psychologist, online consultation with IBM Watson
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- Patent databases
- DNA databases
- News, journals, magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
- Online polls, applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Credentials
A Software Stack View on Identity Mixer

(Figure: the user's wallet and the verifier each consist of three layers.)
- Application layer: the resource request; on the verifier side, access control & application logic.
- Policy layer: the verifier sends a presentation policy, the user answers with a presentation token. User side: policy/credential matcher, credential manager, store, evidence generation orchestration. Verifier side: policy/token matcher, token manager, store, evidence verification orchestration.
- Crypto layer, on both sides: Sig, Enc, Com, ZKP, and a store.
Privacy-protecting authentication with Privacy-ABCs

(Figure: issuer parameters and a credential specification define the credential; the user answers the verifier's presentation policy (verifier parameter) with a presentation token built from the credential and a pseudonym, proving e.g. 12 < age.)
The Policy Layer: An Example Presentation Policy

(The verifier sends the presentation policy; the user answers with a presentation token. Namespace declarations omitted.)

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs
Zero-Knowledge Proofs

An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Three moves: commitment, challenge, response.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group $\langle g \rangle$ of prime order $q$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.

Prover                                    Verifier
choose random $r \in \mathbb{Z}_q$
$t = g^r$                 -- $t$ -->
                          <-- $c$ --      choose random $c$
$s = r - cx \bmod q$      -- $s$ -->      check $t = g^s y^c$

Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Security

Proof of knowledge: if a prover can successfully convince a verifier, then the secret must be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted through the protocol interface alone.

Run the prover to get $t$, send challenge $c$, receive $s$; reset the prover to the same state, send a different challenge $c' \ne c$, receive $s'$. If both transcripts verify:
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c' - c} = g^{s - s'}$
→ $y = g^{(s - s')/(c' - c)}$
→ $x = (s - s')(c' - c)^{-1} \bmod q$
Zero-Knowledge Proofs: Security

Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees" without knowing $x$:
- choose random $c'$ and $s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- if the verifier's challenge $c$ equals $c'$, send $s = s'$; otherwise restart
Problem: if the domain of $c$ is too large, the success probability of the guess becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms: one way to modify the protocol to get a large domain for $c$

Prover                                    Verifier
                          <-- $h$ --      choose random $c, v$; $h = H(c, v)$
choose random $r$
$t = g^r$                 -- $t$ -->
                          <-- $c, v$ --
check $h = H(c, v)$
$s = r - cx \bmod q$      -- $s$ -->      check $t = g^s y^c$

Notation: $PK\{(\alpha): y = g^\alpha\}$

Zero-Knowledge Proofs: Security

With the modified protocol the simulator works for a large challenge domain:
- receive $h$ from the verifier, choose random $c', s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- after having received $c, v$, "reboot" the verifier; being bound by $h = H(c, v)$, it will send the same $c$ again
- now choose random $s$, compute $t = g^s y^c$ for the known $c$, send $t$, receive $c, v$ again, and send $s$
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (recap)

Given a group $\langle g \rangle$ and $y \in \langle g \rangle$, the prover convinces the verifier that she knows $x$ s.t. $y = g^x$: she sends $t = g^r$ for random $r$, receives a random challenge $c$, answers $s = r - cx \bmod q$, and the verifier checks $t = g^s y^c$. Notation: $PK\{(\alpha): y = g^\alpha\}$.
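The three-move protocol, the rewinding extractor and the two simulators of the preceding slides as code. This is an added example, not from the deck; it assumes the 1024-bit MODP group of RFC 2409, the classes `Prover` and `Verifier` are written here, and the "reset and rerun the black box" of the thought experiment is modelled by copying the prover object after it has sent $t$.

```python
import copy
import secrets

# Group parameters (an assumption of this example): the 1024-bit MODP group of
# RFC 2409, a safe prime P = 2Q + 1; G = 4 generates the subgroup of prime order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1


class Prover:
    """Honest prover for PK{(alpha): y = g^alpha}. The per-run randomness r is kept as
    state so that the extractor can 'reset and rerun' the prover like a black box."""

    def __init__(self, x: int):
        self.x, self.y, self.r = x, pow(G, x, P), None

    def commit(self) -> int:
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)                 # t = g^r

    def respond(self, c: int) -> int:
        return (self.r - c * self.x) % Q         # s = r - c x


class Verifier:
    def __init__(self, y: int, challenge_bits: int = 128):
        self.y, self.bits = y, challenge_bits

    def challenge(self) -> int:
        return secrets.randbits(self.bits)

    def check(self, t: int, c: int, s: int) -> bool:
        return t == pow(G, s, P) * pow(self.y, c, P) % P   # t == g^s y^c


def run(prover: Prover, verifier: Verifier) -> bool:
    """One honest execution of the three-move protocol."""
    t = prover.commit()
    c = verifier.challenge()
    return verifier.check(t, c, prover.respond(c))


def extract(prover: Prover, c1: int, c2: int) -> int:
    """Knowledge extractor: freeze the prover after t, answer two different challenges,
    and solve g^{s1} y^{c1} = g^{s2} y^{c2}  =>  x = (s1 - s2) / (c2 - c1) mod Q."""
    t = prover.commit()
    frozen = copy.deepcopy(prover)               # same internal state, i.e. same r
    s1, s2 = prover.respond(c1), frozen.respond(c2)
    v = Verifier(prover.y)
    assert v.check(t, c1, s1) and v.check(t, c2, s2)
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q


def simulate(y: int, c: int):
    """Simulator for a challenge known in advance (honest verifier, or the committed-
    challenge variant): pick s, set t = g^s y^c. Accepting transcripts, no x involved."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def simulate_by_restart(verifier: Verifier, max_tries: int = 100000):
    """The deck's first simulator: guess c, restart on a miss. Expected 2^bits tries,
    so it is only viable for a small challenge domain."""
    for _ in range(max_tries):
        t, c_guess, s = simulate(verifier.y, secrets.randbits(verifier.bits))
        if verifier.challenge() == c_guess:
            return t, c_guess, s
    return None


if __name__ == "__main__":
    x = secrets.randbelow(Q)
    prover, verifier = Prover(x), Verifier(pow(G, x, P))
    assert run(prover, verifier)
    assert extract(prover, 12345, 67890) == x             # two answers for one t leak x
    assert verifier.check(*simulate(verifier.y, 777))     # simulated, yet accepted
    assert simulate_by_restart(Verifier(verifier.y, challenge_bits=4)) is not None
    assert simulate_by_restart(Verifier(verifier.y, challenge_bits=40), max_tries=1000) is None
```

The extractor is also the reason the prover must never reuse $r$ across two runs with different challenges: an implementation that does so hands $x$ to any verifier, which is exactly the failure that has hit real Schnorr-style signers with bad randomness.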
From Protocols to Signatures

Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and
- compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$, i.e. recompute $t = g^s y^c$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations:
- $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
- $PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- $SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
- $PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
- $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
- $PK\{(\alpha): y = g^\alpha \wedge z = \hat g^\alpha \wedge \alpha \in [0, \min\{\mathrm{ord}(g), \mathrm{ord}(\hat g)\}]\}$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$

And what about
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\gamma}\}$
mean? (The randomness in the last clause gets its own name $\gamma$; it is not the $\beta_3$ of the third clause.)
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\gamma} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\gamma} = g^{\alpha_2 \alpha_1} h^{\gamma + \beta_2 \alpha_1}$
$C_3 = g^{\alpha_2 \alpha_1} h^{\gamma + \beta_2 \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$ (and $\beta_3 = \gamma + \beta_2 \alpha_1$), since the commitment is binding

And what about
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\gamma}\}$?
→ $C_2 = (g^{\alpha_1} h^{\beta_1})^{\alpha_1} h^{\gamma} = g^{\alpha_1^2} h^{\beta_1 \alpha_1 + \gamma}$
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2$ be group elements, where $C_2 = g^{\alpha_2} h^{\beta_2}$ is a commitment whose opening the prover knows.
Now, what does
$PK\{(\alpha_1, \beta_1, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\gamma}\}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \gamma$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$ and
$g = (C_2 / C_1)^{\alpha_1} h^{\gamma} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\gamma}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\gamma/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\gamma/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \gamma/\alpha_1}$
Comparing with $C_2 = g^{\alpha_2} h^{\beta_2}$ (binding):
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
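A generic Fiat-Shamir prover and verifier for statements of the form $C = \prod b_i^{\alpha_i}$, i.e. the $SPK$ of "From Protocols to Signatures" generalized to many bases and many clauses. It is used here for the relations analysed on these slides ($\alpha_3 = \alpha_1 + k \alpha_2$) and for the $m_2 = 2 m_1$ relation of the "Commitment Scheme: Extended Features" slide. This is an added example, not the deck's code; it assumes the 1024-bit MODP group of RFC 2409, SHA-256 as the random oracle, a second base $H$ obtained by hashing, and a simple fixed-width encoding of the statement in the hash (a real implementation needs a canonical encoding of every base, target and variable name). Function names are chosen here.

```python
import hashlib
import secrets

# Group parameters (an assumption of this example): the 1024-bit MODP group of
# RFC 2409, a safe prime P = 2Q + 1; G = 4 generates the subgroup of prime order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1
# Second base with unknown log_G H, for Pedersen commitments C = G^m H^r.
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P, 2, P)


def _multi_exp(terms, exps) -> int:
    """prod base^exps[var] mod P for terms = [(base, var), ...]."""
    acc = 1
    for base, var in terms:
        acc = acc * pow(base, exps[var], P) % P
    return acc


def _challenge(statements, ts, msg: bytes) -> int:
    """Fiat-Shamir: c = H(statement || commitments t_j || msg) mod Q."""
    h = hashlib.sha256()
    for (target, terms), t in zip(statements, ts):
        h.update(target.to_bytes(128, "big") + t.to_bytes(128, "big"))
        for base, var in terms:
            h.update(base.to_bytes(128, "big") + var.encode() + b"\x00")
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % Q


def spk_prove(statements, witness, msg: bytes):
    """SPK{(vars): target_j = prod base^var for every clause j}(msg).
    statements: [(target, [(base, var), ...]), ...]; witness: {var: value}.
    A variable that appears in several clauses is proven equal across them."""
    rho = {v: secrets.randbelow(Q) for v in witness}
    ts = [_multi_exp(terms, rho) for _, terms in statements]      # t_j = prod base^rho
    c = _challenge(statements, ts, msg)
    s = {v: (rho[v] - c * w) % Q for v, w in witness.items()}     # s = rho - c * witness
    return c, s


def spk_verify(statements, msg: bytes, proof) -> bool:
    """Recompute t_j = target_j^c * prod base^s_var and compare the challenge."""
    c, s = proof
    ts = [pow(target, c, P) * _multi_exp(terms, s) % P for target, terms in statements]
    return c == _challenge(statements, ts, msg)


def commit(m: int, r: int) -> int:
    return pow(G, m, P) * pow(H, r, P) % P


def double_relation_statement(C1: int, C2: int):
    """PK{(m1, r1, r2): C1 = g^m1 h^r1 and C2 = (g^2)^m1 h^r2}: C2 commits to 2*m1."""
    return [(C1, [(G, "m1"), (H, "r1")]), (C2, [(pow(G, 2, P), "m1"), (H, "r2")])]


def linear_relation_statement(C1: int, C2: int, C3: int, k: int):
    """PK{(a1,b1,a2,b2,b3): C1 = g^a1 h^b1, C2 = g^a2 h^b2, C3 = g^a1 (g^k)^a2 h^b3},
    i.e. the value in C3 equals a1 + k*a2 (the slides' k = 1 and k = 5 cases)."""
    return [(C1, [(G, "a1"), (H, "b1")]),
            (C2, [(G, "a2"), (H, "b2")]),
            (C3, [(G, "a1"), (pow(G, k, P), "a2"), (H, "b3")])]


if __name__ == "__main__":
    m1, r1, r2 = 21, secrets.randbelow(Q), secrets.randbelow(Q)
    C1, C2 = commit(m1, r1), commit(2 * m1, r2)
    st = double_relation_statement(C1, C2)
    proof = spk_prove(st, {"m1": m1, "r1": r1, "r2": r2}, b"opinion: 5 stars")
    assert spk_verify(st, b"opinion: 5 stars", proof)
    assert not spk_verify(st, b"opinion: 1 star", proof)          # bound to the message
    bad = double_relation_statement(C1, commit(3 * m1, r2))        # relation does not hold
    assert not spk_verify(bad, b"x", spk_prove(bad, {"m1": m1, "r1": r1, "r2": r2}, b"x"))
```

Soundness shows up in the last line: a prover whose commitments do not satisfy the stated relation cannot produce an accepting proof even with the honest algorithm, because the verifier's recomputed $t_2$ picks up a factor $g^{c \cdot m_1}$ that the prover's $t_2$ lacks.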
Privacy-protecting authentication with Privacy-ABCs

(Figure: Alice's credentials and presentation tokens are built from three building blocks: a signature scheme, a commitment scheme, and zero-knowledge proofs.)

Signature schemes
Signature Scheme: Functionality

Key generation: the signer generates a signing key and a public verification key.
Signing: on messages $(m_1, \dots, m_k)$, compute $\sigma = \mathrm{sig}((m_1, \dots, m_k))$ with the signing key.
Verification: with the public key, check $\mathrm{ver}(\sigma, (m_1, \dots, m_k)) = \mathrm{true}$.
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret Key: two random primes p and q
Public Key: n = pq, prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(μ, σ) : σ^e = H(μ) (mod n)}
But this is not a valid proof expression :-( – H(μ) is not an exponentiation in a group, so the relation is not of the form the PK notation (and the Schnorr-type protocols behind it) can handle.
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
  – choose a random prime 2^(ℓ+2) > e > 2^(ℓ+1) and an integer s ≈ n, compute c:
    c = (d / (a1^m1 ··· ak^mk b^s))^(1/e) mod n
  – signature is (c, e, s)

CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
  – m1, ..., mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
  – d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe:
  – Let c' = c b^t mod n with randomly chosen t
  – Then d = c'^e a1^m1 a2^m2 b^(s - e·t) (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
  PK{(ε, μ1, σ) : d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
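The signing, verification and re-randomization steps of the CL-signature slides above, as an added Python example (it is not part of the original deck and not Identity Mixer's code). It assumes toy parameters chosen only so that the script runs offline in well under a second: the modulus is the product of the Mersenne primes 2^89-1 and 2^107-1 and ℓ = 16; a deployment uses a ~2048-bit modulus of two safe primes and ℓ of at least 256 bits. The zero-knowledge proof of knowledge of a signature is not implemented, only the randomization c' = c·b^t that it relies on.

```python
# Added example: toy CL signatures (sign, verify, re-randomize).
# Toy modulus from two Mersenne primes; NOT for production use.
import math
import secrets

P_TOY = 2**89 - 1
Q_TOY = 2**107 - 1
L = 16                      # ℓ: each message is an ℓ-bit integer


def _is_prime_small(m):
    """Trial division; only used for the (ℓ+2)-bit prime e."""
    if m < 2:
        return False
    for f in range(2, math.isqrt(m) + 1):
        if m % f == 0:
            return False
    return True


def keygen(k):
    """Public key (n, a_1..a_k, b, d) with a_i, b, d random quadratic residues."""
    n = P_TOY * Q_TOY
    phi = (P_TOY - 1) * (Q_TOY - 1)          # the signer's secret
    rnd_qr = lambda: pow(secrets.randbelow(n - 2) + 2, 2, n)
    pk = {"n": n, "a": [rnd_qr() for _ in range(k)], "b": rnd_qr(), "d": rnd_qr()}
    return pk, phi


def sign(pk, phi, msgs):
    """(c, e, s) with c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n."""
    n, a, b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    assert len(msgs) == len(a) and all(0 <= m < 2**L for m in msgs)
    while True:                              # random prime 2^(ℓ+1) < e < 2^(ℓ+2)
        e = 2**(L + 1) + 1 + secrets.randbelow(2**(L + 1) - 1)
        if _is_prime_small(e) and math.gcd(e, phi) == 1:
            break
    s = secrets.randbelow(n)                 # random integer of about the size of n
    base = d
    for ai, mi in zip(a, msgs):
        base = base * pow(ai, -mi, n) % n    # divide by a_i^m_i
    base = base * pow(b, -s, n) % n          # divide by b^s
    c = pow(base, pow(e, -1, phi), n)        # e-th root needs the trapdoor phi(n)
    return c, e, s


def verify(pk, msgs, sig):
    """Check m_i in range, e in range, and d == c^e a_1^m_1 ... a_k^m_k b^s mod n."""
    n, a, b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    c, e, s = sig
    if not (2**(L + 1) < e < 2**(L + 2) and all(0 <= m < 2**L for m in msgs)):
        return False
    lhs = pow(c, e, n)
    for ai, mi in zip(a, msgs):
        lhs = lhs * pow(ai, mi, n) % n
    return lhs * pow(b, s, n) % n == d       # s may be negative after re-randomization


def rerandomize(pk, sig):
    """(c', e, s - e t) with c' = c b^t is a fresh-looking signature on the same messages."""
    n, b = pk["n"], pk["b"]
    c, e, s = sig
    t = secrets.randbelow(n)
    return c * pow(b, t, n) % n, e, s - e * t


if __name__ == "__main__":
    pk, phi = keygen(2)
    sig = sign(pk, phi, [12345, 678])
    print("verifies:", verify(pk, [12345, 678], sig))
    sig2 = rerandomize(pk, sig)
    print("re-randomized copy verifies:", verify(pk, [12345, 678], sig2),
          "and differs from the original:", sig2[0] != sig[0])
```

The verifier accepts the re-randomized (c', e, s - e·t) because c'^e b^(s - e·t) = c^e b^(e·t) b^(s - e·t) = c^e b^s; a real verifier additionally checks that s lies in its expected range, which the proof of knowledge handles in the slides.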
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from signature scheme, commitment scheme, zero-knowledge proofs)

commitment scheme
Commitment Scheme Functionality
(figure: the committer locks a message m in a box and hands over the box, i.e. the commitment; later she opens it and the recipient sees m)

Commitment Scheme Security
  – Binding: the committer cannot open the same commitment to two different messages m ≠ m'
  – Hiding: for all messages m, m', the commitments to m and to m' are indistinguishable to the recipient
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
  • Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
  • ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
  • reveal x and r to the verifier
  • the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
  Let c be a commitment and u = log_g h.
  Thus c = g^x h^r = g^(x + u·r) = g^((x + u·r') + u·(r - r')) = g^(x + u·r') h^(r - r') for any r'.
  I.e. given c and any x', there exists r'' such that c = g^x' h^r'' (take r' = (x' - x)/u and r'' = r - r').
Computationally binding:
  Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'.
  Then g^(x - x') = h^(r' - r) and u = log_g h = (x - x')/(r' - r) mod q, i.e. a double opening reveals the discrete logarithm of h.
Commitment Scheme Extended Features
(figure)
Proof of Knowledge of Contents: prove knowledge of the m inside a commitment without opening it
Proof of Relations among Contents: e.g. prove that the contents of two commitments satisfy m' = 2·m
Let C1 = g^m h^r and C2 = g^m' h^r'; then
  PK{(α, β) : C1 = g^β h^α}                               (knowledge of contents)
  PK{(α, β, γ) : C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}        (proves m' = 2·m)
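An added Python example (not from the deck, not Identity Mixer's code) that makes the "Some Example Proofs and Their Analysis" slides and the extended commitment features executable: Pedersen commitments plus a small Fiat-Shamir prover/verifier for statements of the form PK{(w_0, ..., w_n) : T_1 = Π base^w_idx ∧ T_2 = ...}, where a witness index shared between equations is what expresses a relation. It proves the sum relation α3 = α1 + α2 (C3 = g^α1 g^α2 h^β3) and the product relation α3 = α1·α2 (C3 = C2^α1 h^β3') from the slides. The group is a toy assumption: p = 1019 = 2·509 + 1 is a safe prime, so the squares mod p form a subgroup of prime order q = 509 with generators g = 4 and h = 9; the challenge space is therefore tiny and log_g h is computable, which a real setup (≥ 256-bit q, h derived by hashing) avoids.

```python
# Added example: Pedersen commitments and Fiat-Shamir proofs of relations
# among committed values.  TOY group parameters, see lead-in.
import hashlib
import secrets

P = 1019
Q = 509
G = 4    # 2^2 mod p: generator of the order-q subgroup
H = 9    # 3^2 mod p: second generator; log_G(H) must be unknown to the prover


def commit(x, r):
    """Pedersen commitment C = g^x h^r mod p."""
    return pow(G, x, P) * pow(H, r, P) % P


def _challenge(equations, announcements):
    """Fiat-Shamir challenge: hash the statement and the announcements."""
    data = repr((equations, announcements)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(equations, witnesses):
    """equations: list of (target, [(base, witness_index), ...]) meaning
    target == prod base^witnesses[idx] mod p.  Returns (c, [s_0, ...])."""
    rnd = [secrets.randbelow(Q) for _ in witnesses]
    ann = []
    for _target, terms in equations:
        t = 1
        for base, idx in terms:
            t = t * pow(base, rnd[idx], P) % P
        ann.append(t)
    c = _challenge(equations, ann)
    s = [(rk - c * wk) % Q for rk, wk in zip(rnd, witnesses)]   # s = r - c*w
    return c, s


def verify(equations, proof):
    """Recompute t = target^c * prod base^s and check the challenge."""
    c, s = proof
    ann = []
    for target, terms in equations:
        t = pow(target, c, P)
        for base, idx in terms:
            t = t * pow(base, s[idx], P) % P
        ann.append(t)
    return c == _challenge(equations, ann)


def sum_relation_demo(a1, a2):
    """PK{C1 = g^a1 h^b1, C2 = g^a2 h^b2, C3 = g^a1 g^a2 h^b3}: proves a3 = a1 + a2."""
    b1, b2, b3 = (secrets.randbelow(Q) for _ in range(3))
    C1, C2, C3 = commit(a1, b1), commit(a2, b2), commit((a1 + a2) % Q, b3)
    eqs = [(C1, [(G, 0), (H, 1)]),          # witnesses: [a1, b1, a2, b2, b3]
           (C2, [(G, 2), (H, 3)]),
           (C3, [(G, 0), (G, 2), (H, 4)])]
    return eqs, prove(eqs, [a1, b1, a2, b2, b3])


def product_relation_demo(a1, a2):
    """PK{C1 = g^a1 h^b1, C2 = g^a2 h^b2, C3 = C2^a1 h^b3'}: proves a3 = a1 * a2.
    C2^a1 h^b3' = g^(a1 a2) h^(b2 a1 + b3'), so the prover uses b3' = b3 - b2*a1."""
    b1, b2, b3 = (secrets.randbelow(Q) for _ in range(3))
    C1, C2, C3 = commit(a1, b1), commit(a2, b2), commit(a1 * a2 % Q, b3)
    b3p = (b3 - b2 * a1) % Q
    eqs = [(C1, [(G, 0), (H, 1)]),          # witnesses: [a1, b1, a2, b2, b3p]
           (C2, [(G, 2), (H, 3)]),
           (C3, [(C2, 0), (H, 4)])]
    return eqs, prove(eqs, [a1, b1, a2, b2, b3p])


if __name__ == "__main__":
    eqs, pf = sum_relation_demo(17, 25)
    print("sum relation verifies:", verify(eqs, pf))
    eqs, pf = product_relation_demo(17, 25)
    print("product relation verifies:", verify(eqs, pf))
```

The verifier never sees a1, a2 or the blinding values; it only learns that the three commitments satisfy the stated relation, because t = target^c · Π base^(r - c·w) collapses to Π base^r exactly when target = Π base^w.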
putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
  – Choose random r ∈ Z_q
  – Compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials (figure)
Like PKI, but better: the issuer issues a credential on attributes such as Name = Alice Doe, Birth date = April 3, 1997
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
  – m1, ..., mk ∈ {0,1}^ℓ
  – e > 2^(ℓ+1)
  – d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
  → d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New Problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(figure: the user sends commitments to m1, ..., mj together with the clear messages (mj+1, ..., mk); the signer returns σ = sig((commitments, mj+1, ..., mk), signing key))
Verification remains unchanged: ver(σ, (m1, ..., mk), verification key) = true
Security requirements basically the same as for signatures, but
  • the signer should not learn any information about m1, ..., mj
  • forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
  1. User computes C = a1^sk b^s' and sends C and her name to the issuer
  2. User proves PK{(μ1, σ') : C = a1^μ1 b^σ'}
  3. Issuer chooses e, s'' and computes c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')
  4. Result: d = c^e a1^sk a2^name b^(s'' + s') (mod n), i.e. (c, e, s' + s'') is a signature on (sk, name)
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
Want to sign w.r.t. Nym = g^sk h^r
  1. User computes Nym = g^sk h^r and C = a1^sk a2^r b^s'; sends C, Nym and her name
  2. User proves PK{(μ1, ρ, σ') : Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ'}
  3. Issuer stores (Nym, name), chooses e, s'' and computes c = (d / (C a3^name b^s''))^(1/e) mod n; returns (c, e, s'')
  4. Result: d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n)
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
  – Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
  – A user can voice an opinion only once (subsequent attempts are dropped)
  – Users want to be anonymous
  – A user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates a pseudonym (ID for registration)
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a1^sk a2^r a3^attr b^s (mod n)
The credential can contain attributes (e.g. course ID) about her
Issuer public key: (n, a1, a2, a3, b, d)
Polling – Solution: Submit Poll
  1. User generates a domain pseudonym, domain = pollID
  2. User transforms her credential
  3. User sends the transformed credential with a subset of the attributes
     – User is anonymous and unlinkable
     – Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
  1. Domain pseudonym P = g_d^sk = H(pollID)^sk
     P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
  2. User transforms her credential
     – c' = c b^s' mod n with randomly chosen s'
     – SPK{(ε, μ1, μ2, μ3, σ) : P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)
     The SPK is a signature proof of knowledge with the opinion as the signed message: the same secret key μ1 is shown to sit in both the domain pseudonym and the credential, and the opinion cannot be detached from the proof.
Further Concepts
Concept – Inspection
(figure: TTP with inspector parameters and inspection grounds)
  • If the car is damaged, the ID with insurance or gov't needs to be retrieved
  • Similarly, verifiably encrypt any certified attribute (optional)
  • The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
(figure: Key Generation, Encryption, Decryption)
Security: like envelopes – the ciphertext gives no information about the message, not even whether it contains m or m'
This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label is a new ciphertext
Verifiable Encryption
Of attributes (discrete logarithms):
  – Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
  – Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
  – Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
  – choose random r ∈ {1, ..., q}
  – compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
  – We know c = (y^r m, g^r) = (g^(x·r) m, g^r)
  – Thus set m = c1 · c2^(-x) = y^r m g^(-x·r) = y^(r - r) m = m
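The ElGamal scheme above, as an added Python example (not from the deck, not Identity Mixer's code), applied to a Pedersen pseudonym Nym = g^sk h^r as in the inspection use case. It assumes the same toy group as the earlier commitment example (p = 1019, q = 509, g = 4, h = 9; far too small for real use). The last function shows the caveat behind "secure if used once only or within a careful construction": plain ElGamal is malleable, so anyone can turn an encryption of Nym into an encryption of Nym·m' without the secret key. That is why the slides name the CCA-secure Cramer-Shoup scheme, and ElGamal only rarely, for verifiably encrypting pseudonyms.

```python
# Added example: ElGamal encryption of a pseudonym in a toy prime-order group,
# decryption as on the slide, and a demonstration of malleability.
import secrets

P = 1019
Q = 509
G = 4
H = 9


def keygen():
    """Secret key x in {1, ..., q-1}, public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Pedersen pseudonym Nym = g^sk h^r; it lies in <g>, so it can be encrypted."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m):
    """c = (y^r m, g^r).  The message must be an element of <g>, i.e. m^q = 1."""
    assert pow(m, Q, P) == 1, "message must lie in the order-q subgroup"
    r = secrets.randbelow(Q - 1) + 1
    return pow(y, r, P) * m % P, pow(G, r, P)


def decrypt(x, c):
    """m = c1 * c2^(-x) = y^r m g^(-x r)."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P


def reblind(c, factor):
    """Malleability: without any key, (c1 * factor, c2) decrypts to m * factor."""
    c1, c2 = c
    return c1 * factor % P, c2


if __name__ == "__main__":
    x, y = keygen()
    nym = pseudonym(42, 7)
    c = encrypt(y, nym)
    print("decrypts to Nym:", decrypt(x, c) == nym)
    f = pow(G, 3, P)
    print("mauled ciphertext decrypts to Nym * g^3:", decrypt(x, reblind(c, f)) == nym * f % P)
```

The membership check in encrypt matters in practice: a message outside <g> leaks information through the subgroup structure, and a pseudonym built as g^sk h^r is in <g> by construction.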
Realizing Inspection
User holds Nym = g^sk h^r and the credential d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n); inspector public key y = g^x
Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u Nym, g^u) = (e1, e2)
Compute proof token (presentation token):
  – compute c' = c b^t mod n with randomly chosen t
  – compute proof
    PK{(ε, μ1, μ2, μ3, σ, ρ) : d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
Revocation of credentials

Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user
Alice should be able to convince the verifier that her credential is among the good ones

Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
  – Choose random g
  – Compute U_j = g^u_j for u_j in (u1, ..., uk)
  – Prove PK{(ε, μ, ρ, σ) : (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
Publish the list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
  – Choose random h and compute U = h^u_i
  – Prove PK{(ε, μ, ρ, σ) : d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
  – Verifier checks whether U ≠ h^u_j for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all of its past transactions become linkable: once u_i is published, anyone who saw (h, U = h^u_i) can recognize it.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
  – Can pre-compute the list U_j = h^u_j → single table lookup
  – BUT if the user comes again, the verifier can link her; ALSO the verifier could not change h at all, or use the same h as other verifiers
  – one way out: h = H(verifier, date), so the user can check correctness
  – date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – ... better implementation of the proof
(figure: revocation list {1, 4, 5}; the issuer signs the intervals between revoked values: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a user whose credential contains 3 shows that 3 lies in the signed interval (1,4))
  – The issuer signs the intervals between revoked values
  – The credential contains u_i; the user proves that she holds some Sig(i, j) with i < u_i < j
  – The verifier does not learn i, j
  – Sig(i, j) can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
(figure: accumulator containing the serial numbers 1, 2, 3, 4, 5, 6)
  – credentials contain a random serial number
  – the issuer accumulates all good serial numbers
  – the proof that a serial number is included in the accumulator requires a witness
  – to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
  – values are primes e_i
  – accumulator value z = v^(Π e_i) mod n
  – publish z and n
  – witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e1 ··· e_(j-1) · e_(j+1) ··· ek) mod n
Show that your value e is contained in the accumulator:
  – provide x for e
  – the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be hard to show an x s.t. z = x^e mod n for an e that is not contained in the accumulator
  – For fixed e: equivalent to the RSA assumption
  – Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets the witness x with the certificate. But we still need
  – an efficient protocol to prove that a committed value is contained in the accumulator
  – a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
  – Commit to x:
    • choose random s and g, and
    • compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
  – Run the proof protocol with the verifier:
    PK{(ε, μ, ρ, σ, ξ, δ) : d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
  – No information about x and e is revealed
    • (U1, U2) is a secure commitment to x
    • the proof protocol is zero-knowledge
  – The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
    a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
    b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^(δ·μ) = (U1 / h^δ)^μ (mod n)
    c) d = c^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
  – Recall z = v^(Π e_i) mod n
  – Thus z' = z^e_new mod n
  – But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^e_new mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
  – Now z' = v^(Π_(i ≠ rev) e_i) = z^(1/e_rev) mod n
  – Witness:
    • Use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
    • Now x' = x^b z'^a mod n
    • Why? x'^e_own = ((x^b z'^a)^e_own)^(e_rev · 1/e_rev) mod n
        = ((x^b z'^a)^(e_own · e_rev))^(1/e_rev) = ((x^e_own)^(b·e_rev) (z'^e_rev)^(a·e_own))^(1/e_rev) = (z^(b·e_rev) z^(a·e_own))^(1/e_rev) mod n
        = z^(1/e_rev) mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
  – Recall z = v^(Π e_i) mod n
  – Actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and x = z^(1/e_new) mod n
  – Thus z needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
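The dynamic RSA accumulator of the "Third Solution" slides as an added Python example (not from the deck, not Identity Mixer's code): accumulate prime serial numbers, compute and verify witnesses, add a member with and without the issuer's trapdoor, revoke a member, and repair the remaining holders' witnesses with the extended-Euclid update from the slide. Assumptions: the modulus is the product of the Mersenne primes 2^89-1 and 2^107-1 so the script runs offline (a deployment uses a ~2048-bit modulus of two safe primes whose factorization only the issuer knows), and the serial numbers are small fixed primes chosen to be coprime to φ(n), which the code checks; the zero-knowledge proof that the accumulated value sits in the credential is not implemented.

```python
# Added example: toy dynamic RSA accumulator (Camenisch-Lysyanskaya style).
# Toy modulus from two Mersenne primes; NOT for production use.
import math
import secrets

P_TOY = 2**89 - 1
Q_TOY = 2**107 - 1
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)     # trapdoor: known to the issuer only


def setup():
    """Seed v: a random quadratic residue mod n."""
    return pow(secrets.randbelow(N - 2) + 2, 2, N)


def accumulate(v, primes):
    """z = v^(prod e_i) mod n."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(v, primes, e_j):
    """x = v^(prod of all other primes) mod n, so that x^e_j = z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, e, x):
    """Membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def _root(base, e):
    """base^(1/e) mod n using the trapdoor; e must be coprime to phi(n).
    (With a real safe-prime modulus every odd prime e except p', q' qualifies.)"""
    assert math.gcd(e, PHI) == 1, "serial prime must be coprime to phi(n)"
    return pow(base, pow(e, -1, PHI), N)


def add_member(z, x_own, e_new):
    """Plain dynamic accumulator: z' = z^e_new and every witness x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def add_member_with_trapdoor(z, e_new):
    """Improved variant: z stays unchanged, the newcomer gets x = z^(1/e_new)."""
    return _root(z, e_new)


def revoke_member(z, e_rev):
    """Issuer publishes z' = z^(1/e_rev)."""
    return _root(z, e_rev)


def ext_gcd(u, v):
    """Returns (g, a, b) with a*u + b*v = g = gcd(u, v)."""
    if v == 0:
        return u, 1, 0
    g, a1, b1 = ext_gcd(v, u % v)
    return g, b1, a1 - (u // v) * b1


def update_witness_after_revocation(x_own, e_own, z_new, e_rev):
    """Holder of e_own repairs her witness without the trapdoor:
    a*e_own + b*e_rev = 1  =>  x' = x^b * z'^a satisfies x'^e_own = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return pow(x_own, b, N) * pow(z_new, a, N) % N   # b may be negative: pow inverts


def demo():
    serials = [101, 103, 109]                  # toy prime serial numbers
    v = setup()
    z = accumulate(v, serials)
    x103 = witness(v, serials, 103)
    ok_initial = verify(z, 103, x103)
    z2 = revoke_member(z, 109)                 # issuer revokes 109
    x103b = update_witness_after_revocation(x103, 103, z2, 109)
    ok_repaired = verify(z2, 103, x103b)
    stale = verify(z2, 103, x103)              # old witness no longer works
    x113 = add_member_with_trapdoor(z2, 113)   # 113 joins, z2 unchanged
    ok_new = verify(z2, 113, x113)
    return ok_initial, ok_repaired, stale, ok_new


if __name__ == "__main__":
    print("initial, repaired, stale, new:", demo())
```

Note that update_witness_after_revocation uses only public values (z' and the holder's own witness), which is what lets the issuer publish a single new z' instead of a witness per user.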
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
  – no additional effort for the verifier
  – if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
  – the user sends U = a1^m1 a2^m2 b^s'
  – the issuer chooses e, s'' and computes c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n; returns (c, e, s'')
Idea: just repeat the last step for each new time period time_i
  – choose e_i, s_i''
  – c_i = (d / (U a3^m3 a4^time_i b^(s_i'')))^(1/e_i) mod n
  – the update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
  – www.abc4trust.eu
  – www.futureID.eu
  – www.au2eu.eu
  – www.PrimeLife.eu
  – www.zurich.ibm.com/idemix
  – idemixdemo.zurich.ibm.com
Code:
  – github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. EUROCRYPT '87, LNCS vol. 304, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. EUROCRYPT '97, LNCS vol. 1233, pp. 318–333, Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. CRYPTO '84.
So what can we do?
Legal approach
  – Regulate what information can be collected
  – How to collect it
  – How to use and protect it
  – Issue fines for misbehavior
  – Very different for different countries and cultures
Technological approach
  – Protect data by encryption
  – Govern data by policies
  – Minimize the data that needs to be used
... of course there are limits
Tracing is so easy
  – each piece of hardware is quite unique
  – log files everywhere
... but that's not the point
  – it's not about the NSA et al.
  – active vs. passive "adversaries"
Still: privacy by design
Our Vision: in the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, Identity and Trust Management built in everywhere
Network Layer: anonymity
  – in mobile phone networks
  – in the Future Internet as currently discussed
  – access points for ID cards
Identification Layer
  – Access control & authorization
Application Layer
  – "Standard" e-Commerce
  – Specific apps, e.g. eVoting, OT, PIR
  – Web 2.0, e.g. Facebook, Twitter, wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
(figure: attributes such as name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance)
ID: set of attributes shared w/ someone
  – attributes are not static: user & party can add
ID Management: two things to make an ID useful
  – authentication means
  – means to transport attributes between parties
Let's see a scenario

Alice wants to watch a movie at Mplex
  Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
  Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12"

Watching the movie with the traditional solution
  Alice → Movie Streaming Service: "ok, here's my eID and my subscription"
  Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, eID expires Aug 4, 2018; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
  This is a privacy and security problem:
    • identity theft
    • profiling
    • discrimination

Watching the movie with OpenID and similar solutions, e.g. log-in with Facebook
  Identity provider: "Aha, Alice is watching a 12+ movie"
  Movie Streaming Service: "Aha, you are Alice@facebook.com, born on Dec 12, 1975; Alice's friends are ...; Alice's public profile is ...; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
  – has a subscription
  – is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
  – One secret identity (secret key), many public pseudonyms (public keys)
  – Issuing a credential: e.g. Name = Alice Doe, Birth date = April 3, 1997
  – Like PKI, but the credential itself is never sent: only minimal disclosure
  Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
  Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12"
  Alice → Movie Streaming Service: proof of a valid subscription and of an eID with age ≥ 12
  Movie Streaming Service (checks with the public verification key of the issuer): "Aha, you are older than 12 and have a subscription"
Advantages of Identity Mixer
For users: privacy
  – minimizing disclosure of personal data
  – keeping their identities safe
  – pseudonymous/anonymous access
For service providers: security, accountability and compliance
  – avoiding the risk of losing personal data if it gets stolen
  – compliance with legislation (access control rules, personal data protection)
  – strong authentication (cryptographic proofs replace usernames/passwords)
  – user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
(figure: TTP)
  • If the car is damaged, the ID with insurance or gov't needs to be retrieved
  • Similarly, verifiably encrypt any certified attribute (optional)
  • The TTP is off-line & can be distributed to lessen trust
Concept – Revocation
(figure: revocation authority parameters (public key), revocation info)
  • If Alice was speeding, her license needs to be revoked
  • There are many different use cases and many solutions
  • Variants of CRLs work (using crypto to maintain anonymity)
    • Accumulators
    • Signing entries & proof
  • Limited validity – certs need to be updated
  • For proving age, a revoked driver's license still works
Concept – Usage Limitation
The degree of anonymity can be limited
  – If Alice and Eve are on-line at the same time, they are caught
Use limitation – anonymous until
  – Alice used her certs > 100 times in total
  – or > 10,000 times with Bob
Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
  – Movie streaming services
  – Gaming industry
  – Online gambling platforms
  – Dating websites
  – Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation

Healthcare
  – Anonymous access to patients' records: accessing medical test results
  – Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
  – Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
  – Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
  – Patent databases
  – DNA databases
  – News/journals/magazines
  – Transportation tickets, toll roads
  – Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
  – Online polls: applying different restrictions on the poll participants (location, citizenship, ...)
  – Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
(figure: three layers on both the user and the verifier side, exchanging presentation policy and presentation token)
  – application layer: resource request; AC & app logic
  – policy layer, user side (Wallet): policy/credential matcher, credential manager, store, evidence generation orchestration
  – policy layer, verifier side: policy/token matcher, token manager, store, evidence verification orchestration
  – crypto layer: Sig, Enc, Com, ZKP (both sides), store
Privacy-protecting authentication with Privacy ABCs
(figure: issuer parameters and credential specification define the credential; verifier parameters and the presentation policy (e.g. 12 < age) define the presentation token; the user also holds a pseudonym)
The Policy Layer – An Example Presentation Policy
(figure: the verifier sends the presentation policy to the user; the user answers with a presentation token)

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions ...</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So lets look at the cryptography
Required Technologies
  – Encryption schemes
  – Signature schemes
  – Commitment schemes
  – Zero-knowledge proofs
The challenge is to do all this efficiently
zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge
(figure: three moves – commitment, challenge, response)
Properties:
  – zero-knowledge: the verifier learns nothing about the prover's secret
  – proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
  – completeness: if the prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>.
Prover wants to convince verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.

  Prover (knows x)                        Verifier
  random r, t = g^r         --- t -->
                            <-- c ---     random c
  s = r - cx                --- s -->     check t = g^s y^c

Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.

Run the prover twice from the same commitment t with two different challenges c ≠ c':
  first run (t, c, s), second run (t, c', s')
  t = g^s y^c = g^s' y^c'  →  y^(c-c') = g^(s'-s)
  → y = g^((s'-s)/(c-c'))
  → x = (s'-s)/(c-c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees".
Simulator: choose random c', s'; compute t = g^s' y^c'; send t and receive c.
If c = c', send s = s'; otherwise restart.
Problem: if the domain of c is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge.

  Prover (knows x)                        Verifier
                            <-- h ---     random c, h = H(c)
  random r, t = g^r         --- t -->
                            <-- c ---
  check h = H(c), s = r - cx --- s -->    check t = g^s y^c

Notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
Simulating the modified protocol (large domain for c):
- receive h, send an arbitrary t, receive c
- after having received c, "reboot" the verifier (rewind it to just after it sent h; since its challenge is committed via h, it will send the same c again)
- choose random s, compute t = g^s y^c, send t
- receive c again, send s
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q
- compute c = H(g^r || m) = H(t || m), s = r - cx mod q
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s y^c || m)   ↔   t = g^s y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
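The Schnorr protocol, the rewinding extractor, the simulator and the Fiat-Shamir signature from the preceding slides, as an added worked example in Python that is not code from the talk or from Identity Mixer. It assumes a toy 64-bit safe-prime group generated from a fixed seed and SHA-256 as H; a real deployment uses a group of at least 256-bit prime order.

```python
"""Schnorr proof of knowledge of a discrete logarithm, PK{(a): y = g^a}, and its
Fiat-Shamir signature SPK{(a): y = g^a}(m): interactive protocol, knowledge extractor
(rewinding the prover), zero-knowledge simulator, and signing/verification.
Added example, not code from the talk; the toy 64-bit safe-prime group below is
generated from a fixed seed so that the example is reproducible."""
import hashlib
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; with these fixed bases it is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=64, seed=1):
    """Safe prime p = 2q + 1 and a generator g of the subgroup <g> of prime order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            g = pow(rng.randrange(2, p - 1), 2, p)   # a non-trivial square has order q
            if g != 1:
                return p, q, g


P, Q, G = gen_group()


# Interactive protocol: prover sends t = g^r, verifier sends c, prover sends s = r - c*x.
def prover_commit(rng=random):
    r = rng.randrange(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and c1 != c2
    give y^(c1-c2) = g^(s2-s1), hence x = (s2 - s1) / (c1 - c2) mod q."""
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


def simulate(y, rng=random):
    """Zero-knowledge: choose c and s first and set t = g^s * y^c. The transcript
    (t, c, s) verifies although no x was used, so transcripts reveal nothing about x."""
    c, s = rng.randrange(Q), rng.randrange(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# Fiat-Shamir: replace the verifier's random c by the hash H(t || m).
def challenge(t, m):
    h = hashlib.sha256(t.to_bytes(16, "big") + m).digest()
    return int.from_bytes(h, "big") % Q


def spk_sign(x, m, rng=random):
    r, t = prover_commit(rng)
    c = challenge(t, m)
    return c, prover_respond(x, r, c)


def spk_verify(y, m, sig):
    """Recompute t = g^s * y^c and check c == H(t || m)."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == challenge(t, m)
```

Running the extractor against a prover that answers two challenges for the same t is exactly the rewinding argument of the slides; a prover that never reuses r cannot be extracted, which is why a real prover must draw a fresh r per proof.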
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = g^α1 g^α2 h^β3 = g^(α1+α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^(5α2) h^β3 = g^(α1+5α2) h^β3
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3, β3'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3'} mean?
→ The prover knows values α1, β1, α2, β2, β3' such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^(α2·α1) h^(β3'+β2·α1)
  C3 = g^(α2·α1) h^(β3'+β2·α1) = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2'} mean?
→ The prover knows values α1, β1, β2' such that
  C1 = g^α1 h^β1
  g = (C2/C1)^α1 h^β2' = (C2 g^(-α1) h^(-β1))^α1 h^β2'
→ g^(1/α1) = C2 g^(-α1) h^(-β1) h^(β2'/α1)
  C2 = g^α1 h^β1 h^(-β2'/α1) g^(1/α1) = g^(α1 + 1/α1) h^(β1 - β2'/α1)
  C2 = g^α2 h^β2
→ α2 = α1 + α1^(-1) (mod q)
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is realised from three building blocks: a signature scheme, a commitment scheme, and zero-knowledge proofs.]
Signature schemes
Signature Scheme Functionality
- Key generation: the signer generates a secret signing key and a public verification key.
- Signing: on messages (m1, ..., mk) the signer computes σ = sig((m1, ..., mk)) under the secret key.
- Verification: anyone holding the public key checks ver(σ, (m1, ..., mk)) = true.
Signature Scheme Security
Unforgeability under adaptive chosen message attack:
- the adversary adaptively obtains signatures σ1, ..., σl on messages m1, ..., ml of its choice
- it wins if it outputs σ and m ≠ mi s.t. ver(σ, m) = true
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-( (the hash H is not an algebraic relation the proof techniques can handle)
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
- choose a random prime 2^(ℓ+2) > e > 2^(ℓ+1) and an integer s ≈ n, compute
  c = (d / (a1^m1 ··· ak^mk b^s))^(1/e) mod n
- the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
- d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe:
- Let c' = c b^t mod n with randomly chosen t
- Then d = c'^e a1^m1 a2^m2 b^(s-et) (mod n), i.e. (c', e, s' = s-et) is also a signature on m1 and m2
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and
  PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
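CL signing, verification and the re-randomisation c' = c·b^t, s' = s − e·t from the two preceding slides, as an added Python example that is not the talk's or Identity Mixer's code. The modulus (two known Mersenne primes), ℓ = 8 and the list of candidate primes e are constructed toy parameters, and the zero-knowledge proof of the signature is not implemented here; only the randomised signature is verified directly.

```python
"""Toy Camenisch-Lysyanskaya (CL) signature over a strong-RSA modulus: sign a block of
messages, verify, and re-randomise (c' = c*b^t, s' = s - e*t) so that two showings of
the same credential are unlinkable.  Added example; not the talk's or Identity Mixer's
code.  Parameters are constructed toys (tiny modulus, l = 8); a real issuer uses a
random modulus of >= 2048 bits and a fresh random prime e per signature."""
import random

L_BITS = 8                                   # message length l; m_i in {0,1}^l
E_PRIMES = [521, 523, 541, 547, 557, 563]    # primes with 2^(l+1) < e < 2^(l+2)
P, Q = 2**31 - 1, 2**61 - 1                  # toy factors of n (known Mersenne primes)
N, PHI = P * Q, (P - 1) * (Q - 1)            # phi(n) is the signer's secret


def keygen(k, seed=1):
    """Public key: n and quadratic residues a_1..a_k, b, d. Secret key: factors of n."""
    rng = random.Random(seed)

    def qr():
        return pow(rng.randrange(2, N - 1), 2, N)

    return {"a": [qr() for _ in range(k)], "b": qr(), "d": qr()}


def _base(pk, msgs, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (the part of d that does not depend on c).
    A negative s is fine: Python >= 3.8 turns it into a modular inverse."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(pk, msgs, seed=2):
    """Signer (knows phi(n)): pick a prime e and s ~ n, output c = (d / base)^(1/e) mod n."""
    rng = random.Random(seed)
    e = rng.choice(E_PRIMES)
    s = rng.getrandbits(N.bit_length())
    target = pk["d"] * pow(_base(pk, msgs, s), -1, N) % N
    c = pow(target, pow(e, -1, PHI), N)      # the e-th root needs the factorisation of n
    return c, e, s


def verify(pk, msgs, sig):
    """Check m_i in {0,1}^l, 2^(l+1) < e < 2^(l+2) and d == c^e * a_1^m_1 ... b^s mod n."""
    c, e, s = sig
    if not 2 ** (L_BITS + 1) < e < 2 ** (L_BITS + 2):
        return False
    if any(not 0 <= m < 2 ** L_BITS for m in msgs):
        return False
    return pk["d"] == pow(c, e, N) * _base(pk, msgs, s) % N


def randomize(pk, sig, seed=3):
    """Holder: c' = c * b^t, s' = s - e*t for random t.  (c', e, s') is a valid signature
    on the same messages, and c' is independent of c, so showings cannot be linked via c."""
    c, e, s = sig
    t = random.Random(seed).getrandbits(N.bit_length())
    return c * pow(pk["b"], t, N) % N, e, s - e * t
```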
Commitment scheme
Commitment Scheme Functionality
[Figure: the sender commits to a message m (in the slides a date such as 2-36-17) and hands the commitment to the receiver; later she opens the commitment by revealing m, and the receiver checks the opening against the commitment.]

Commitment Scheme Security
Binding: the sender cannot open one commitment to two different messages m ≠ m' (e.g. 2-36-17 and 3-21-11).
Hiding: for all messages m, m', the receiver cannot tell from the commitment which of the two was committed to.
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
  Let c be a commitment and u = log_g h.
  Then c = g^x h^r = g^(x+ur) = g^((x+ur') + u(r-r')) = g^(x+u(r-r')) h^r' for any r'.
  I.e., given c and any x' there exists r' such that c = g^x' h^r' (namely r' = r + (x-x')/u).
Computationally binding:
  Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'.
  Then g^(x-x') = h^(r'-r) and u = log_g h = (x-x')/(r'-r) mod q, i.e. a double opening reveals the discrete logarithm of h.
Commitment Scheme Extended Features
Proof of knowledge of contents: the committer proves that she knows an opening (m, r) of C without revealing it.
Proof of relations among contents: e.g. that the value committed in C' is twice the value committed in C (m' = 2·m).
Let C = g^m h^r and C' = g^m' h^r', then
  PK{(α, β): C = g^β h^α}
  PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
Putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs
Like PKI, but better: issuing a credential
[Figure: concept credentials. The issuer certifies Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, bound to her pseudonym.]
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ
– e > 2^(ℓ+1)
– d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
  → d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives commitments to the hidden messages m1, ..., mj together with the clear messages (mj+1, ..., mk) and outputs σ = sig((commitments to m1, ..., mj, mj+1, ..., mk)).
Verification remains unchanged: ver(σ, (m1, ..., mk)) = true
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about m1, ..., mj
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d.
1. User: chooses random s' and computes C = a1^sk b^s'; sends C and her name to the issuer.
2. User proves PK{(μ1, σ): C = a1^μ1 b^σ} (she knows an opening of C).
3. Issuer: chooses a prime e and random s'', computes c = (d / (C a2^name b^s''))^(1/e) mod n; sends (c, e, s'').
4. User: holds the credential (c, e, s'' + s') with d = c^e a1^sk a2^name b^(s''+s') (mod n).
Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^sk h^r (issuer public key n, a_i, b, d).
1. User: Nym = g^sk h^r, C = a1^sk a2^r b^s'; sends Nym, C and her name.
2. User proves PK{(μ1, ρ, σ): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ} (the same sk and r are in both).
3. Issuer: stores (Nym, name), computes c = (d / (C a3^name b^s''))^(1/e) mod n; sends (c, e, s'').
4. User: d = c^e a1^sk a2^r a3^name b^(s''+s') (mod n).
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
- A user can voice her opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
- User generates a pseudonym (ID for registration).
- User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a1^sk a2^r a3^attr b^s (mod n)
  under the issuer's public key (n, a1, a2, a3, b, d).
- The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
   P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
   – c' = c b^s' mod n with randomly chosen s'
   – SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP, the inspector) publishes inspector parameters; the verifier's policy states the inspection grounds under which the inspector may decrypt.]
• If the car is damaged, the ID with insurance or government needs to be retrievable
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes – the ciphertext reveals no information about the message; even when the adversary picks two messages and sees the encryption of one or the other, it cannot tell which. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^(xr) m, g^r)
– Thus set m = c1 c2^(-x) = y^r m g^(-xr) = y^r y^(-r) m = m
Realizing Inspection
The user holds Nym = g^sk h^r and a credential (c, e, s) with d = c^e a1^sk a2^r a3^name b^s (mod n); the inspector's public key is y = g^x.
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof
  PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
The same μ1, μ2 appear in the credential and in the ciphertext, so the verifier knows that e1 encrypts exactly the pseudonym the credential was issued on.
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer (or revocation authority) publishes revocation information; the verifier looks it up.]
Various reasons to revoke a credential: the user lost the credential or her secret key, misbehaviour of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s''+s') (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^u_j for each u_j in (u1, ..., uk)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s''+s') (mod n)
Publish the list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^u_i
– Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– The verifier checks whether U ≠ h^u_j for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– it can pre-compute the list U_i = h^u_i → single table lookup
– BUT if the user comes again, the verifier can link her; ALSO the verifier could not change h at all, or use the same h as other verifiers
– one way out: h = H(verifier, date), so the user can check correctness
– the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – a better implementation of the proof
The issuer signs the intervals between revoked IDs: for revocation list {1, 4, 5} it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N).
Alice, whose credential contains ID 3, proves that she knows i, j and Sig(i,j) where i < 3 < j.
The verifier does not learn i, j (nor 3).
Sig(i,j) can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
[Figure: credentials contain random serial numbers (1, 2, 3, 4, 5, 6); the issuer accumulates all good serial numbers into a single accumulator value.]
Alice proves that her serial number (e.g. 2) is included in the accumulator; the proof requires a witness.
To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– the values are primes e_i
– accumulator value z = v^(Π e_i) mod n
– publish z and n
– the witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e1 ··· e_(j-1) · e_(j+1) ··· ek) mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find (x, e) s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– For any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x
  • choose random s and g, and
  • compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
– Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed
  • (U1, U2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^(δ·μ) = (U1 h^(-δ))^μ (mod n), i.e. z = x^μ for the committed x
  c) d = c^ε a1^ρ a2^μ b^σ (mod n), with the same μ
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
– Recall z = v^(Π e_i) mod n
– Thus z' = z^e_new mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^e_new mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
– Now z' = v^(Π_{i ≠ rev} e_i)) = z^(1/e_rev) mod n
– Witness:
  • Use extended Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
  • Now x' = x^b z'^a mod n
  • Why: x'^e_own = ((x^b z'^a)^e_own)^(e_rev · 1/e_rev) mod n
    = ((x^b z'^a)^(e_own · e_rev))^(1/e_rev) mod n = ((x^e_own)^(b·e_rev) (z'^e_rev)^(a·e_own))^(1/e_rev) mod n = (z^(b·e_rev) z^(a·e_own))^(1/e_rev) mod n
    = z^(1/e_rev) mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
– Recall z = v^(Π e_i) mod n
– Actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and x = z^(1/e_new) mod n
– Thus z need not be changed in case a new member joins
– Witnesses need to be recomputed upon revocation only
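The accumulator, witness, join and revocation updates of the Third Solution slides above, including the issuer-side join that leaves z unchanged, as an added Python example that is not the talk's code. n, v and the serial-number primes are constructed toy values (the factorisation of n is known so that the issuer-side operations can be shown); the zero-knowledge proof of accumulator membership is not part of the block.

```python
"""Toy RSA accumulator with dynamic updates (Camenisch-Lysyanskaya style):
accumulate prime serial numbers, issue witnesses, verify membership, and update
witnesses when a value joins or is revoked.  Added example, not the talk's code;
n is a constructed toy modulus whose factorisation is known to the issuer."""
from functools import reduce

P, Q = 2**31 - 1, 2**61 - 1          # known Mersenne primes: toy RSA modulus n = P*Q
N, PHI = P * Q, (P - 1) * (Q - 1)   # phi(n) is the issuer's secret
V = 65537                            # seed v (coprime with n); constructed constant


def product(values):
    return reduce(lambda a, b: a * b, values, 1)


def accumulate(primes):
    """Issuer: z = v^(prod e_i) mod n for the accumulated primes e_i."""
    return pow(V, product(primes), N)


def witness(primes, e_j):
    """x_j = v^(prod of all e_i except e_j) mod n, so that x_j^e_j = z."""
    return pow(V, product(e for e in primes if e != e_j), N)


def verify(z, x, e):
    """Membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def join_public(z, witnesses, e_new):
    """Basic join: z' = z^e_new and every holder updates x' = x^e_new.
    The old z is exactly the new member's witness (v to the product of the others)."""
    updated = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    updated[e_new] = z
    return pow(z, e_new, N), updated


def join_issuer(z, e_new):
    """Improved join (issuer knows phi(n)): z stays unchanged, the new witness is
    x = z^(1/e_new) mod n, and no existing witness needs an update."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke_issuer(z, e_rev):
    """Issuer: publish z' = z^(1/e_rev) mod n (e_rev must be coprime with phi(n))."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness_on_revoke(x_own, e_own, z_new, e_rev):
    """Holder of e_own after e_rev was revoked: a*e_own + b*e_rev = 1 (ext. Euclid),
    x' = x^b * z'^a mod n.  Then x'^e_own = z^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'.
    Negative exponents are modular inverses (Python >= 3.8).  For e_own == e_rev the
    gcd is not 1, so the revoked holder cannot update, which is the point."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x_own, b, N) * pow(z_new, a, N) % N
```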
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– the user sends U = a1^m1 a2^m2 b^s'
– the issuer chooses e, s'' and computes c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n, and returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i:
– the issuer chooses e_i, s_i'' and computes c_i = (d / (U a3^m3 a4^time_i b^s_i''))^(1/e_i) mod n
– the update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine and abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
... of course there are limits
Tracing is so easy:
– each piece of hardware is quite unique
– log files everywhere
... but that's not the point:
– it's not about the NSA et al.
– active vs. passive "adversaries"
Still: privacy by design
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, identity and trust management built in everywhere
Network layer: anonymity
– in mobile phone networks
– in the Future Internet as currently discussed
– access points for ID cards
Identification layer
– access control and authorization
Application layer
– "standard" e-commerce
– specific apps, e.g. eVoting, OT, PIR
– Web 2.0, e.g. Facebook, Twitter, wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity and identity management?
[Figure: a person's attributes – name, birth date, marital status, address, phone number, nickname, blood group, health status, salary, credit card number, hobbies, language skills – shared in different contexts: leisure, shopping, work, public authority, health care, insurance.]
ID: a set of attributes shared with someone
– attributes are not static: user and party can add
ID management: two things to make an ID useful
– authentication means
– means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need a subscription and to be older than 12"

Watching the movie with the traditional solution
Alice → Movie Streaming Service: "ok, here's my eID and my subscription"
Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married; eID expires Aug 4, 2018. Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016."
This is a privacy and security problem:
• identity theft
• profiling
• discrimination

Watching the movie with OpenID and similar solutions, e.g. log-in with Facebook
Identity provider: "Aha, Alice is watching a 12+ movie"
Movie Streaming Service: "Aha, you are Alice@facebook.com, born on Dec 12, 1975; Alice's friends are ...; Alice's public profile is ...; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016."
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
– one secret identity (secret key)
– many public pseudonyms (public keys)
Issuing a credential: [Figure: the issuer certifies Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, under one of her pseudonyms.]
Privacy-protecting authentication with IBM Identity Mixer (Privacy ABCs)
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need a subscription and to be older than 12"
Like PKI, but Alice does not send the credential, only a minimal disclosure:
Alice → Movie Streaming Service: a proof of "valid subscription" and "eID with age ≥ 12"
Movie Streaming Service (checking against the public verification key of the issuer): "Aha, you are older than 12 and have a subscription"
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts

Concept – Inspection
[Figure: a trusted third party (TTP, the inspector) can decrypt an attribute that the user verifiably encrypted in her presentation token.]
• If the car is damaged, the ID with insurance or government needs to be retrievable
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Concept – Revocation
(Figure: a revocation authority with its parameters (public key) publishes revocation info that the verifier consults.)
• If Alice was speeding, license needs to be revoked
• There are many different use cases and many solutions
• Variants of CRL work (using crypto to maintain anonymity)
• Accumulators
• Signing entries & proof
• Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
Degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation – anonymous until: Alice used certs > 100 times total, or > 10,000 times with Bob
Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
Anonymous access to patients' records – accessing medical test results
Anonymous consultations with specialists – online chat with a psychologist, online consultation with IBM Watson
Eligibility for the premium health insurance – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
Online polls – applying different restrictions on the poll participants: location, citizenship
Rating and feedback platforms – anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
(Figure: three layers. Application layer: resource request, AC & app logic. Policy layer: presentation policy and presentation token; on the user side a Wallet with a policy/credential matcher, credential manager, store and evidence generation orchestration; on the verifier side a policy/token matcher, token manager, store and evidence verification orchestration. Crypto layer on both sides: Sig, Enc, Com, ZKP, store.)
Privacy-protecting authentication with Privacy ABCs
(Figure: the User holds a Credential (under an Issuer parameter) and a Pseudonym; the Verifier sends a presentation policy, e.g. "12 < age" (Verifier parameter), and receives a presentation token; the credential specification is shared by both.)
The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.
zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
– zero-knowledge: verifier learns nothing about the prover's secret
– proof of knowledge (soundness): prover can convince verifier only if she knows the secret
– completeness: if prover knows the secret, she can always convince the verifier
Message flow: Commitment → Challenge → Response
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>.
Prover wants to convince verifier that she knows x s.t. y = g^x, such that verifier only learns y and g.
Prover (knows x with y = g^x):        Verifier:
  random r, t = g^r       --- t --->
                          <-- c ---   random c
  s = r - cx              --- s --->  checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same state, so both runs send the same t; answer with challenges c and c' and obtain responses s and s':
  (t, c, s) and (t, c', s')
t = g^s y^c = g^{s'} y^{c'} → y^{c-c'} = g^{s'-s}
→ y = g^{(s'-s)/(c-c')}
→ x = (s'-s)/(c-c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees".
Simulator (without x): choose random c', s', compute t = g^{s'} y^{c'}; send t; receive c; if c = c' send s = s', otherwise restart.
Problem: if the domain of c is too large, the success probability becomes too small.
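The three-move protocol, the rewinding extractor and the simulator from the slides above, as an added Python example that is not part of the original deck. It assumes a toy safe-prime group (p = 10007, q = 5003, g = 4), far too small for real use; the protocol logic is the one the slides describe.

```python
import secrets

# Toy prime-order group (assumption for this example): p = 2q + 1 is a safe prime
# and g = 2^2 is a quadratic residue, hence generates the subgroup of order q.
P = 10007
Q = 5003
G = 4


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- the three moves of the slide: t, c, s ---
def prover_commit():
    """First move: random r, t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Second move: random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Third move: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Verifier accepts iff t = g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    """Completeness: an honest prover always convinces the verifier."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- soundness: rewinding extractor (two transcripts sharing the same t) ---
def extract(c1, s1, c2, s2):
    """From (t, c, s) and (t, c', s') recover x = (s' - s)/(c - c') mod q."""
    assert c1 != c2, "the two runs need different challenges"
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


# --- zero-knowledge: simulator for an honest verifier ---
def simulate(y):
    """Produce an accepting (t, c, s) without knowing x: pick c and s first."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, c, P) % P
    return t, c, s
```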
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Prover (knows x with y = g^x):        Verifier:
                          <-- h ---   random c, h = H(c)   (commits to the challenge)
  random r, t = g^r       --- t --->
                          <-- c ---   (opens the commitment)
  checks h = H(c),
  s = r - cx              --- s --->  checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c: the simulator
– receive h; choose random c', s', compute t = g^{s'} y^{c'}, send t; receive c
– after having received c, "reboot" the verifier (it re-sends the same h)
– choose random s'', compute t = g^{s''} y^c, send t; receive c again
– send s''
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r - cx mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
– underlying protocol is a zero-knowledge proof of knowledge
– hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
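The signing and verification steps above as an added Python example (not code from the slides): the same toy group p = 10007, q = 5003, g = 4 as before, SHA-256 standing in for the random oracle H, and a 2-byte encoding of t inside the hash input are assumptions.

```python
import hashlib
import secrets

P, Q, G = 10007, 5003, 4   # toy safe-prime group (assumption), g of order q


def hash_challenge(t, msg):
    """c = H(t || m), reduced into Z_q; SHA-256 stands in for the random oracle."""
    data = t.to_bytes(2, "big") + msg      # t < p < 2^16, so two bytes suffice here
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def spk_sign(x, msg):
    """SPK{(a): y = g^a}(m): run the prover, taking the challenge from the hash."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)                 # t = g^r
    c = hash_challenge(t, msg)       # c = H(t || m)
    s = (r - c * x) % Q              # s = r - c*x mod q
    return c, s


def spk_verify(y, msg, sig):
    """Recompute t = g^s y^c and check that it hashes, with m, back to c."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == hash_challenge(t, msg)
```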
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, α3, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = g^α1 g^α2 h^β3 = g^{α1 + α2} h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^{5α2} h^β3 = g^{α1 + 5α2} h^β3
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3, β3'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3'} mean?
→ Prover knows values α1, β1, α2, β2, α3, β3, β3' such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^{α2·α1} h^{β3' + β2·α1}
C3 = g^{α2·α1} h^{β3' + β2·α1} = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2'} mean?
→ Prover knows values α1, β1, β2' such that
C1 = g^α1 h^β1
g = (C2/C1)^α1 h^β2' = (C2 g^{-α1} h^{-β1})^α1 h^β2'
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β2'/α1}
C2 = g^α1 h^β1 h^{-β2'/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β2'/α1}
C2 = g^α2 h^β2
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's presentation is built from three building blocks: signature scheme, commitment scheme, zero-knowledge proofs.)
signature schemes
Signature Scheme Functionality
Key Generation: the signer generates a signing key and a public verification key.
Signing: σ = sig((m1, ..., mk), signing key)
Verification: ver(σ, (m1, ..., mk), verification key) = true
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack: the adversary obtains signatures σ1, ..., σl on messages m1, ..., ml of its choice; it must be unable to output σ and m ≠ mi s.t. ver(σ, m, verification key) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do proof of knowledge of signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
– choose random prime 2^{ℓ+2} > e > 2^{ℓ+1} and integer s ≈ n, compute c = (d / (a1^m1 ··· ak^mk b^s))^{1/e} mod n
– signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
– d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe: let c' = c b^t mod n with randomly chosen t.
Then d = c'^e a1^m1 a2^m2 b^{s - et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m1 and m2.
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's presentation is built from three building blocks: signature scheme, commitment scheme, zero-knowledge proofs.)
commitment scheme
Commitment Scheme Functionality
(Figure: the committer puts a message m, e.g. 2-36-17, into a sealed envelope and hands it over; later the envelope is opened and the recipient sees m.)
Commitment Scheme Security
Binding: (Figure: the committer cannot open the envelope containing m = 2-36-17 as a different message, e.g. 3-21-11.)
Hiding: for all messages m, m', the recipient cannot tell from the sealed envelope whether it contains m or m'.
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open commitment:
• reveal x and r to verifier
• verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^{x + ur} = g^{x' + u(r + (x - x')/u)} = g^{x'} h^{r'} for any x', with r' = r + (x - x')/u
I.e., given c and x', there exists r' such that c = g^{x'} h^{r'}
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q
Commitment Scheme Extended Features
Proof of knowledge of contents: (Figure: prove knowledge of the m inside a sealed envelope; the verifier outputs true.)
Proof of relations among contents: (Figure: prove m' = 2·m for the contents of two sealed envelopes; the verifier outputs true.)
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}, then
PK{(α, β): C1 = g^β h^α}
PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
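An added Python example (not code from the slides) for the Pedersen commitment and for the AND-combined proofs of relations among committed values. It generalizes the two proofs just above and the sum relation from the "Some Example Proofs" slides to any list of equations of the form target = Π base^var, where a variable shared between equations expresses the relation. The toy group p = 10007, q = 5003, g = 4 and the trapdoor log_g h = 2971 (standing in for a trusted setup the prover does not know) are assumptions.

```python
import secrets

P, Q, G = 10007, 5003, 4      # toy safe-prime group (assumption): g has order q
U_TRAPDOOR = 2971             # log_g h, known only to the trusted setup (assumption)
H = pow(G, U_TRAPDOOR, P)     # second generator h; the prover must not know log_g h


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r; returns (c, r) so the opening can be kept."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_check(c, x, r):
    """Verifier's check of an opening (x, r)."""
    return c == pow(G, x, P) * pow(H, r, P) % P


# A statement is a list of equations (target, [(base, var), ...]) meaning
# target = prod base^var.  A variable occurring in several equations is what
# expresses a relation between the committed values (the AND-combinations).
def _prod(terms, exps):
    out = 1
    for base, var in terms:
        out = out * pow(base, exps[var], P) % P
    return out


def prove_commit(statement, witness):
    """First move: random r_v per variable and t_i = prod base^r_v per equation."""
    rnd = {v: secrets.randbelow(Q) for v in witness}
    return rnd, [_prod(terms, rnd) for _target, terms in statement]


def prove_respond(witness, rnd, c):
    """Third move (after the verifier's challenge c): s_v = r_v - c*x_v mod q."""
    return {v: (rnd[v] - c * witness[v]) % Q for v in witness}


def verify(statement, t_list, c, resp):
    """Check t_i = prod base^s_v * target^c for every equation."""
    return all(t == _prod(terms, resp) * pow(target, c, P) % P
               for (target, terms), t in zip(statement, t_list))


def double_statement(c1, c2):
    """PK{(alpha, beta, gamma): C1 = g^beta h^alpha AND C2 = (g^2)^beta h^gamma}."""
    return [(c1, [(G, "beta"), (H, "alpha")]),
            (c2, [(pow(G, 2, P), "beta"), (H, "gamma")])]


def sum_statement(c1, c2, c3):
    """C1, C2 as usual and C3 = g^a1 g^a2 h^b3: C3 commits to a1 + a2 (mod q)."""
    return [(c1, [(G, "a1"), (H, "b1")]),
            (c2, [(G, "a2"), (H, "b2")]),
            (c3, [(G, "a1"), (G, "a2"), (H, "b3")])]
```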
putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– choose random r ∈ Z_q
– compute Nym = g^sk h^r
Like PKI, but better: issuing a credential
Privacy-protecting authentication with Privacy ABCs – concept: credentials
(Figure: a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: pseudonym not in message space
Solution: sign secret key instead → d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(Figure: the signer receives the messages m1, ..., mj only in sealed envelopes (commitments) and mj+1, ..., mk in the clear.)
σ = sig((commitments to m1, ..., mj), (mj+1, ..., mk), signing key)
Verification remains unchanged: ver(σ, (m1, ..., mk), verification key) = true
Security requirements basically the same as for signatures, but:
• signer should not learn any information about m1, ..., mj
• forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
User: chooses sk and random s', computes C = a1^sk b^s', sends C together with the clear attribute name, and proves PK{(μ1, σ'): C = a1^μ1 b^σ'}
Issuer: chooses prime e and random s'', computes c = (d / (C a2^name b^s''))^{1/e} mod n, sends (c, e, s'')
User: d = c^e a1^sk a2^name b^{s'' + s'} (mod n), i.e. (c, e, s'' + s') is a signature on (sk, name)
Want to sign w.r.t. Nym = g^sk h^r:
User: C = a1^sk a2^r b^s', sends C, Nym and name, and proves PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ'}
Issuer: stores (Nym, name), computes c = (d / (C a3^name b^s''))^{1/e} mod n, sends (c, e, s'')
User: d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n)
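An added Python example (not the Identity Mixer code) covering the CL-signature scheme introduced earlier and the issuance on a hidden sk shown here: sign, verify, randomize with b^t, and the commit / sign / complete exchange between user and issuer. The toy modulus n = 104729 · 1299709 (far too small for real use), ℓ = 8, the fixed bases derived from small seeds, and leaving out the proof PK{(μ1, σ'): C = a1^μ1 b^σ'} that accompanies C are assumptions.

```python
import math
import secrets

# Toy parameters (assumption): n = p*q with p, q far too small for real use;
# the issuer knows the factorisation and can therefore take e-th roots mod n.
P_FACTOR, Q_FACTOR = 104729, 1299709
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
L = 8                      # messages are ell-bit: m in {0,1}^ell, here ell = 8


def is_prime(x):
    """Trial division; enough for the toy e range (2^9, 2^10)."""
    return x >= 2 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def qr(seed):
    """Element of QR_n from a fixed seed (assumption: real keys use random ones)."""
    return pow(seed, 2, N)


PUB = {"a": [qr(3), qr(5)], "b": qr(7), "d": qr(11)}   # (n, a_1, a_2, b, d)


def random_prime_e():
    """Random prime e with 2^(l+1) < e < 2^(l+2), coprime to phi(n)."""
    while True:
        e = secrets.randbelow(2 ** (L + 1) - 1) + 2 ** (L + 1) + 1
        if is_prime(e) and math.gcd(e, PHI) == 1:
            return e


def _eth_root(x, e):
    """x^(1/e) mod n using the factorisation (issuer only)."""
    return pow(x, pow(e, -1, PHI), N)


def cl_sign(msgs):
    """c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n; signature is (c, e, s)."""
    e = random_prime_e()
    s = secrets.randbelow(N)           # s roughly the size of n
    base = pow(PUB["b"], s, N)
    for a_i, m_i in zip(PUB["a"], msgs):
        base = base * pow(a_i, m_i, N) % N
    return _eth_root(PUB["d"] * pow(base, -1, N) % N, e), e, s


def cl_verify(msgs, sig):
    """d = c^e a1^m1 a2^m2 b^s mod n, with m_i in {0,1}^l and e > 2^(l+1)."""
    c, e, s = sig
    if e <= 2 ** (L + 1) or any(not 0 <= m < 2 ** L for m in msgs):
        return False
    rhs = pow(c, e, N) * pow(PUB["b"], s, N) % N     # negative s: modular inverse
    for a_i, m_i in zip(PUB["a"], msgs):
        rhs = rhs * pow(a_i, m_i, N) % N
    return rhs == PUB["d"]


def randomize(sig):
    """(c', e, s - e*t) with c' = c b^t is another signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(PUB["b"], t, N) % N, e, s - e * t


# --- issuance on a hidden message: the user never reveals sk ---
def user_commit(sk):
    """C = a1^sk b^s'; the ZK proof of this form is left out here (assumption)."""
    s_prime = secrets.randbelow(N)
    return pow(PUB["a"][0], sk, N) * pow(PUB["b"], s_prime, N) % N, s_prime


def issuer_sign_hidden(commitment, name):
    """c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e = random_prime_e()
    s2 = secrets.randbelow(N)
    base = commitment * pow(PUB["a"][1], name, N) * pow(PUB["b"], s2, N) % N
    return _eth_root(PUB["d"] * pow(base, -1, N) % N, e), e, s2


def user_finish(partial, s_prime):
    """d = c^e a1^sk a2^name b^(s'' + s'): the user completes the signature."""
    c, e, s2 = partial
    return c, e, s2 + s_prime
```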
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
A user can voice an opinion only once (subsequent attempts are dropped).
Users want to be anonymous. A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
User generates pseudonym (ID for registration).
User obtains credential on pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e a1^sk a2^r a3^attr b^s (mod n)
Credential can contain attributes (e.g. course ID) about her.
Issuer public key: (n, a1, a2, a3, b, d)
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential:
– c' = c b^{s'} mod n with randomly chosen s'
– SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
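Domain pseudonyms and the detection of a second submission, as an added Python example that is not part of the slides: P = H(pollID)^sk in a toy safe-prime group p = 10007 (assumption), with SHA-256 squared into QR_p as the hash to the group; the SPK that ties P to the credential is left out (assumption), so only the pseudonym logic is shown.

```python
import hashlib

P, Q = 10007, 5003   # toy safe prime p = 2q + 1 (assumption); QR_p has order q


def hash_to_group(poll_id):
    """g_d = H(pollID): hash to an integer, then square so g_d lies in QR_p."""
    h = int.from_bytes(hashlib.sha256(poll_id.encode()).digest(), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1):          # negligible for a real-size group; keeps the map total
        g = 4
    return g


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk mod p: fixed per (user, poll), unlinkable across polls."""
    return pow(hash_to_group(poll_id), sk % Q, P)


class BallotBox:
    """Pollster side: one opinion per domain pseudonym, later attempts dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        # The real pollster also verifies the SPK from the slide (P = g_d^mu1 and
        # the credential relation) before accepting; omitted here (assumption).
        if pseudonym in self.opinions:
            return False
        self.opinions[pseudonym] = opinion
        return True

    def count(self):
        return len(self.opinions)
```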
Further Concepts
Concept – Inspection
(Figure: a TTP (inspector) with inspector parameters; the presentation policy states the inspection grounds.)
• If car is damaged, ID with insurance or gov't needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption
Key Generation, Encryption, Decryption
Security: like envelopes – the ciphertext reveals no information about the message; the adversary cannot tell which of two messages was encrypted.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
Label is important to bind context to an encryption. E.g. defines decryption condition, binds user to car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c1, c2):
– we know c = (y^r m, g^r) = (g^{xr} m, g^r)
– thus set m = c1 c2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
Nym = g^sk h^r; credential d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n); inspector public key y = g^x
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute proof PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation info; the verifier looks it up.)
Alice should be able to convince the verifier that her credential is among the good 
ones.
Various reasons to revoke a credential: user lost credential (secret key), misbehavior of user
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n)
Publish list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
– choose random g
– compute U_j = g^{u_j} for u_j in (u1, ..., uk)
– prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in size k of list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n)
Publish list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
– choose random h and compute U = h^{u_i}
– prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while
– can pre-compute list U_i = h^{u_i} → single table lookup
– BUT if user comes again, verifier can link; ALSO verifier could not change h at all, or use the same as other verifiers
– one way out: h = H(verifier, date) so user can check correctness
– date could be the time up to seconds and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – a better implementation of the proof
Issuer signs the intervals between revoked IDs: for revocation list {1, 4, 5} and IDs in [0, N], it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)
Alice (holding ID 3) proves that her credential contains an ID u and that she knows a signature Sig(i, j) with i < u < j
Verifier does not learn i, j
Sig(i, j) can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution – using cryptographic accumulators
(Figure: credentials contain a random serial number (1, 2, 3, 4, 5, 6, ...); the issuer accumulates all good serial numbers into one value; a credential holder proves that its serial number, e.g. 2, is included in the accumulator; the proof requires a witness.)
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e1···e_{j-1}·e_{j+1}···ek} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of accumulator: it must be hard to find x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
– for fixed e: equivalent to RSA assumption
– any e: equivalent to Strong RSA assumption
Revocation: each cert is associated with an e and each user gets witness x with the certificate. But we still need:
– efficient protocol to prove that a committed value is contained in the accumulator
– dynamic accumulator, i.e. ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to x:
  • choose random s and g, and
  • compute U1 = x h^s, U2 = g^s, and reveal U1, U2, g
– run proof-protocol with verifier: PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– no information about x and e is revealed:
  • (U1, U2) is a secure commitment to x
  • proof-protocol is zero-knowledge
– proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 / h^δ)^μ (mod n)
  c) d = c^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator: when a new user gets a certificate containing e_new
– recall z = v^{Π e_i} mod n
– thus z' = z^{e_new} mod n
– but then all witnesses are no longer valid, i.e. need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
– now z' = v^{Π' e_i} = z^{1/e_rev} mod n
– witness:
  • use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
  • now x' = x^b z'^a mod n
  • why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b z'^a)^{e_own · e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b·e_rev} (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n = (z^{b·e_rev} z^{a·e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
– recall z = v^{Π e_i} mod n
– actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– thus z needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
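The RSA accumulator operations of the third solution (accumulate, witness, check, join, revoke with the extended-Euclid witness update, and the improved join when the issuer knows the factorization) as an added Python example that is not from the slides; the toy modulus n = 104729 · 1299709, the seed v = 13² and the example serial numbers are assumptions.

```python
import math

# Toy RSA modulus (assumption): n = p*q with small primes; the issuer knows phi(n).
P_FACTOR, Q_FACTOR = 104729, 1299709
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
V = pow(13, 2, N)          # seed v in QR_n (assumption: fixed seed)


def accumulate(primes):
    """z = v^(prod e_i) mod n over the serial numbers (odd primes) of good credentials."""
    return pow(V, math.prod(primes), N)


def witness(primes, e_j):
    """x = v^(prod of all e_i except e_j) mod n, so that z = x^e_j."""
    return pow(V, math.prod(e for e in primes if e != e_j), N)


def check(z, x, e):
    """Verifier: e is in the accumulator iff z == x^e mod n."""
    return z == pow(x, e, N)


def add(z, x_own, e_new):
    """Join without the factorisation: z' = z^e_new and every witness x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def add_known_factorization(z, e_new):
    """Improved join: z stays the same; the new member gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n (needs phi(n))."""
    return pow(z, pow(e_rev, -1, PHI), N)


def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def update_witness(z_new, x_own, e_own, e_rev):
    """Holder of e_own after e_rev was revoked: a*e_own + b*e_rev = 1, x' = x^b z'^a.
    Negative exponents are handled by Python's modular inverse in pow()."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return pow(x_own, b, N) * pow(z_new, a, N) % N
```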
Revocation: Zeroth Solution
Update of credentials: encode validity time as attribute
– no additional effort for verifier
– if credential is valid → no need to check revocation updates from issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a1^m1 a2^m2 b^s'; the issuer chooses e, s'', computes c = (d / (U a3^m3 a4^time b^s''))^{1/e} mod n and returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i: choose e_i, s_i'' and compute c_i = (d / (U a3^m3 a4^{time_i} b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Our Vision: In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
PETs Can Help
Privacy, Identity and Trust Mgmt Built-In Everywhere
Network layer: anonymity
– in mobile phone networks
– in the Future Internet, as currently discussed
– access points for ID cards
Identification layer
– access control & authorization
Application layer
– "standard" e-Commerce
– specific apps, e.g. eVoting, OT, PIR
– Web 2.0, e.g. Facebook, Twitter, wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
(Figure: attributes of a person, grouped by context – work: name, salary, language skills; shopping: credit card number, address, phone number; leisure: hobbies, nick name; health care: blood group, health status, insurance; public authority: marital status, birth date.)
ID: set of attributes shared with someone
– attributes are not static: user & party can add
ID management: two things to make an ID useful
– authentication means
– means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12"
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problembull - identity theftbull - profiling bull - discrimination
copy 2014 IBM Corporation21 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
copy 2014 IBM Corporation22 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2014 IBM Corporation23 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- born on Dec 12 1975- Alices friends are - Alices public profile is Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2014 IBM Corporation
Identity Mixer solves this

When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
• has a subscription
• is older than 12
and no more.
Like PKI, but better

Privacy-protecting authentication with IBM Identity Mixer
• One secret identity (secret key)
• Many public pseudonyms (public keys)

Issuing a credential: Name = Alice Doe; Birth date = April 3, 1997
Privacy-protecting authentication with IBM Identity Mixer (Privacy ABCs)

Alice → Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service → Alice: "You need a subscription and must be older than 12."

Like PKI, but Alice does not send the credential, only a minimal disclosure:
• valid subscription
• eID with age ≥ 12
Movie Streaming Service (checking with the public verification key of the issuer): "Aha, you are older than 12 and have a subscription."
Advantages of Identity Mixer

For users: privacy
  – minimizing disclosure of personal data
  – keeping their identities safe
  – pseudonymous/anonymous access

For service providers: security, accountability and compliance
  – avoiding the risk of losing personal data if it gets stolen
  – compliance with legislation (access control rules, personal data protection)
  – strong authentication (cryptographic proofs replace usernames/passwords)
  – user identification if required (under certain circumstances)
Demo
Try it yourself at ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection

(Figure: TTP)
• If the car is damaged, the ID has to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Concept – Revocation

• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
• Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
(Figure: revocation authority parameters (public key), revocation info)
Concept – Usage Limitation

• The degree of anonymity can be limited
  – If Alice and Eve are on-line at the same time, they are caught
• Use limitation – anonymous until
  – Alice used certs > 100 times in total
  – or > 10,000 times with Bob
• Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases

Age verification
• Movie streaming services
• Gaming industry
• Online gambling platforms
• Dating websites
• Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation

Healthcare
• Anonymous access to patients' records
  – accessing medical test results
• Anonymous consultations with specialists
  – online chat with a psychologist
  – online consultation with IBM Watson
• Eligibility for premium health insurance
  – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
• Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
• Patent databases
• DNA databases
• News/journals/magazines
• Transportation tickets, toll roads
• Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
• Online polls – applying different restrictions on the poll participants: location, citizenship
• Rating and feedback platforms
  – anonymous feedback for a course only from the students who attended it
  – wikis
  – recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Credentials
A Software Stack View on Identity Mixer

(Figure: three layers – application layer, policy layer, crypto layer – on both the user side and the verifier side)
• Application layer: resource request; presentation policy sent by the verifier, presentation token returned by the user; AC & app logic on the verifier side
• Policy layer, user side (Wallet): policy/credential matcher, credential manager, store, evidence generation & orchestration
• Policy layer, verifier side: policy/token matcher, token manager, store, evidence verification & orchestration
• Crypto layer (both sides): Sig, Enc, Com, ZKP
Privacy-protecting authentication with Privacy ABCs

(Figure: User ↔ Verifier. The credential specification and the issuer parameters define the credential; the verifier parameters define the pseudonym. The verifier sends a presentation policy, e.g. "12 < age", and the user answers with a presentation token.)
The Policy Layer – An Example Presentation Policy

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
• Encryption schemes
• Signature schemes
• Commitment schemes
• Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-knowledge proofs
Zero-Knowledge Proofs

An interactive proof between a prover and a verifier about the prover's knowledge.

Properties:
• zero-knowledge: the verifier learns nothing about the prover's secret
• proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
• completeness: if the prover knows the secret, she can always convince the verifier

(Figure: three-move protocol – commitment, challenge, response)
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group <g> and an element y ∈ <g>.
The prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.

Prover (knows x, y = g^x): chooses random r, sends t = g^r.
Verifier: chooses random c, sends c.
Prover: sends s = r − c·x.
Verifier: checks t = g^s · y^c.

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Proof of Knowledge

Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.

Run the prover twice from the same commitment t, with challenges c, c' and answers s, s':
  t = g^s · y^c = g^s' · y^c'  →  y^(c − c') = g^(s' − s)
  → y = g^((s' − s)/(c − c'))
  → x = (s' − s)/(c − c') mod q
Zero-Knowledge Proofs: Security

Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees".

Simulator: choose random c', s' and compute t = g^s' · y^c'; send t.
If the verifier's challenge c = c', send s = s'; otherwise restart.
Problem: if the domain of c is too large, the success probability becomes too small.
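The three-move protocol together with the two thought experiments from the analysis (the rewinding extractor and the simulator), as an added Python example; this is not code from the slides or from Identity Mixer. The group p = 2039, q = 1019, g = 4 is a toy choice constructed for readability, and the class and function names are assumptions.

```python
import secrets

# Toy group, constructed for readability only: p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of Z_p^*. Real deployments use a q
# of at least 256 bits.
P, Q, G = 2039, 1019, 4


class Prover:
    """Holds the secret x with y = g^x and behaves like the prover on the slide."""

    def __init__(self, x):
        self.x = x % Q
        self.y = pow(G, self.x, P)
        self.r = None

    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1      # random r in [1, q-1]
        return pow(G, self.r, P)                   # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q           # s = r - c*x mod q


def verify(y, t, c, s):
    """Verifier's check: t == g^s * y^c (mod p)."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(prover):
    """One honest execution of the three-move protocol."""
    t = prover.commit()
    c = secrets.randbelow(Q)                       # verifier's random challenge
    s = prover.respond(c)
    return verify(prover.y, t, c, s)


def extract(y, t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 give x = (s2 - s1) / (c1 - c2) mod q, the slide's
    x = (s' - s)/(c - c'), since g^s1 y^c1 = g^s2 y^c2 => y^(c1-c2) = g^(s2-s1)."""
    if c1 == c2 or not (verify(y, t, c1, s1) and verify(y, t, c2, s2)):
        raise ValueError("need two accepting transcripts with distinct challenges")
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q


def rewind_and_extract(prover):
    """The black-box thought experiment: keep t, reset the prover (reuse its
    stored r) and ask two different challenges."""
    t = prover.commit()
    c1, c2 = 17, 42                                # any two distinct challenges
    s1 = prover.respond(c1)
    s2 = prover.respond(c2)                        # same r: this is the reset
    return extract(prover.y, t, c1, s1, c2, s2)


def simulate(y):
    """Zero-knowledge simulator: pick c and s first and derive t = g^s y^c.
    The transcript verifies and is distributed like a real one, yet x was
    never used."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s
```

`rewind_and_extract` succeeds against any prover that answers two challenges for the same t, which is exactly why an honest prover must never reuse r; `simulate` produces transcripts without the secret, which is the content of the zero-knowledge claim.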
One way to modify the protocol to get a large domain for c:

Verifier: chooses random c_v and first sends h = H(c_v), a commitment to its challenge.
Prover: chooses random r, sends t = g^r.
Verifier: opens c_v.
Prover: checks h = H(c_v), sends s = r − c_v·x.
Verifier: checks t = g^s · y^c_v.

Notation: PK{(α): y = g^α}

Zero-Knowledge Proofs: Security

Simulation for the modified protocol:
• choose random c', s' and compute t' = g^s' · y^c'; send t' and receive h, then c_v
• after having received c_v, "reboot" the verifier to just after it sent h (it is bound to the same c_v)
• choose random s'', compute t'' = g^s'' · y^c_v, send t''
• when c_v is opened again, send s''
From Protocols To Signatures

Signing a message m:
  – choose random r ∈ Z_q and
  – compute c = H(g^r || m) = H(t || m), s = r − c·x mod q
  – output (c, s)

Verifying a signature (c, s) on a message m:
  – check c = H(g^s · y^c || m)   ↔   t = g^s · y^c

Security:
  – the underlying protocol is a zero-knowledge proof of knowledge
  – the hash function H() behaves as a "random oracle"

Signature: SPK{(α): y = g^α}(m)
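The signature SPK{(α): y = g^α}(m) obtained by replacing the verifier's challenge with H(t || m), as an added Python example; not code from the slides or from Identity Mixer. The toy group p = 2039, q = 1019, g = 4 and the function names are assumptions; messages are byte strings.

```python
import hashlib
import secrets

# Toy group constructed for readability (q would be >= 256 bits in practice).
P, Q, G = 2039, 1019, 4


def challenge(t, m):
    """c = H(t || m) mapped into Z_q: the hash plays the verifier's role
    (Fiat-Shamir heuristic, H modelled as a random oracle)."""
    data = t.to_bytes(4, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1     # secret exponent
    return x, pow(G, x, P)               # (x, y = g^x)


def sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): run the prover against the hash."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = challenge(t, m)
    s = (r - c * x) % Q
    return c, s                          # the signature is (c, s)


def verify(y, m, sig):
    """Recompute t = g^s y^c from (c, s) and check that it hashes to c
    together with the same message m."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == challenge(t, m)
```

Because m enters the hash, a signature is a proof of knowledge of x that is bound to that message: the same (c, s) does not verify under a different m, and since r is fresh, two signatures on one message differ and each verifies on its own.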
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g̃^α ∧ α ∈ [0, min{ord(g), ord(g̃)}]}
Some Example Proofs and Their Analysis

Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = g^α1 g^α2 h^β3 = g^(α1 + α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)

And what about PK{(α1, …, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^(5·α2) h^β3 = g^(α1 + 5·α2) h^β3
→ α3 = α1 + 5·α2 (mod q)
Some Example Proofs and Their Analysis

Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β3'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3'} mean?
→ The prover knows values α1, β1, α2, β2, β3' such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^(α2·α1) h^(β3' + β2·α1)
  C3 = g^(α2·α1) h^(β3' + β2·α1) = g^α3 h^β3
→ α3 = α1 · α2 (mod q)

And what about PK{(α1, β1, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'}?
→ α2 = α1² (mod q)
Some Example Proofs and Their Analysis

Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2'} mean?
→ The prover knows values α1, β1, β2' such that
  C1 = g^α1 h^β1
  g = (C2/C1)^α1 h^β2' = (C2 · g^(−α1) h^(−β1))^α1 · h^β2'
→ g^(1/α1) = C2 · g^(−α1) h^(−β1) · h^(β2'/α1)
  C2 = g^α1 h^β1 · h^(−β2'/α1) · g^(1/α1) = g^(α1 + 1/α1) h^(β1 − β2'/α1)
  C2 = g^α2 h^β2
→ α2 = α1 + α1^(−1) (mod q)
Privacy-protecting authentication with Privacy ABCs

(Figure: Alice's credential and presentation are built from three building blocks: a signature scheme, a commitment scheme and zero-knowledge proofs)

Signature schemes
Signature Scheme Functionality

• Key generation: the signer obtains a signing key and a public verification key
• Signing: σ = sig((m1, …, mk), signing key)
• Verification: ver(σ, (m1, …, mk), verification key) = true
Signature Scheme Security

Unforgeability under Adaptive Chosen Message Attack:
• the adversary adaptively asks for signatures σ1 on m1, …, σl on ml of its choice
• it wins if it outputs σ and m ≠ mi s.t. ver(σ, m, verification key) = true
RSA Signature Scheme – for reference

Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ

Computing a signature on a message m ∈ {0,1}*:
  d = 1/e mod (p−1)(q−1)
  s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)
RSA Signature Scheme – for reference

Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme

Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: the factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ:
  choose a random prime 2^(ℓ+2) > e > 2^(ℓ+1) and an integer s ≈ n, compute c:
  c = (d / (a1^m1 · … · ak^mk · b^s))^(1/e) mod n
  the signature is (c, e, s)
CL-Signature Scheme

To verify a signature (c, e, s) on messages m1, …, mk:
  m1, …, mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
  d = c^e · a1^m1 · … · ak^mk · b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature

Recall d = c^e · a1^m1 · a2^m2 · b^s mod n
Observe:
  Let c' = c · b^t mod n with randomly chosen t.
  Then d = c'^e · a1^m1 · a2^m2 · b^(s − e·t) (mod n), i.e. (c', e, s' = s − e·t) is also a signature on m1 and m2.
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and
  PK{(ε, μ1, σ): d / a2^m2 = c'^ε · a1^μ1 · b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
→ proves d = c'^ε · a1^μ1 · a2^m2 · b^σ
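The CL signing and verification equations from the two slides above, plus the randomization c' = c·b^t, s' = s − e·t that makes a credential look fresh each time it is shown, as an added Python example; not code from the slides or from Identity Mixer. The modulus n = 1019·2039, ℓ = 4, and the bases a_i, b, d are toy values constructed for readability (real parameters are 2048-bit safe-prime moduli with randomly chosen quadratic residues), and the function names are assumptions.

```python
import math
import secrets

# Toy parameters constructed for readability. The signer's secret is the
# factorization of n; the bases are squares, hence quadratic residues mod n.
P_FAC, Q_FAC = 1019, 2039
N = P_FAC * Q_FAC
PHI = (P_FAC - 1) * (Q_FAC - 1)
L = 4                                     # messages are L-bit: m in {0,1}^L
A = [5 ** 2 % N, 7 ** 2 % N]              # a_1, a_2 in QR_n (k = 2 messages)
B = 11 ** 2 % N                           # b in QR_n
D = 13 ** 2 % N                           # d in QR_n


def _random_prime_between(lo, hi):
    """A random prime e with lo < e < hi; trial division suffices at this size."""
    while True:
        e = secrets.randbelow(hi - lo - 1) + lo + 1
        if all(e % f for f in range(2, math.isqrt(e) + 1)):
            return e


def cl_sign(msgs):
    """(c, e, s) with c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n."""
    if len(msgs) != len(A) or not all(0 <= m < 2 ** L for m in msgs):
        raise ValueError("messages must be L-bit and match the number of bases")
    e = _random_prime_between(2 ** (L + 1), 2 ** (L + 2))
    s = secrets.randbelow(N) + N                      # s of the size of n
    base = math.prod(pow(a, m, N) for a, m in zip(A, msgs)) * pow(B, s, N) % N
    root_input = D * pow(base, -1, N) % N
    c = pow(root_input, pow(e, -1, PHI), N)           # e-th root needs phi(n)
    return c, e, s


def cl_verify(msgs, sig):
    """Check d == c^e a_1^m_1 ... a_k^m_k b^s mod n plus the size conditions."""
    c, e, s = sig
    if not (all(0 <= m < 2 ** L for m in msgs) and e > 2 ** (L + 1)):
        return False
    rhs = pow(c, e, N) * math.prod(pow(a, m, N) for a, m in zip(A, msgs)) % N
    rhs = rhs * pow(B, s, N) % N                      # pow accepts negative s
    return rhs == D


def randomize(sig):
    """(c', e, s') = (c b^t, e, s - e t) is a fresh-looking signature on the
    same messages: the first step of proving knowledge of a CL-signature."""
    c, e, s = sig
    t = secrets.randbelow(1000) + 1
    return c * pow(B, t, N) % N, e, s - e * t
```

A verifier that sees c' from two showings cannot tell whether they came from the same credential, which is what the subsequent proof of knowledge relies on; the proof itself (with the interval conditions on μ1 and ε) is not implemented here.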
Privacy-protecting authentication with Privacy ABCs

(Figure: Alice's credential and presentation are built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Commitment scheme
Commitment Scheme Functionality

(Figure: the committer seals a message m in a box and hands the box over; later she opens the box and the receiver sees m)

Commitment Scheme Security

• Binding: a box sealed with m cannot later be opened to a different message m'
• Hiding: for all messages m, m', a sealed box containing m looks the same to the receiver as one containing m'
Commitment Schemes

Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme

Choose r ∈ Z_q and compute c = g^x h^r

Perfectly hiding:
  Let c be a commitment and u = log_g h.
  Thus c = g^x h^r = g^(x + u·r) = g^((x + u·r') + u·(r − r')) = g^(x + u·r') h^(r − r') for any r'.
  I.e. given c and any x', there exists r'' such that c = g^x' h^r''.

Computationally binding:
  Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'.
  Then g^(x − x') = h^(r' − r) and u = log_g h = (x − x')/(r' − r) mod q.
Commitment Scheme Extended Features

• Proof of knowledge of contents: the committer proves that she knows the m inside the box; the verifier outputs true
• Proof of relations among contents: e.g. for two boxes with m and m', prove m' = 2·m; the verifier outputs true

Let C1 = g^m h^r and C2 = g^m' h^r'. Then
  PK{(α, β): C1 = g^β h^α}
  PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
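Pedersen commitments with the two security arguments of the previous slide made concrete (opening to any value when the trapdoor u = log_g h is known; recovering u from a double opening) and the non-interactive version of PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ} from this slide, as an added Python example; not code from the slides or from Identity Mixer. The toy group p = 2039, q = 1019, g = 4, h = 9 and the function names are assumptions; u is brute-forced only because the group is tiny.

```python
import hashlib
import secrets

# Toy group constructed for readability: p = 2q + 1, g and h of order q.
# In a real system nobody may know u = log_g h; it is brute-forced below
# purely to illustrate the perfect-hiding argument.
P, Q, G, H = 2039, 1019, 4, 9


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r; returns (c, r)."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return (pow(G, x, P) * pow(H, r, P)) % P, r


def check_opening(c, x, r):
    return c == (pow(G, x, P) * pow(H, r, P)) % P


def trapdoor_by_brute_force():
    """u = log_g h; feasible only because q is tiny."""
    return next(u for u in range(Q) if pow(G, u, P) == H)


def equivocate(x, r, x_new, u):
    """Perfect hiding: with u, a commitment to x also opens to x_new, because
    x + u*r = x_new + u*r_new for r_new = r + (x - x_new)/u."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def dlog_from_double_opening(x1, r1, x2, r2):
    """Binding: two openings of one commitment reveal u = (x1 - x2)/(r2 - r1)."""
    return ((x1 - x2) * pow(r2 - r1, -1, Q)) % Q


def _hash_challenge(*elems):
    data = b"|".join(e.to_bytes(4, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_double(m, r, r2):
    """Non-interactive PK{(a, b, g'): C1 = g^b h^a AND C2 = (g^2)^b h^g'}:
    the same exponent b is used in both equations, so C2 commits to 2m."""
    c1, _ = commit(m, r)
    c2, _ = commit(2 * m, r2)
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    g2 = pow(G, 2, P)
    t1 = (pow(G, rb, P) * pow(H, ra, P)) % P
    t2 = (pow(g2, rb, P) * pow(H, rg, P)) % P
    c = _hash_challenge(c1, c2, t1, t2)
    proof = (c, (rb - c * m) % Q, (ra - c * r) % Q, (rg - c * r2) % Q)
    return c1, c2, proof


def verify_double(c1, c2, proof):
    """Recompute t1, t2 from the responses and check the challenge."""
    c, sb, sa, sg = proof
    g2 = pow(G, 2, P)
    t1 = (pow(G, sb, P) * pow(H, sa, P) * pow(c1, c, P)) % P
    t2 = (pow(g2, sb, P) * pow(H, sg, P) * pow(c2, c, P)) % P
    return c == _hash_challenge(c1, c2, t1, t2)
```

The relation proof reveals neither m nor the randomness: the verifier only learns that whatever C1 contains, C2 contains twice that value.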
Putting things together

Realizing Pseudonyms and Key Binding

Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
  – choose random r ∈ Z_q
  – compute Nym = g^sk h^r
Like PKI, but better – Concept: credentials

Issuing a credential: Name = Alice Doe; Birth date = April 3, 1997
Realizing Issuance of a Credential

Recall a signature (c, e, s) on messages m1, …, mk:
  – m1, …, mk ∈ {0,1}^ℓ
  – e > 2^(ℓ+1)
  – d = c^e · a1^m1 · … · ak^mk · b^s mod n
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
  → d = c^e · a1^sk · a2^m2 · … · ak^mk · b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

(Figure: the signer receives sealed boxes (commitments) for m1, …, mj and the clear messages mj+1, …, mk)
  σ = sig((boxes for m1, …, mj, mj+1, …, mk), signing key)
  ver(σ, (m1, …, mk), verification key) = true
Verification remains unchanged.
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about m1, …, mj
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential

Issuer's public key: n, a_i, b, d

1. User: computes C = a1^sk · b^s' and sends C together with her name.
2. User proves PK{(μ1, σ'): C = a1^μ1 · b^σ'} to the issuer.
3. Issuer: chooses e, s'' and computes c = (d / (C · a2^name · b^s''))^(1/e) mod n; sends (c, e, s'').
4. Together this gives d = c^e · a1^sk · a2^name · b^(s'' + s') (mod n), i.e. (c, e, s' + s'') is a signature on (sk, name).
Realizing Issuance of a Credential (w.r.t. a pseudonym)

Issuer's public key: n, a_i, b, d
Want to sign w.r.t. Nym = g^sk h^r

1. User: Nym = g^sk h^r and C = a1^sk · a2^r · b^s'; sends C, Nym and her name.
2. User proves PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 · a2^ρ · b^σ'} (the same sk and r in Nym and C).
3. Issuer: computes c = (d / (C · a3^name · b^s''))^(1/e) mod n, stores (Nym, name), sends (c, e, s'').
4. Result: d = c^e · a1^sk · a2^r · a3^name · b^(s'' + s') (mod n)
An Example Scenario

Polling Scenario and Requirements

Scenario:
• Pollster(s) and a number of users
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
• A user can voice an opinion only once (subsequent attempts are dropped)
• Users want to be anonymous
• A user's opinions in different polls must not be linkable
Polling – Solution: Registration

• User generates a pseudonym (ID for registration)
• User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e · a1^sk · a2^r · a3^attr · b^s (mod n)
• The credential can contain attributes (e.g. course ID) about her
  (issuer public key: n, a1, a2, b, d)
Polling – Solution: Submit Poll

1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
   – User is anonymous and unlinkable
   – Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling

1. Domain pseudonym P = g_d^sk = H(pollID)^sk
   P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential:
   – c' = c · b^s' mod n with randomly chosen s'
   – SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε · a1^μ1 · a2^μ2 · a3^μ3 · b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)
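The domain-pseudonym part of the polling solution (steps 1 of the two previous slides), as an added Python example; not code from the slides or from Identity Mixer. It shows how H(pollID) is mapped into the group, why a second submission to the same poll is detected, and how a pollster tallies. The toy group p = 2039, q = 1019, the hash-to-group construction (square the hash output to land in the order-q subgroup) and the function names are assumptions; the credential SPK from the slide is not implemented here.

```python
import hashlib

# Toy group constructed for readability: p = 2q + 1, and the order-q
# subgroup of Z_p^* is exactly the set of squares.
P, Q = 2039, 1019


def hash_to_group(domain):
    """g_d = H(domain): hash to Z_p, then square so the result lies in the
    order-q subgroup (cofactor clearing). A counter is appended in the
    negligible case that the result is the identity."""
    counter = 0
    while True:
        data = domain + b"|" + str(counter).encode()
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
        g_d = pow(h, 2, P)
        if g_d != 1:
            return g_d
        counter += 1


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: the same user always gets the same P in one poll;
    across polls the P values are unlinkable under DDH (the slide's argument)."""
    return pow(hash_to_group(poll_id), sk, P)


def submit(sk, poll_id, opinion):
    """What a user's wallet sends for one poll: (P, opinion)."""
    return domain_pseudonym(sk, poll_id), opinion


def tally(submissions):
    """Pollster side: count only the first opinion per domain pseudonym;
    subsequent attempts by the same user are dropped."""
    counted = {}
    for p_nym, opinion in submissions:
        if p_nym not in counted:
            counted[p_nym] = opinion
    return counted
```

In the full protocol the pollster additionally verifies the SPK that ties P to a valid credential before counting, so a P that was not produced with a certified sk is rejected rather than counted.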
Further Concepts

Concept – Inspection

(Figure: TTP with inspector parameters and inspection grounds)
• If the car is damaged, the ID has to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption

• Key generation
• Encryption
• Decryption

Security: like envelopes – the ciphertext gives no information about the message.
(Figure: two sealed envelopes; the adversary cannot tell which of two messages is inside)
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label

The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption

• Of attributes (discrete logarithm)
  – Camenisch-Shoup (SRSA) – based on Paillier encryption
• Of pseudonyms (group elements)
  – Cramer-Shoup (DL) or, rarely, ElGamal (DL)
• Otherwise (any secret for which a ZKPK exists)
  – Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme

Group G = <g> of order q
Secret key: x ∈ {1, …, q}; public key: y = g^x
To encrypt a message m ∈ <g>:
  – choose random r ∈ {1, …, q}
  – compute c = (y^r · m, g^r)
To decrypt a ciphertext c = (c1, c2):
  – we know c = (y^r · m, g^r) = (g^(x·r) · m, g^r)
  – thus set m' = c1 · c2^(−x) = y^r · m · g^(−x·r) = y^(r − r) · m = m
Realizing Inspection

Nym = g^sk h^r
d = c^e · a1^sk · a2^r · a3^name · b^(s'' + s') (mod n)
Inspector's public key: y = g^x
Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u · Nym, g^u) = (e1, e2)
Compute the proof token (presentation token):
  – compute c' = c · b^t mod n with randomly chosen t
  – compute the proof
    PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε · a1^μ1 · a2^μ2 · a3^μ3 · b^σ ∧ e1 = y^ρ · g^μ1 · h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
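ElGamal encryption as on the slide before this one, used for the inspection step on this slide: the user encrypts Nym = g^sk h^r under the inspector's key and proves PK{(ρ, μ1, μ2): e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ} with the inspection grounds hashed in as the label. This is an added Python example, not code from the slides or from Identity Mixer; the toy group p = 2039, q = 1019, g = 4, h = 9 and the function names are assumptions, and the CL-signature part of the slide's proof is left out.

```python
import hashlib
import secrets

# Toy group constructed for readability: p = 2q + 1, g and h of order q.
P, Q, G, H = 2039, 1019, 4, 9


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                         # (x, y = g^x)


def elgamal_encrypt(y, m, u=None):
    """c = (y^u * m, g^u) for a group element m; returns (e1, e2, u)."""
    u = secrets.randbelow(Q - 1) + 1 if u is None else u
    return (pow(y, u, P) * m) % P, pow(G, u, P), u


def elgamal_decrypt(x, e1, e2):
    """m = e1 * e2^(-x): e2^x = g^(u x) = y^u cancels the mask."""
    return (e1 * pow(pow(e2, x, P), -1, P)) % P


def _challenge(label, *elems):
    """Fiat-Shamir challenge; the label binds the ciphertext to its context."""
    data = label + b"|" + b"|".join(e.to_bytes(4, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def encrypt_pseudonym_with_proof(y, sk, r, label):
    """Encrypt Nym = g^sk h^r for the inspector and prove knowledge of
    (rho, mu1, mu2) with e1 = y^rho g^mu1 h^mu2 and e2 = g^rho."""
    nym = (pow(G, sk, P) * pow(H, r, P)) % P
    e1, e2, u = elgamal_encrypt(y, nym)
    k_rho, k1, k2 = (secrets.randbelow(Q) for _ in range(3))
    t1 = (pow(y, k_rho, P) * pow(G, k1, P) * pow(H, k2, P)) % P
    t2 = pow(G, k_rho, P)
    c = _challenge(label, y, e1, e2, t1, t2)
    proof = (c, (k_rho - c * u) % Q, (k1 - c * sk) % Q, (k2 - c * r) % Q)
    return nym, (e1, e2), proof


def verify_encryption_proof(y, ct, label, proof):
    """Verifier side: recompute t1, t2 from the responses and check the hash.
    Nym itself is never revealed to the verifier."""
    e1, e2 = ct
    c, s_rho, s1, s2 = proof
    t1 = (pow(y, s_rho, P) * pow(G, s1, P) * pow(H, s2, P) * pow(e1, c, P)) % P
    t2 = (pow(G, s_rho, P) * pow(e2, c, P)) % P
    return c == _challenge(label, y, e1, e2, t1, t2)
```

The verifier learns that the ciphertext is a well-formed ElGamal encryption of a pseudonym whose opening the user knows, and the inspector can later recover Nym with `elgamal_decrypt`; in the full presentation token the same μ1 is additionally tied to the credential via the CL proof.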
Revocation of Credentials

Anonymous Credential Revocation

(Figure: the revocation authority publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential's secret key; misbehavior of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution

Include into the credential some credential ID u_i as a message, e.g.
  d = c^e · a1^sk · a2^u_i · b^(s'' + s') (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, …, uk)
Alice proves that her u_i is on the list:
  – choose random g
  – compute U_j = g^u_j for each u_j in (u1, …, uk)
  – prove PK{(ε, μ, ρ, σ): (d = c^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ U1 = g^μ) ∨ … ∨ (d = c^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID u_i as a message, e.g.
  d = c^e · a1^sk · a2^u_i · b^(s'' + s') (mod n)
Publish the list of all invalid u_i's: (u1, …, uk)
Alice proves that her u_i is not on the list:
  – choose random h and compute U = h^u_i
  – prove PK{(ε, μ, ρ, σ): d = c^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ U = h^μ}
  – the verifier checks whether U = h^u_j for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution

Variation: the verifier could choose h and keep it fixed for a while
  – it can pre-compute the list U_i = h^u_i → a single table lookup
  – BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
  – one way out: h = H(verifier, date), so the user can check correctness
  – the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – a better implementation of the proof

The issuer signs the intervals between revoked values → for revocation list {1, 4, 5}: Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)
Alice's credential contains 3; she proves that she knows i, j with i < 3 < j and a signature Sig(i, j).
The verifier does not learn i, j.
Sig(i, j) can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators

(Figure: the issuer accumulates all good serial numbers 1, …, 6; each credential contains a random serial number, e.g. 2; proving that 2 is included in the accumulator requires a witness)
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
  – values are primes e_i
  – accumulator value z = v^(Π e_i) mod n
  – publish z and n
  – the witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e1 · … · e_(j−1) · e_(j+1) · … · e_k) mod n
Show that your value e is contained in the accumulator:
  – provide x for e
  – the verifier checks z = x^e mod n
Revocable Credentials: Third Solution

Security of the accumulator: show x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
  – for fixed e: equivalent to the RSA assumption
  – for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need
  – an efficient protocol to prove that a committed value is contained in the accumulator
  – a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
  – commit to x:
    • choose random s and g and
    • compute U1 = x · h^s, U2 = g^s, and reveal U1, U2, g
  – run the proof protocol with the verifier:
    PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ z = U1^μ · (1/h)^ξ (mod n) ∧ 1 = U2^μ · (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution

Analysis
  – No information about x and e is revealed:
    • (U1, U2) is a secure commitment to x
    • the proof protocol is zero-knowledge
  – The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
    a) 1 = U2^μ · (1/g)^ξ = (g^δ)^μ · (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
    b) z = U1^μ · (1/h)^ξ = U1^μ · (1/h)^(δ·μ) = (U1 / h^δ)^μ (mod n)
    c) d = c^ε · a1^ρ · a2^μ · b^σ (mod n)
Revocation: Third Solution

Dynamic Accumulator
When a new user gets a certificate containing e_new:
  – recall z = v^(Π e_i) mod n
  – thus z' = z^e_new mod n
  – but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^e_new mod n
Revocation: Third Solution

Dynamic Accumulator: when a certificate containing e_rev is revoked
  – now z' = v^(Π_(i ≠ rev) e_i) = z^(1/e_rev) mod n
  – witness:
    • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
    • now x' = x^b · z'^a mod n
    • why? x'^e_own = ((x^b · z'^a)^e_own)^(e_rev · 1/e_rev) mod n
      = ((x^b · z'^a)^(e_own · e_rev))^(1/e_rev) mod n = ((x^e_own)^(b·e_rev) · (z'^e_rev)^(a·e_own))^(1/e_rev) mod n = (z^(b·e_rev) · z^(a·e_own))^(1/e_rev) mod n
      = z^(1/e_rev) mod n = z' :-)
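The RSA accumulator of the last four slides (accumulate, witness, membership check) with both dynamic operations: adding a value (every witness is raised to e_new) and revoking one (the issuer takes an e_rev-th root using the factorization, and each user repairs her witness with the extended Euclidean identity from this slide). This is an added Python example, not code from the slides or from Identity Mixer; the toy modulus n = 1019·2039, the seed v = 4 and the function names are assumptions.

```python
from math import prod

# Toy RSA modulus constructed for readability: the issuer knows the factors.
# Real accumulators use a 2048-bit n with safe-prime factors.
P_FAC, Q_FAC = 1019, 2039
N = P_FAC * Q_FAC
PHI = (P_FAC - 1) * (Q_FAC - 1)
V = 4                                    # seed v (a quadratic residue mod n)


def accumulate(primes):
    """z = v^(prod e_i) mod n over the accumulated primes."""
    return pow(V, prod(primes), N)


def witness(primes, e):
    """x for e: v raised to the product of all the other accumulated primes."""
    return pow(V, prod(p for p in primes if p != e), N)


def is_member(z, e, x):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z


def add_value(z, witnesses, e_new):
    """Issuer adds e_new: z' = z^e_new, and every existing witness becomes x^e_new."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def revoke_value(z, e_rev):
    """Issuer removes e_rev using phi(n): z' = z^(1/e_rev) mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def egcd(a, b):
    """Extended Euclid: returns (g, u, w) with u*a + w*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, w = egcd(b, a % b)
    return g, w, u - (a // b) * w


def update_witness_after_revocation(x, e_own, z_new, e_rev):
    """User-side update, no secret needed: with a*e_own + b*e_rev = 1,
    x' = x^b * z'^a satisfies x'^e_own = z' (the derivation on the slide).
    pow handles the negative exponent via a modular inverse."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated values must be distinct primes")
    return (pow(x, b, N) * pow(z_new, a, N)) % N
```

Note the asymmetry the slides point out: adding needs only public data (anyone can update a witness), while removing needs the e_rev-th root, which only the holder of the factorization can compute; the old witness of the revoked value no longer verifies against z'.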
Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
  – recall z = v^(Π e_i) mod n
  – actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and x = z^(1/e_new) mod n
  – thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute
  – no additional effort for the verifier
  – if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution

Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
  User: U = a1^m1 · a2^m2 · b^s'
  Issuer: chooses e, s'' and computes c = (d / (U · a3^m3 · a4^time · b^s''))^(1/e) mod n; sends (c, e, s'')
Revocation: Zeroth Solution

Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period:
  choose e_i, s_i'' and compute c_i = (d / (U · a3^m3 · a4^time_i · b^s_i''))^(1/e_i) mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions

Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
  – www.abc4trust.eu
  – www.futureID.eu
  – www.au2eu.eu
  – www.PrimeLife.eu
  – www.zurich.ibm.com/idemix
  – idemixdemo.zurich.ibm.com
Code:
  – github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
PETs Can Help
Privacy, Identity and Trust Management Built-In Everywhere
Network Layer: Anonymity
– in mobile phone networks
– in the Future Internet as currently discussed
– access points for ID cards
Identification Layer
– Access control & authorization
Application Layer
– "Standard" e-Commerce
– Specific apps, e.g. eVoting, OT, PIR
– Web 2.0, e.g. Facebook, Twitter, Wikis
Privacy at the Authentication Layer
Authentication without identification
What is an identity & identity management?
Attributes shared in different contexts (leisure, shopping, work, public authority, health care, insurance): name, salary, credit card number, hobbies, phone number, address, language skills, nick name, blood group, marital status, birth date, health status
ID: set of attributes shared with someone
– attributes are not static; user & party can add
ID Management: two things to make an ID useful
– authentication means
– means to transport attributes between parties
Let's see a scenario
Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12"
Watching the movie with the traditional solution
Alice → Movie Streaming Service: "ok, here's my eID and my subscription"
Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, eID expires Aug 4, 2018; Mplex Customer 1029347, Premium Subscription, expires Jan 13, 2016"
This is a privacy and security problem:
• identity theft
• profiling
• discrimination
With OpenID and similar solutions, e.g. log-in with Facebook
Identity provider (e.g. Facebook): "Aha, Alice is watching a 12+ movie"
Movie Streaming Service: "Aha, you are alice@facebook.com, born on Dec 12, 1975, Alice's friends are ..., Alice's public profile is ...; Mplex Customer 1029347, Premium Subscription, expires Jan 13, 2016"
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice has a subscription and is older than 12, and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better: one secret identity (secret key), many public pseudonyms (public keys)
Issuing a credential: the issuer certifies attributes (e.g. Name = Alice Doe, Birth date = April 3, 1997)
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12"
Like PKI, but does not send the credential, only a minimal disclosure: Alice proves that she holds a valid subscription and an eID with age ≥ 12; the service checks the proof with the public verification key of the issuer
Movie Streaming Service: "Aha, you are older than 12 and have a subscription"
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection (TTP)
• If car is damaged, ID with insurance or government needs to be retrieved
• Similarly: verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Concept – Revocation (revocation authority parameters (public key), revocation info)
• If Alice was speeding, license needs to be revoked
• There are many different use cases and many solutions
• Variants of CRL work (using crypto to maintain anonymity)
• Accumulators
• Signing entries & proof
• Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
• Degree of anonymity can be limited
• If Alice and Eve are on-line at the same time, they are caught
• Use limitation – anonymous until
– Alice used certs > 100 times total
– or > 10,000 times with Bob
• Alice's cert can be bound to hardware token (e.g. TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
– Anonymous access to patients' records: accessing medical test results
– Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
– Eligibility for the premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants: location, citizenship
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it, wikis, recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
Application layer: resource request (user side); AC & app logic (verifier side)
Policy layer: presentation policy ↔ presentation token
– User side (Wallet): policy/credential matcher, credential manager, store, evidence generation orchestration
– Verifier side: policy/token matcher, token manager, store, evidence verification orchestration
Crypto layer: Sig, Enc, Com, ZKP (on both sides), store
Privacy-protecting authentication with Privacy ABCs
– Verifier sends a presentation policy (e.g. 12 < age) to the user; the user answers with a presentation token
– Ingredients: credential (issuer parameters, credential specification), pseudonym (verifier parameter)
The Policy Layer – An Example Presentation Policy

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <!-- predicate: the voucher's Expires attribute must be >= the constant (dateTime-geq) -->
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
Challenge is to do all this efficiently
zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response)
Properties
– zero-knowledge: verifier learns nothing about the prover's secret
– proof of knowledge (soundness): prover can convince verifier only if she knows the secret
– completeness: if prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>
Prover wants to convince verifier that she knows x s.t. y = g^x, such that verifier only learns y and g
Prover (knows x, y = g^x): random r; t = g^r → sends t
Verifier: random c → sends c
Prover: s = r - c·x → sends s
Verifier: checks t = g^s y^c
Notation: PK(α): y = g^α
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
Prover might do protocol computation in any way it wants & we cannot analyse code
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface:
– run the prover: it sends t; challenge with c; it answers s
– reset the prover: it sends the same t; challenge with c' ≠ c; it answers s'
t = g^s y^c = g^s' y^c' → y^(c'-c) = g^(s-s')
→ y = g^((s-s')/(c'-c))
→ x = (s-s')/(c'-c) mod q
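The three-move protocol above and the rewinding extractor, as an added example that is not part of the original deck. The group parameters (p = 2039, q = 1019, g = 4), the fixed challenges in `rewind_and_extract` and all function names are constructed for this illustration; a real deployment uses a group of cryptographic size.

```python
"""Schnorr proof of knowledge of a discrete logarithm, PK(α): y = g^α,
plus the knowledge extractor from the slide (rewinding a black-box prover).
Toy parameters constructed for this example: p = 2q+1 with q prime,
g a generator of the order-q subgroup. Not for production use."""
import secrets

P = 2039          # constructed: safe prime, P = 2*Q + 1
Q = 1019          # prime order of the subgroup <g>
G = 4             # generator of the order-Q subgroup (a quadratic residue mod P)


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit(x):
    """Move 1: pick random r, send t = g^r. Returns (state r, message t)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2: verifier picks a random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff t = g^s * y^c (mod p)."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(x, y):
    """One honest execution of PK(α): y = g^α."""
    r, t = prover_commit(x)
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


def extract(y, t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    different challenges give x = (s1 - s2) / (c2 - c1) mod q, because
    t = g^s1 y^c1 = g^s2 y^c2 implies y^(c2 - c1) = g^(s1 - s2)."""
    assert c1 != c2
    assert verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)
    return ((s1 - s2) * pow(c2 - c1, -1, Q)) % Q


def rewind_and_extract(x, y):
    """Thought experiment from the slide: run the prover, reset it to the same
    first message t, and run it again with a different challenge."""
    r, t = prover_commit(x)           # prover's first message (its state r is hidden from us)
    c1, c2 = 17, 911                  # two distinct challenges chosen by the extractor (constructed)
    s1 = prover_respond(x, r, c1)     # first run
    s2 = prover_respond(x, r, c2)     # "reset" the prover and rerun with c2
    return extract(y, t, c1, s1, c2, s2)
```

The extractor never inspects the prover's internals; it only replays the protocol interface, which is exactly what the soundness argument on the slide relies on.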
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
– choose random c', s'; compute t = g^s' y^c'; send t
– receive c; if c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier commits to c first
Verifier: random c; h = H(c) → sends h
Prover: random r; t = g^r → sends t
Verifier: → sends c
Prover: checks h = H(c); s = r - c·x → sends s
Verifier: checks t = g^s y^c
Notation: PK(α): y = g^α
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c – simulation:
– receive h; choose random c', s'; compute t = g^s' y^c'; send t
– after having received c, "reboot" the verifier (it sends the same h again)
– choose random s'; compute t = g^s' y^c; send t; receive c; send s'
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (recall)
Given group <g> and y ∈ <g>, prover convinces verifier that she knows x s.t. y = g^x, PK(α): y = g^α: Prover: random r, sends t = g^r; Verifier: sends random c; Prover: sends s = r - c·x; Verifier: checks t = g^s y^c
From Protocols To Signatures
Signing a message m
– choose random r ∈ Z_q and compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
– output (c, s)
Verifying a signature (c, s) on a message m
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security
– underlying protocol is a zero-knowledge proof of knowledge
– hash function H() behaves as a "random oracle"
Signature: SPK(α): y = g^α (m)
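The Fiat-Shamir transformation of the protocol into a Schnorr signature, as an added example that is not part of the original deck. The toy group (p = 2039, q = 1019, g = 4), the use of SHA-256 as H and the function names are this example's own assumptions.

```python
"""Schnorr signatures from the PK protocol via the Fiat-Shamir heuristic:
the challenge becomes c = H(t || m), so the proof is non-interactive and bound
to the message m; the slide writes this SPK(α): y = g^α (m).
Toy parameters constructed for this example; not for production use."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # constructed toy group: p = 2q+1, g of order q


def hash_challenge(t, m):
    """c = H(t || m) reduced into Z_q; H (SHA-256 here) is modelled as a random oracle."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(2, "big") + m).digest(), "big") % Q


def keygen():
    """Signer's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m, r=None):
    """Signature (c, s): t = g^r, c = H(t || m), s = r - c*x mod q.
    r must be fresh and secret for every signature; the parameter exists
    only so that a test can fix it."""
    if r is None:
        r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = hash_challenge(t, m)
    return c, (r - c * x) % Q


def recover_t(y, sig):
    """Verifier's recomputation t = g^s y^c; for an honest signer this equals g^r."""
    c, s = sig
    return (pow(G, s, P) * pow(y, c, P)) % P


def verify(y, m, sig):
    """Accept iff c == H(g^s y^c || m), i.e. the recomputed t hashes back to c."""
    return sig[0] == hash_challenge(recover_t(y, sig), m)
```

Binding the message into the hash is what turns the interactive proof into a signature: changing m changes the expected challenge, so a transcript for one message does not verify for another.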
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
– PK(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α
– PK(α, β): y = g^α ∨ z = g^β
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures)
– SPK(α): y = g^α (m)
Many exponents
– PK(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β
Intervals and groups of different order (under SRSA)
– PK(α): y = g^α ∧ α ∈ [A, B]
– PK(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now what does PK(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3 mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = g^α1 g^α2 h^β3 = g^(α1 + α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3?
→ C3 = g^α1 g^(5·α2) h^β3 = g^(α1 + 5·α2) h^β3
→ α3 = α1 + 5·α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now what does PK(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3' mean?
→ Prover knows values α1, β1, α2, β2, β3' such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^(α2·α1) h^(β3' + β2·α1)
C3 = g^(α2·α1) h^(β3' + β2·α1) = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now what does PK(α1, β1, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2 mean?
→ Prover knows values α1, β1, β2 such that
C1 = g^α1 h^β1
g = (C2/C1)^α1 h^β2 = (C2 g^(-α1) h^(-β1))^α1 h^β2
→ g^(1/α1) = C2 g^(-α1) h^(-β1) h^(β2/α1)
C2 = g^α1 h^β1 h^(-β2/α1) g^(1/α1) = g^(α1 + 1/α1) h^(β1 - β2/α1)
C2 = g^α2 h^β2
→ α2 = α1 + α1^(-1) (mod q)
Privacy-protecting authentication with Privacy ABCs
Building blocks of Alice's credentials: signature scheme, commitment scheme, zero-knowledge proofs
signature schemes
Signature Scheme: Functionality
– Key generation: signer generates a secret signing key and a public verification key
– Signing: σ = sig((m1, …, mk), sk)
– Verification: ver(σ, (m1, …, mk), pk) = true
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures σ1, …, σl on messages m1, …, ml of its choice (adaptively, one after the other) and must not be able to output σ and m ≠ mi s.t. ver(σ, m, pk) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1); s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do proof of knowledge of a signature on a message, e.g. PK(m, s): s^e = H(m) (mod n)
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ
– choose random prime 2^(ℓ+2) > e > 2^(ℓ+1) and integer s ≈ n; compute c = (d / (a1^m1 ··· ak^mk b^s))^(1/e) mod n
– signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, …, mk
– m1, …, mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
– d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe
– Let c' = c b^t mod n with randomly chosen t
– Then d = c'^e a1^m1 a2^m2 b^(s - e·t) (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2
To prove knowledge of signature (c', e, s') on m2 and some m1, provide c' and
PK(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
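CL signing, verification and the re-randomisation c' = c·b^t, s' = s − e·t from the two slides above, as an added example that is not from the deck or from the Identity Mixer code base. The toy modulus (two constructed six-digit primes), ℓ = 8, the seeds for a_i, b, d and all function names are assumptions of this example; real parameters are ~2048-bit safe-prime moduli.

```python
"""CL signatures on a block of messages, with the verification check and the
re-randomisation observed on the slide. Toy RSA modulus constructed for this
example; not for production use."""
import math
import secrets

P_, Q_ = 1000003, 1000033          # constructed toy primes: the issuer's secret key
N = P_ * Q_                        # public modulus n
PHI = (P_ - 1) * (Q_ - 1)          # φ(n), needed only by the signer for e-th roots
L = 8                              # message length ℓ in bits: m_i ∈ {0,1}^ℓ
K = 2                              # number of messages per signature


def qr(x):
    """A quadratic residue mod n (every square is in QR_n)."""
    return pow(x, 2, N)


# public key: a_1..a_k, b, d ∈ QR_n (constructed from fixed seeds)
A = [qr(12345), qr(67891)]
B = qr(24680)
D = qr(13579)


def is_prime(x):
    """Trial division; fine for the small exponents used here."""
    return x >= 2 and all(x % f for f in range(2, math.isqrt(x) + 1))


def pick_exponent():
    """Random prime e with 2^(ℓ+1) < e 
< 2^(ℓ+2); gcd(e, φ(n)) = 1 so the e-th root exists."""
    lo, hi = 2 ** (L + 1) + 1, 2 ** (L + 2)
    while True:
        e = secrets.randbelow(hi - lo) + lo
        if is_prime(e) and math.gcd(e, PHI) == 1:
            return e


def sign(msgs):
    """Issuer: c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n; signature is (c, e, s)."""
    assert len(msgs) == K and all(0 <= m < 2 ** L for m in msgs)
    e = pick_exponent()
    s = secrets.randbelow(N)                    # integer s ≈ n
    inner = pow(B, s, N)
    for a, m in zip(A, msgs):
        inner = inner * pow(a, m, N) % N
    base = D * pow(inner, -1, N) % N
    c = pow(base, pow(e, -1, PHI), N)           # e-th root needs the factorisation of n
    return c, e, s


def verify(msgs, sig):
    """Anyone: d == c^e a_1^m_1 ... a_k^m_k b^s mod n, with m_i ∈ {0,1}^ℓ and e > 2^(ℓ+1)."""
    c, e, s = sig
    if len(msgs) != K or any(not 0 <= m < 2 ** L for m in msgs) or e <= 2 ** (L + 1):
        return False
    rhs = pow(c, e, N) * pow(B, s, N) % N       # negative s (after re-randomising) uses b^-1
    for a, m in zip(A, msgs):
        rhs = rhs * pow(a, m, N) % N
    return rhs == D


def rerandomize(sig):
    """Slide's observation: c' = c b^t, s' = s - e t is another valid signature
    on the same messages, so the user can reveal a fresh c' at every show."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t
```

Python's `pow(x, -1, n)` (3.8+) supplies the modular inverses; the negative exponent s' after re-randomisation is handled the same way, which is what makes c' verifiable without the issuer's help.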
Privacy-protecting authentication with Privacy ABCs
Building blocks of Alice's credentials: signature scheme, commitment scheme, zero-knowledge proofs
commitment scheme
Commitment Scheme: Functionality
– commit: the sender locks a message m into a commitment (illustrated with a combination lock) and hands it over
– open: later the sender reveals m (and the opening information) and the receiver checks that the commitment contains m
Commitment Scheme: Security
– Binding: a commitment to m cannot be opened to a different message m'
– Hiding: for all messages m, m', a commitment to m and a commitment to m' look the same to the receiver
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
• Pedersen: perfectly hiding, computationally binding; choose r ∈ Z_q and compute c = g^x h^r
• ElGamal: computationally hiding, perfectly binding; choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open commitment:
• reveal x and r to verifier
• verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding
– Let c be a commitment and u = log_g h
– Thus c = g^x h^r = g^(x + u·r) = g^((x + u·(r - r')) + u·r') = g^(x + u·(r - r')) h^r' for any r'
– I.e. given c and any x', there exists r' such that c = g^x' h^r'
Computationally binding
– Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'
– Then g^(x - x') = h^(r' - r) and u = log_g h = (x - x') / (r' - r) mod q
Commitment Scheme: Extended Features
– Proof of knowledge of contents: prove knowledge of m inside a commitment → true
– Proof of relations among contents: prove that two commitments contain m and m' with m' = 2·m → true
Let C1 = g^m h^r and C2 = g^m' h^r', then
– PK(α, β): C1 = g^β h^α (knowledge of contents)
– PK(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ (proves m' = 2·m)
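Pedersen commitments with a Σ-proof of a relation among committed values, serving both the "Some Example Proofs and Their Analysis" slides (the proof PK(α1, β1, α2, β2, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α1 g^α2 h^β3, which shows α3 = α1 + α2) and the "Extended Features" slide above. This is an added example, not code from the deck; the toy group (p = 2039, q = 1019, g = 4, h = 9), the Fiat-Shamir challenge via SHA-256 and the function names are its own assumptions. In a real setting log_g h must be unknown to the prover.

```python
"""Pedersen commitments and a non-interactive Σ-proof that C3 commits to the
sum of the values committed in C1 and C2, revealing none of the values.
Toy group constructed for this example: p = 2q+1, g and h of order q."""
import hashlib
import secrets

P, Q, G, H = 2039, 1019, 4, 9


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r with fresh randomness r."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, x, P) * pow(H, r, P)) % P, r


def open_commitment(c, x, r):
    """Opening check: c == g^x h^r."""
    return c == (pow(G, x, P) * pow(H, r, P)) % P


def challenge(*elements):
    """Fiat-Shamir challenge over every group element of the transcript."""
    data = b"".join(e.to_bytes(2, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_sum(a1, b1, a2, b2, b3):
    """Prover: knows openings (a1, b1), (a2, b2) of C1, C2 and the randomness
    b3 of C3 = g^(a1+a2) h^b3. Returns the commitments and the proof."""
    C1, _ = commit(a1, b1)
    C2, _ = commit(a2, b2)
    C3, _ = commit((a1 + a2) % Q, b3)
    # one random mask per secret exponent
    ra1, rb1, ra2, rb2, rb3 = (secrets.randbelow(Q) for _ in range(5))
    T1 = (pow(G, ra1, P) * pow(H, rb1, P)) % P
    T2 = (pow(G, ra2, P) * pow(H, rb2, P)) % P
    # reusing the masks ra1 and ra2 here is what ties C3 to C1 and C2
    T3 = (pow(G, ra1 + ra2, P) * pow(H, rb3, P)) % P
    c = challenge(C1, C2, C3, T1, T2, T3)
    responses = tuple((r - c * w) % Q for r, w in
                      ((ra1, a1), (rb1, b1), (ra2, a2), (rb2, b2), (rb3, b3)))
    return (C1, C2, C3), (c, responses)


def verify_sum(commitments, proof):
    """Verifier: recompute the T's from the responses and check the challenge."""
    C1, C2, C3 = commitments
    c, (sa1, sb1, sa2, sb2, sb3) = proof
    T1 = (pow(G, sa1, P) * pow(H, sb1, P) * pow(C1, c, P)) % P
    T2 = (pow(G, sa2, P) * pow(H, sb2, P) * pow(C2, c, P)) % P
    T3 = (pow(G, sa1 + sa2, P) * pow(H, sb3, P) * pow(C3, c, P)) % P
    return c == challenge(C1, C2, C3, T1, T2, T3)
```

The verifier's equation for T3 uses the same response exponents sa1 and sa2 as for T1 and T2, so it can only hold when the exponent of g in C3 equals α1 + α2; that is the algebraic content of the slide's analysis, now executed rather than derived.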
putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym
– Choose random r ∈ Z_q
– Compute Nym = g^sk h^r
Like PKI, but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept: credentials (e.g. Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk
– m1, …, mk ∈ {0,1}^ℓ
– e > 2^(ℓ+1)
– d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: pseudonym not in message space
Solution: sign secret key instead
→ d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
Signer gets commitments to m1, …, mj and the clear messages (mj+1, …, mk); σ = sig((commitments to m1, …, mj, mj+1, …, mk), sk)
Verification remains unchanged: ver(σ, (m1, …, mk), pk) = true
Security requirements basically the same as for signatures, but
• signer should not learn any information about m1, …, mj
• forgery w.r.t. message clear parts and openings of commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
User: computes C = a1^sk b^s' and sends C together with name; proves PK(μ1, σ): C = a1^μ1 b^σ
Issuer: chooses e, s''; computes c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')
User: obtains d = c^e a1^sk a2^name b^(s'' + s') (mod n)
Realizing Issuance of Credential – want to sign w.r.t. Nym = g^sk h^r
User: Nym = g^sk h^r, C = a1^sk a2^r b^s'; sends C, Nym, name; proves PK(μ1, ρ, σ): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ
Issuer: c = (d / (C a3^name b^s''))^(1/e) mod n; stores (Nym, name); returns (c, e, s'')
User: d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n)
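The issuance flow above on a hidden secret key, as an added example that is not part of the deck or of Identity Mixer: the user commits to sk, proves knowledge of the opening, the issuer completes the signature blindly, and the user assembles and checks the credential. The toy modulus, ℓ = 8, the integer-response Σ-proof (64-bit challenge, masks 80 bits wider than the secrets) and all names are assumptions of this example; the `Nym`-binding variant adds a second committed exponent in the same way and is not repeated here.

```python
"""Issuing a CL credential on a committed secret key: the issuer never sees sk.
Toy parameters constructed for this example; not for production use."""
import hashlib
import math
import secrets

P_, Q_ = 1000003, 1000033           # constructed toy primes, known only to the issuer
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
L = 8                               # attribute length ℓ; sk and name are ℓ-bit values here
CH = 64                             # challenge length of the Σ-proof
A1, A2, B, D = (pow(x, 2, N) for x in (12345, 67891, 24680, 13579))   # QR_n elements


def to_bytes(*xs):
    return b"".join(x.to_bytes(8, "big") for x in xs)


def user_commit(sk):
    """User: C = a1^sk b^s' with fresh s' (kept to complete the signature later)."""
    s1 = secrets.randbelow(N)
    return (pow(A1, sk, N) * pow(B, s1, N)) % N, s1


def prove_opening(C, sk, s1):
    """PK(μ1, σ): C = a1^μ1 b^σ, non-interactive. The group order is unknown,
    so responses are integers; masks far larger than the secrets hide them."""
    rm = secrets.randbelow(2 ** (L + CH + 80))
    rs = secrets.randbelow(N << (CH + 80))
    T = (pow(A1, rm, N) * pow(B, rs, N)) % N
    c = int.from_bytes(hashlib.sha256(to_bytes(C, T)).digest(), "big") % 2 ** CH
    return c, rm - c * sk, rs - c * s1


def verify_opening(C, proof):
    """Issuer checks a1^zm b^zs C^c == T by recomputing the challenge."""
    c, zm, zs = proof
    T = (pow(A1, zm, N) * pow(B, zs, N) * pow(C, c, N)) % N
    return c == int.from_bytes(hashlib.sha256(to_bytes(C, T)).digest(), "big") % 2 ** CH


def next_usable_prime(start):
    """Smallest prime ≥ start with gcd(e, φ(n)) = 1, so the e-th root exists."""
    e = start | 1
    while not (all(e % f for f in range(3, math.isqrt(e) + 1, 2)) and math.gcd(e, PHI) == 1):
        e += 2
    return e


def issuer_sign(C, proof, name):
    """Issuer: after checking the proof, pick prime e > 2^(ℓ+1) and random s'',
    then c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')."""
    if not verify_opening(C, proof):
        raise ValueError("user did not prove knowledge of the commitment opening")
    e = next_usable_prime(2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1)))
    s2 = secrets.randbelow(N)
    inner = (C * pow(A2, name, N) * pow(B, s2, N)) % N
    c = pow(D * pow(inner, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def user_complete(sig, s1):
    """User: s = s' + s''; the credential is (c, e, s)."""
    c, e, s2 = sig
    return c, e, s1 + s2


def verify_credential(cred, sk, name):
    """d == c^e a1^sk a2^name b^s mod n with e > 2^(ℓ+1)."""
    c, e, s = cred
    lhs = (pow(c, e, N) * pow(A1, sk, N) * pow(A2, name, N) * pow(B, s, N)) % N
    return e > 2 ** (L + 1) and lhs == D
```

The issuer's computation touches only C, name and its own randomness s'', so the transcript it stores contains no information about sk beyond what the commitment hides; the proof step is what stops a user from getting a signature on a commitment she cannot open.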
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– User can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
Issuer public key (n, a1, a2, a3, b, d)
– User generates pseudonym (ID for registration)
– User obtains credential on pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e a1^sk a2^r a3^attr b^s (mod n)
– Credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. User sends transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
– P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential
– c' = c b^t mod n with randomly chosen t
– SPK(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1) (opinion)
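The domain-pseudonym part of the polling solution (step 1 of "Submit Poll" and the uniqueness check), as an added example that is not from the deck. The toy group, the way H(pollID) is mapped into the order-q subgroup (hash, then square) and the poll identifiers are constructed for this example; the SPK on the credential that accompanies the pseudonym in the real protocol is not reproduced here.

```python
"""Domain pseudonyms for the polling scenario: P = H(pollID)^sk in the
order-q subgroup. The same user in the same poll always yields the same P,
so a second opinion is detected and dropped; across polls the bases
H(pollID_1), H(pollID_2) differ, so P_1 and P_2 are unlinkable under DDH.
Toy group constructed for this example (p = 2q + 1)."""
import hashlib
import secrets

P, Q = 2039, 1019


def hash_to_group(poll_id):
    """g_d = H(pollID): hash into Z_p^*, then square to land in the order-q subgroup
    (assumption of this example; any hash-to-subgroup method works)."""
    digest = hashlib.sha256(poll_id.encode()).digest()
    h = int.from_bytes(digest, "big") % (P - 1) + 1
    return pow(h, 2, P)


def domain_pseudonym(sk, poll_id):
    """Step 1 of 'Submit Poll': P = H(pollID)^sk."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Collects opinions keyed by domain pseudonym; duplicates are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False          # same domain pseudonym → subsequent attempt dropped
        self.opinions[pseudonym] = opinion
        return True


def run_scenario():
    """Alice votes in two polls and tries to vote twice in the first one."""
    sk_alice = secrets.randbelow(Q - 1) + 1
    course_eval = Pollster("course-eval-2014")        # constructed poll identifiers
    lecturer_poll = Pollster("lecturer-poll-2014")
    first = course_eval.submit(domain_pseudonym(sk_alice, course_eval.poll_id), "great course")
    second = course_eval.submit(domain_pseudonym(sk_alice, course_eval.poll_id), "and again")
    other = lecturer_poll.submit(domain_pseudonym(sk_alice, lecturer_poll.poll_id), "fine")
    return first, second, other, len(course_eval.opinions)
```

Because the pollster only ever sees H(pollID)^sk, it can match repeat submissions within its own poll but has no common base across polls to compare against, which is the linkability boundary the requirements ask for.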
Further Concepts
Concept – Inspection (TTP; inspector parameters; inspection grounds)
• If car is damaged, ID with insurance or government needs to be retrieved
• Similarly: verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption
– Key generation
– Encryption
– Decryption
Security: like envelopes – no info about the message; an observer cannot tell which of two messages an envelope contains
This is called semantic security (secure if used once only or within a careful construction)
Verifiable Encryption with Label
Label is important to bind context to an encryption, e.g. defines decryption condition, binds user to car, etc.
Security definition: change of label is a new ciphertext
Verifiable Encryption
– Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or rarely ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård, works for any scheme but much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, …, q}; public key: y = g^x
To encrypt message m ∈ <g>
– choose random r ∈ {1, …, q}
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c1, c2)
– We know c = (y^r m, g^r) = (g^(x·r) m, g^r)
– Thus set m = c1 · c2^(-x) = y^r m g^(-x·r) = y^(r-r) m = m
Realizing Inspection
Nym = g^sk h^r; credential d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n); inspector's public key y = g^x
Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute proof token (presentation token)
– compute c' = c b^t mod n with randomly chosen t
– compute proof PK(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)
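The ElGamal part of inspection (encrypting Nym under the inspector's key, decrypting it, and mapping it back to the name the issuer stored), as an added example that is not from the deck. The toy group, the `Issuer` record store and the `grounds_met` flag standing in for the inspection grounds are assumptions of this example; the zero-knowledge proof that ties e1, e2 to the credential is described on the slide and not reproduced here.

```python
"""Inspection with ElGamal: the user encrypts her pseudonym Nym under the
inspector's public key; the off-line inspector decrypts only when the
inspection grounds are met and looks Nym up in the issuer's (Nym, name) records.
Toy group constructed for this example; not for production use."""
import secrets

P, Q, G, H = 2039, 1019, 4, 9      # constructed: p = 2q+1, g and h of order q


def inspector_keygen():
    """Inspector's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Nym = g^sk h^r, the pseudonym the credential is bound to."""
    return (pow(G, sk, P) * pow(H, r, P)) % P


def encrypt(y, nym):
    """enc = (y^u * Nym, g^u) = (e1, e2) for random u; fresh u each time, so two
    encryptions of the same Nym are unrelated to the verifier."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * nym) % P, pow(G, u, P)


def decrypt(x, enc):
    """Nym = e1 * e2^(-x): the mask y^u = g^(x*u) cancels against e2^x."""
    e1, e2 = enc
    return (e1 * pow(e2, -x, P)) % P


class Issuer:
    """Keeps the (Nym, name) pairs recorded at issuance ('stores Nym, name')."""

    def __init__(self):
        self.records = {}

    def register(self, nym, name):
        self.records[nym] = name


def inspect(x, enc, issuer, grounds_met):
    """Inspector (TTP): recovers the identity only if the inspection grounds hold,
    otherwise the ciphertext stays sealed."""
    if not grounds_met:
        return None
    return issuer.records.get(decrypt(x, enc))
```

The separation matters for the trust argument on the slide: the verifier only ever holds (e1, e2), which is semantically secure, while the inspector only acts under the agreed grounds and can be distributed so that no single party holds x.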
Revocation of credentials
Anonymous Credential Revocation
– Issuer publishes revocation info; verifier looks it up
– Alice should be able to convince verifier that her credential is among the good ones
– Various reasons to revoke credential: user lost credential secret key, misbehavior of user
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
Publish list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list
– Choose random g'
– Compute U_j = g'^u_j for u_j in (u_1, …, u_k)
– Prove PK(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g'^μ) ∨ … ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g'^μ)
Not very efficient, i.e. linear in size k of list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
Publish list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list
– Choose random h and compute U = h^u_i
– Prove PK(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ
– Verifier checks whether U ≠ h^u_j for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable
Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while
– Can pre-compute list U_j = h^u_j → single table lookup
– BUT if user comes again, verifier can link; ALSO verifier could not change h at all, or use the same h as other verifiers
– One way out: h = H(verifier, date) so user can check correctness
– date could be the time up to seconds and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – … better implementation of proof
Issuer signs intervals between revoked values: for revocation list {1, 4, 5} → Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
User whose credential contains value 3 proves that she holds Sig(i,j) with i < 3 < j
Verifier does not learn i, j
Sig(i,j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
– credentials contain a random serial number (1, 2, 3, 4, 5, 6 in the picture)
– issuer accumulates all good serial numbers
– proof that a serial number (e.g. 2) is included in the accumulator requires a witness
– to revoke 2, issuer publishes new accumulator & new witnesses for unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate
– values are primes e_i
– accumulator value z = v^(Π e_i) mod n
– publish z and n
– witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e_1 ··· e_(j-1) · e_(j+1) ··· e_k) mod n
Show that your value e is contained in accumulator
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of accumulator: it must be infeasible to find x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to RSA assumption
– Any e: equivalent to Strong RSA assumption
Revocation: each cert is associated with an e and each user gets witness x with certificate. But we still need
– Efficient protocol to prove that committed value is contained in accumulator
– Dynamic accumulator, i.e. ability to remove and add values to accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x:
  • choose random s and g, and
  • compute $U_1 = x h^{s}$, $U_2 = g^{s}$, and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n\ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n\ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n\ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed:
  • $(U_1, U_2)$ is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu}(1/g)^{\xi} = (g^{\delta})^{\mu}(1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta\mu$
  b) $z = U_1^{\mu}(1/h)^{\xi} = U_1^{\mu}(1/h)^{\delta\mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the e signed in the certificate
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod_i e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness update:
  • use the extended Euclidean algorithm to compute a and b such that $a\,e_{own} + b\,e_{rev} = 1$
  • now $x' = x^{b} z'^{a} \bmod n$
  • why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b\,e_{rev}} (z'^{e_{rev}})^{a\,e_{own}})^{1/e_{rev}} = (z^{b\,e_{rev}} z^{a\,e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n.
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod_i e_i} \bmod n$
– Actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$
– Thus z need not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
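As an added example (not code from the slides), the following Python walks the accumulator through the operations above with constructed toy parameters: accumulate a set of primes, compute and verify a witness, let a member join the improved way (the issuer takes an e-th root and z stays unchanged), revoke a member, and update the remaining witnesses with the extended-Euclid formula. The modulus n = 1019 · 1327, the seed v = 4 and the primes are constructed sample values and far too small for real use.

```python
# Added example, not from the slides: toy RSA accumulator with dynamic
# add/remove and the extended-Euclid witness update described above.
# All parameters are constructed sample values (n is tiny; never use in practice).

P, Q = 1019, 1327          # issuer's secret primes (constructed)
N = P * Q                  # public RSA modulus n
PHI = (P - 1) * (Q - 1)    # known to the issuer only
V = 4                      # public seed v (a quadratic residue mod n)


def accumulate(primes, seed=V, n=N):
    """Accumulator value z = v^(e_1 * ... * e_k) mod n."""
    z = seed
    for e in primes:
        z = pow(z, e, n)
    return z


def witness(primes, e_j, seed=V, n=N):
    """Witness x for e_j: x = v^(product of all e_i except e_j) mod n."""
    x = seed
    for e in primes:
        if e != e_j:
            x = pow(x, e, n)
    return x


def verify(z, x, e, n=N):
    """Membership check from the slide: accept iff z == x^e mod n."""
    return pow(x, e, n) == z


def issuer_root(z, e, phi=PHI, n=N):
    """Issuer-side e-th root z^(1/e) mod n, using the factorization of n.
    Used both to revoke (new z' = z^(1/e_rev)) and, in the improved
    scheme, to hand a joining member the witness x = z^(1/e_new)."""
    return pow(z, pow(e, -1, phi), n)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def mpow(base, exp, n=N):
    """Modular power that also accepts negative exponents (via the inverse)."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)


def user_update_witness(x, z_new, e_own, e_rev, n=N):
    """Witness update after revocation of e_rev, without the factorization:
    find a, b with a*e_own + b*e_rev = 1 and set x' = x^b * z'^a mod n.
    Then x'^e_own = z^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return (mpow(x, b, n) * mpow(z_new, a, n)) % n


def demo():
    """Full life cycle: accumulate, join (improved scheme), revoke, update."""
    members = [5, 7, 11]
    z = accumulate(members)
    x7 = witness(members, 7)
    assert verify(z, x7, 7)

    # Improved join: z stays the same; the issuer gives 19 the witness z^(1/19).
    x19 = issuer_root(z, 19)
    assert verify(z, x19, 19) and verify(z, x7, 7)
    members.append(19)

    # Revoke 11: the issuer publishes z' = z^(1/11); members update themselves.
    z_new = issuer_root(z, 11)
    x7_new = user_update_witness(x7, z_new, 7, 11)
    x19_new = user_update_witness(x19, z_new, 19, 11)
    assert verify(z_new, x7_new, 7) and verify(z_new, x19_new, 19)
    return z, z_new, x7_new


if __name__ == "__main__":
    demo()
    print("accumulator demo ok")
```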
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier.
– If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses e and s'', computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns (c, e, s'').
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Idea: just repeat the last step for each new time period $time_i$: the issuer chooses $e_i, s_i''$ and computes $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
– Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy at the Authentication Layer
Authentication without identification

What is an identity & identity management?
(figure: attributes such as name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance)
ID: a set of attributes shared with someone
– attributes are not static: user & party can add
ID Management: two things to make an ID useful
– authentication means
– means to transport attributes between parties
Let's see a scenario

Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: I wish to see "Alice in Wonderland".
Movie Streaming Service → Alice: You need a subscription and to be older than 12.

Watching the movie with the traditional solution
Alice → Movie Streaming Service: ok, here's my eID and my subscription.
Movie Streaming Service: Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, eID expires Aug 4, 2018; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016.
This is a privacy and security problem:
– identity theft
– profiling
– discrimination

Watching the movie with OpenID and similar solutions (e.g. log-in with Facebook)
The identity provider learns: Aha, Alice is watching a 12+ movie.
The Movie Streaming Service learns: Aha, you are Alice@facebook.com, born on Dec 12, 1975, Alice's friends are …, Alice's public profile is …; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016.

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
– One secret identity (secret key)
– Many public pseudonyms (public keys)

Issuing a credential (example attributes: Name = Alice Doe, Birth date = April 3, 1997)

Alice → Movie Streaming Service: I wish to see "Alice in Wonderland".
Movie Streaming Service → Alice: You need a subscription and to be older than 12.
Like PKI, but the credential is not sent; only minimal disclosure: Alice presents a proof of a valid subscription and of an eID with age ≥ 12, which the service checks with the public verification key of the issuer.
Movie Streaming Service: Aha, you are older than 12 and have a subscription.

Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28).

Further Concepts
Concept – Inspection
• If the car is damaged, the ID needs to be retrievable by the insurance or the government (via a TTP).
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line & can be distributed to lessen trust.

Concept – Revocation
(figure: revocation authority parameters (public key), revocation info)
• If Alice was speeding, her license needs to be revoked.
• There are many different use cases and many solutions:
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
• Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works

Concept – Usage Limitation
Degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught.
Use limitation – anonymous until
– Alice used certs > 100 times total
– or > 10,000 times with Bob
Alice's cert can be bound to a hardware token (e.g. TPM).
A couple of use cases

Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.

Healthcare
– Anonymous access to patients' records: accessing medical test results
– Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
– Online polls: applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(figure: three layers on the user side and on the verifier side, exchanging a resource request, a presentation policy and a presentation token)
– Application layer: wallet on the user side; AC & app logic on the verifier side
– Policy layer (user): policy/credential matcher, credential manager, store, evidence generation orchestration
– Policy layer (verifier): policy/token matcher, token manager, store, evidence verification orchestration
– Crypto layer (both sides): Sig, Enc, Com, ZKP, store
Privacy-protecting authentication with Privacy ABCs
(figure: issuer parameters, credential specification, credential, pseudonym, presentation policy and presentation token (e.g. 12 < age), verifier parameter)

The Policy Layer – An Example Presentation Policy
User ← presentation policy ← Verifier; User → presentation token → Verifier
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response).
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows x such that $y = g^{x}$, such that the verifier only learns y and g.
Prover: random r, $t = g^{r}$ → sends t
Verifier: random c → sends c
Prover: $s = r - cx$ → sends s
Verifier: checks $t = g^{s} y^{c}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same t with challenges c and c', obtaining responses s and s':
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees":
– choose random c', s', compute $t = g^{s'} y^{c'}$, send t
– receive c; if c = c', send s = s', otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier: random $c_v$, $h = H(c_v)$ → sends h
Prover: random r, $t = g^{r}$ → sends t
Verifier → sends $c_v$
Prover: checks $h = H(c_v)$, computes $s = r - c_v x$ → sends s
Verifier: checks $t = g^{s} y^{c_v}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c (the simulator):
– receive h; choose random c', s', compute $t = g^{s'} y^{c'}$, send t
– after having received $c_v$, "reboot" the verifier to the point after it sent h
– choose random s', compute $t = g^{s'} y^{c_v}$, send t; the verifier answers with the same $c_v$, since h commits it to that value
– send s'
From Protocols To Signatures
Signing a message m:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output (c, s)
Verifying a signature (c, s) on a message m:
– check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
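As an added example (not code from the slides), the following Python implements the three-move protocol above, the extractor that rewinds the prover to two challenges on the same t, and the Fiat-Shamir signature SPK. Group parameters are constructed toy values: p = 2q + 1 with q = 1019, g = 4 generating the subgroup of order q, and SHA-256 reduced into $\mathbb{Z}_q$ standing in for H.

```python
# Added example, not from the slides: Schnorr proof of knowledge of a discrete
# logarithm, knowledge extraction by rewinding, and the SPK signature.
# Constructed toy parameters: p = 2q + 1, q = 1019, g = 4 of order q.
import hashlib
import secrets

P = 2039   # prime modulus, p = 2q + 1
Q = 1019   # prime order of <g>
G = 4      # generator of the order-q subgroup


def keygen():
    """Secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: random r, commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Round 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff t == g^s * y^c (mod p)."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def extract(c1, s1, c2, s2):
    """Two accepting transcripts (t, c1, s1), (t, c2, s2) with c1 != c2:
    g^s1 y^c1 = g^s2 y^c2  =>  y^(c1-c2) = g^(s2-s1)  =>  x = (s2-s1)/(c1-c2) mod q."""
    return ((s2 - s1) * pow((c1 - c2) % Q, -1, Q)) % Q


def _hash_challenge(t, msg):
    """c = H(t || m) reduced into Z_q (the slide's random oracle)."""
    h = hashlib.sha256(t.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def spk_sign(x, msg):
    """SPK{(alpha): y = g^alpha}(m): the challenge comes from the hash."""
    r, t = prover_commit()
    c = _hash_challenge(t, msg)
    return c, (r - c * x) % Q


def spk_verify(y, msg, sig):
    """Recompute t = g^s y^c and check c == H(t || m)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == _hash_challenge(t, msg)


def demo():
    """Interactive run, rewinding extraction, and a signature on a constructed message."""
    x, y = keygen()
    r, t = prover_commit()
    c = secrets.randbelow(Q)
    s = prover_respond(x, r, c)
    ok = verifier_check(y, t, c, s)
    # Rewind: same r (hence same t), a different challenge, then extract x.
    c2 = (c + 1) % Q
    s2 = prover_respond(x, r, c2)
    extracted = extract(c, s, c2, s2)
    msg = b"constructed sample message"
    return ok, extracted == x, spk_verify(y, msg, spk_sign(x, msg))


if __name__ == "__main__":
    print(demo())
```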
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^{\alpha} \wedge z = \tilde{g}^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\tilde{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2/C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Signature Schemes
Signature Scheme Functionality
– Key generation: secret signing key, public verification key
– Signing: $\sigma = sig((m_1, \ldots, m_k), \text{secret key})$
– Verification: $ver(\sigma, (m_1, \ldots, m_k), \text{public key}) = true$

Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice and must not be able to output $\sigma$ and $m \neq m_i$ such that $ver(\sigma, m, \text{public key}) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function $H: \{0,1\}^{*} \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
Verification of signature s on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme – for reference
Verification of a signature on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^{e} = H(m) \pmod n\}$?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus n and $a_i, b, d \in QR_n$.
Secret key: the factors of n.
To sign k messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
– the signature is (c, e, s)

CL-Signature Scheme
To verify a signature (c, e, s) on messages $m_1, \ldots, m_k$, check:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe:
– Let $c' = c\, b^{t} \bmod n$ with randomly chosen t.
– Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature (c', e, s') on $m_2$ and some $m_1$: provide c' and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
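As an added example (not code from the slides), the following Python signs two messages with a toy CL key, verifies against $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s}$, and re-randomises the signature as $c' = c b^{t}$, $s' = s - et$ as described above, showing that the re-randomised triple still verifies. The modulus n = 1019 · 1327, the bases $a_1, a_2, b, d$ and the prime e are constructed sample values; the size conditions on e, s and the messages are not enforced.

```python
# Added example, not from the slides: toy CL signature on two messages,
# verification, and the re-randomisation used before proving knowledge.
# All parameters are constructed sample values (n is tiny; never use in practice).

P, Q = 1019, 1327               # signer's secret primes (constructed)
N = P * Q                       # public RSA modulus n
PHI = (P - 1) * (Q - 1)         # known to the signer only
A1, A2, B, D = 9, 25, 49, 121   # quadratic residues mod n (squares of 3, 5, 7, 11)
E = 23                          # a prime coprime to phi(n), standing in for e


def mpow(base, exp, n=N):
    """Modular power accepting negative exponents via the inverse."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)


def sign(m1, m2, s, e=E, n=N, phi=PHI):
    """c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n; the e-th root needs phi(n)."""
    prod = (pow(A1, m1, n) * pow(A2, m2, n) * pow(B, s, n)) % n
    base = (D * pow(prod, -1, n)) % n
    c = pow(base, pow(e, -1, phi), n)
    return c, e, s


def verify(sig, m1, m2, n=N):
    """Accept iff d == c^e a1^m1 a2^m2 b^s mod n (s may be negative after re-randomisation)."""
    c, e, s = sig
    lhs = (mpow(c, e, n) * pow(A1, m1, n) * pow(A2, m2, n) * mpow(B, s, n)) % n
    return lhs == D


def rerandomize(sig, t, n=N):
    """(c', e, s') = (c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    return (c * pow(B, t, n)) % n, e, s - e * t


def demo():
    """Sign, verify, re-randomise, verify again; c' differs from c."""
    sig = sign(7, 13, s=100003)
    sig2 = rerandomize(sig, t=5)
    return verify(sig, 7, 13), verify(sig2, 7, 13), sig[0] != sig2[0]


if __name__ == "__main__":
    print(demo())
```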
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Commitment Scheme
Commitment Scheme Functionality
(figure: commit to a message m, e.g. 2-36-17, then open the commitment to m)

Commitment Scheme Security
– Binding: the committer cannot open the commitment to a different message (e.g. 3-21-11 instead of 2-36-17)
– Hiding: for all messages m, m', the commitments to m and to m' cannot be told apart before opening
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order q.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open the commitment:
• reveal x and r to the verifier
• the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
Perfectly hiding:
Let c be a commitment and $u = \log_g h$.
Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur') + u(r - r')} = g^{x + u(r - r')} h^{r'}$ for any r'.
I.e. given c and x' there exists r' such that $c = g^{x'} h^{r'}$.
Computationally binding:
Let c, (x, r) and (x', r') be such that $c = g^{x} h^{r} = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$.
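As an added example (not code from the slides), the following Python makes both arguments above executable in a toy group: with the trapdoor $u = \log_g h$ a commitment can be opened to any x' (perfect hiding), and two different openings of the same commitment yield u (computational binding). The parameters p = 2q + 1 with q = 1019, g = 4 and u = 7 are constructed; in a real setup nobody knows u.

```python
# Added example, not from the slides: Pedersen commitment c = g^x h^r with
# trapdoor equivocation (hiding) and trapdoor extraction from two openings
# (binding). Constructed toy parameters; never use such sizes in practice.
import secrets

P, Q, G = 2039, 1019, 4       # p = 2q + 1, g of prime order q
U_TRAPDOOR = 7                # constructed; h = g^u, u unknown in a real setup
H = pow(G, U_TRAPDOOR, P)


def commit(x, r):
    """Pedersen commitment c = g^x h^r mod p."""
    return (pow(G, x, P) * pow(H, r, P)) % P


def open_ok(c, x, r):
    """Verifier's check on an opening (x, r)."""
    return c == commit(x, r)


def equivocate(x, r, x_new, u=U_TRAPDOOR):
    """Perfect hiding: with u = log_g h, c = g^(x+ur) = g^(x'+ur') for
    r' = r + (x - x')/u mod q, so the same c opens to any x'."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def extract_trapdoor(x1, r1, x2, r2):
    """Binding: g^x1 h^r1 = g^x2 h^r2 gives g^(x1-x2) = h^(r2-r1), hence
    u = log_g h = (x1 - x2)/(r2 - r1) mod q."""
    return ((x1 - x2) * pow((r2 - r1) % Q, -1, Q)) % Q


def demo():
    """Commit to 42, open the same c to 900 via the trapdoor, then recover u."""
    x, r = 42, secrets.randbelow(Q)
    c = commit(x, r)
    r2 = equivocate(x, r, 900)
    both_open = open_ok(c, x, r) and open_ok(c, 900, r2)
    return both_open, extract_trapdoor(x, r, 900, r2)


if __name__ == "__main__":
    print(demo())
```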
Commitment Scheme Extended Features
– Proof of knowledge of contents: prove knowledge of the m inside a commitment → true
– Proof of relations among contents: e.g. prove $m' = 2 \cdot m$ for two commitments → true
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^{2})^{\beta} h^{\gamma}\}$
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order q.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym Nym:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Like PKI, but better: issuing a credential (concept: credentials, e.g. Name = Alice Doe, Birth date = April 3, 1997)

Realizing Issuance of Credential
Recall a signature (c, e, s) on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user commits to $m_1, \ldots, m_j$ and reveals $m_{j+1}, \ldots, m_k$; the signer computes $\sigma = sig((\text{commitment to } m_1, \ldots, m_j,\ m_{j+1}, \ldots, m_k), \text{secret key})$.
Verification remains unchanged: $ver(\sigma, (m_1, \ldots, m_k), \text{public key}) = true$.
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, $a_i$, b, d.
1. The user computes $C = a_1^{sk} b^{s'}$ and sends C and her name to the issuer, together with
   $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
2. The issuer chooses e, s'' and computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns (c, e, s'').
3. The resulting credential satisfies $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.
Realizing Issuance of Credential
Issuer public key: n, $a_i$, b, d. Want to sign w.r.t. $Nym = g^{sk} h^{r}$.
1. The user computes $C = a_1^{sk} a_2^{r} b^{s'}$ and sends C, Nym and her name to the issuer, together with
   $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
2. The issuer stores (Nym, name), chooses e, s'' and computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$.
3. The resulting credential satisfies $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
An Example Scenario

Polling Scenario and Requirements
Scenario:
– Pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– The user generates a pseudonym (ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ (issuer public key $(n, a_1, a_2, b, d)$)
– The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym (domain = pollID).
2. The user transforms the credential.
3. The user presents the transformed credential with a subset of the attributes:
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen s'
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts

Concept – Inspection
(figure: TTP with inspector parameters and inspection grounds)
• If the car is damaged, the ID needs to be retrievable by the insurance or the government.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line & can be distributed to lessen trust.
Public Key Encryption
– Key generation
– Encryption
– Decryption
Security: like envelopes, a ciphertext gives no information about the message, not even which of two messages it contains.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label yields a new ciphertext.

Verifiable Encryption
Of attributes (discrete logarithms):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order q.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^{x}$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
– thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
User: $Nym = g^{sk} h^{r}$ and credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$. Inspector public key: $y = g^{x}$.
Encrypt Nym: random $u \in \{1, \ldots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen t
– compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of Credentials

Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key; misbehavior of the user.

Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for u_j in (u_1, …, u_k)
- prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
- verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.

Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
- can pre-compute the list U_i = h^{u_i} → single table lookup
- BUT if the user comes again, the verifier can link; ALSO the verifier could decide not to change h at all, or use the same h as other verifiers
- one way out: h = H(verifier, date), so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
… better implementation of the proof (Revocable Credentials: Second Solution)
- Issuer signs the intervals between the revoked values: for the revocation list {1, 4, 5} (with N as the upper bound) it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
- Alice's credential contains u (e.g. 3); she proves that she knows i, j and Sig(i,j) with i < u < j
- Verifier does not learn i, j
- Sig(i,j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators (figure: accumulator containing the serial numbers 1, 2, 3, 4, 5, 6)
- Credentials contain a random serial number
- Issuer accumulates all good serial numbers
- Alice's credential contains a serial number (e.g. 2) and she proves that it is included in the accumulator; the proof requires a witness
- To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
- values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x and e s.t. z = x^e mod n for an e that is not contained in the accumulator
- for a fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets a witness x with the certificate. But we still need:
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- commit to x: choose random s and g, compute U1 = x h^s and U2 = g^s, and reveal U1, U2, g
- run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
- No information about x and e is revealed: (U1, U2) is a secure commitment to x, and the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ μ} = (U1 h^{-δ})^μ (mod n)
  c) d = c^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
- recall z = v^{Π e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
- now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- witness: use extended Euclid to compute a and b s.t. a e_own + b e_rev = 1
- now x' = x^b z'^a mod n
- why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
  = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
  = z^{1/e_rev} mod n = z' :-)
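The accumulator setup, membership check and the two dynamic updates (join, revocation) of the preceding slides, as an added Python example; it is not Identity Mixer code, and all parameters (the factors 1009 and 1013, the seed v = 4, the serial-number primes) are constructed toy values.

```python
# Toy RSA accumulator illustrating the third revocation solution above.
# Not Identity Mixer code; all parameters are constructed. A real issuer uses
# a 2048-bit modulus, keeps (p, q) secret and publishes only n, v and z.
P, Q = 1009, 1013            # issuer's secret RSA factors (toy size)
N = P * Q                    # public modulus n
PHI = (P - 1) * (Q - 1)      # known to the issuer only
V = 4                        # public seed v (a square, 2^2, so v is in QR_n)


def accumulate(primes, n=N, v=V):
    """Accumulator value z = v^(prod e_i) mod n over the good serial numbers."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z


def witness(primes, e_j, n=N, v=V):
    """Witness x for e_j: x = v^(product of all e_i except e_j), so x^e_j = z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, n)
    return x


def verify(z, x, e, n=N):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, n) == z


def join(z, x_own, e_new, n=N):
    """A new member with prime e_new joins: z' = z^e_new, and every existing
    holder updates the witness x' = x^e_new (basic variant of the slides)."""
    return pow(z, e_new, n), pow(x_own, e_new, n)


def issuer_revoke(z, e_rev, n=N, phi=PHI):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n. The e_rev-th root needs
    the secret factorisation: 1/e_rev is the inverse of e_rev modulo phi(n)."""
    d = pow(e_rev, -1, phi)          # Python >= 3.8 for negative exponents
    return pow(z, d, n)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def holder_update_after_revocation(z_new, x_own, e_own, e_rev, n=N):
    """Holder of e_own (!= e_rev) refreshes the witness without knowing the
    factorisation: find a, b with a*e_own + b*e_rev = 1 and set
    x' = x^b * z'^a mod n. Then x'^e_own = z'^(b*e_rev + a*e_own) = z'."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    # pow() with a negative exponent and a modulus uses the modular inverse
    return (pow(x_own, b, n) * pow(z_new, a, n)) % n


def demo():
    """Walk through join and revocation; returns the four membership checks."""
    members = [101, 103, 107]                 # constructed serial-number primes
    z = accumulate(members)
    x_101 = witness(members, 101)
    ok_before = verify(z, x_101, 101)

    # 109 joins: issuer publishes z', the holder of 101 updates its witness
    z, x_101 = join(z, x_101, 109)
    members.append(109)
    x_107 = witness(members, 107)
    ok_after_join = verify(z, x_101, 101) and verify(z, x_107, 107)

    # 107 is revoked: issuer publishes z'', the holder of 101 updates again,
    # while the stale witness of 107 no longer verifies
    z_new = issuer_revoke(z, 107)
    x_101 = holder_update_after_revocation(z_new, x_101, 101, 107)
    return ok_before, ok_after_join, verify(z_new, x_101, 101), verify(z_new, x_107, 107)
```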
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only

Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- user sends U = a1^{m1} a2^{m2} b^{s'}
- issuer chooses e, s'' and computes c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n
- issuer returns (c, e, s'')

Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i:
- choose e_i, s_i''
- c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
- explain possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code
- github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255-276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131-140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185-215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology - CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
What is an identity & identity management?
(word cloud: name, salary, credit card number, hobbies, phone number, address, language skills, leisure, shopping, work, public authority, nick name, blood group, health care, marital status, birth date, health status, insurance)
ID: a set of attributes shared with someone
- attributes are not static: user & party can add
ID Management: two things to make an ID useful
- authentication means
- means to transport attributes between parties
Let's see a scenario

Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need - a subscription - to be older than 12"

Watching the movie with the traditional solution
Alice → Movie Streaming Service: "ok, here's - my eID - my subscription"
Movie Streaming Service: "Aha, you are - Alice Doe - born on Dec 12, 1975 - 7 Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018; Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13, 2016"
This is a privacy and security problem: - identity theft - profiling - discrimination

Watching the movie with OpenID and similar solutions, e.g. log-in with Facebook
Identity provider: "Aha, Alice is watching a 12+ movie"
Movie Streaming Service: "Aha, you are - Alice@facebook.com - born on Dec 12, 1975 - Alice's friends are … - Alice's public profile is …; Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13, 2016"

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more
Like PKI but better
Privacy-protecting authentication with IBM Identity Mixer
- one secret identity (secret key)
- many public pseudonyms (public keys)

Like PKI but better
Issuing a credential: Name = Alice Doe, Birth date = April 3, 1997

Privacy-protecting authentication with IBM Identity Mixer
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need - a subscription - to be older than 12"
Like PKI, but the credential is not sent, only a minimal disclosure: Alice proves - valid subscription - eID with age ≥ 12
Movie Streaming Service (using the public verification key of the issuer): "Aha, you are - older than 12 - have a subscription"
Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)

Further Concepts
Concept – Inspection
(figure: TTP with inspector parameters and inspection grounds)
- If the car is damaged, the ID needs to be retrieved (by the insurance or the government)
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust

Concept – Revocation
(figure: revocation authority parameters (public key), revocation info)
- If Alice was speeding, the license needs to be revoked
- There are many different use cases and many solutions
- Variants of CRLs work (using crypto to maintain anonymity)
- Accumulators
- Signing entries & proof
- Limited validity: certs need to be updated
- For proving age, a revoked driver's license still works

Concept – Usage Limitation
The degree of anonymity can be limited
- If Alice and Eve are on-line at the same time, they are caught
- Use limitation: anonymous until Alice used certs > 100 times in total, or > 10,000 times with Bob
Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases

Age verification
- movie streaming services
- gaming industry
- online gambling platforms
- dating websites
- social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation

Healthcare
- anonymous access to patients' records: accessing medical test results
- anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- eligibility for the premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- patent databases
- DNA databases
- news/journals/magazines
- transportation tickets, toll roads
- loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
- online polls: applying different restrictions on the poll participants (location, citizenship)
- rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
Application layer: resource request; AC & app logic
Policy layer: presentation policy / presentation token
- user side (Wallet): policy credential matcher, credential manager, store, evidence generation orchestration
- verifier side: policy token matcher, token manager, store, evidence verification orchestration
Crypto layer (both sides): Sig, Enc, Com, ZKP, store
Privacy-protecting authentication with Privacy ABCs
(figure: issuer parameters and credential specification define the credential; the verifier parameter is the presentation policy, answered by a presentation token over a pseudonym, e.g. proving 12 < age)

The Policy Layer – An Example Presentation Policy
Verifier → User: presentation policy; User → Verifier: presentation token

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently

Zero-knowledge proofs

Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response)
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>
Prover wants to convince verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g

Prover (knows x, y = g^x)              Verifier
random r, t = g^r        --- t --->
                         <--- c ---    random c
s = r - cx               --- s --->    check t = g^s y^c

Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rerun the prover from the same t with two different challenges c, c', obtaining (t, c, s) and (t, c', s'):
t = g^s y^c = g^{s'} y^{c'} → y^{c - c'} = g^{s' - s}
→ y = g^{(s' - s)/(c - c')}
→ x = (s' - s)/(c - c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
- choose random c', s' and compute t = g^{s'} y^{c'}; send t
- if the verifier's challenge is c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge

Prover (knows x, y = g^x)                  Verifier
                          <--- h ---       random c, v; h = H(c, v)
random r, t = g^r         --- t --->
                          <--- c, v ---
check h = H(c, v),
s = r - cx                --- s --->       check t = g^s y^c

Notation: PK{(α): y = g^α}

Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c: simulation
- receive h; choose random c', s', compute t = g^{s'} y^{c'} and send t; receive c, v
- after having received c, "reboot" the verifier (it is bound to the same h): choose random s', compute t = g^{s'} y^c and send t; receive c, v again; send s = s'
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q and
- compute c = H(g^r || m) = H(t || m), s = r - cx mod q
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
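The interactive PK{(α): y = g^α}, the rewinding extractor of the soundness slide, and the Fiat-Shamir signature SPK{(α): y = g^α}(m) of this slide, as one added Python example (not from the slides or the Identity Mixer code). The group p = 2039, q = 1019, g = 4 is a constructed toy group; a real deployment uses a 256-bit q, which is what makes a forged (c, s) pair infeasible.

```python
import hashlib
import secrets

# Constructed toy group, for illustration only: p = 2q + 1 with q prime, and
# g = 4 (a square mod p) generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4


def keygen():
    """Prover's secret x in Z_q and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Interactive Schnorr protocol PK{(alpha): y = g^alpha} -----------------

def prover_commit():
    """Move 1: prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_interactive(x, y):
    """One honest run: move 2 is the verifier's random challenge c."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- Soundness: knowledge extractor from two accepting transcripts ---------

def extract(c1, s1, c2, s2):
    """Two accepting transcripts with the same t and c1 != c2 give
    x = (s2 - s1) / (c1 - c2) mod q (the rewinding argument)."""
    assert c1 != c2
    return ((s2 - s1) * pow((c1 - c2) % Q, -1, Q)) % Q


def extraction_works(x, y):
    """Rewind the black-box prover to the same t and ask two challenges."""
    r, t = prover_commit()
    c1, c2 = 17, 900
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    assert verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)
    return extract(c1, s1, c2, s2) == x


# --- Fiat-Shamir: SPK{(alpha): y = g^alpha}(m) as a signature -------------

def _hash_challenge(t, m):
    """c = H(t || m) reduced into Z_q; H is modelled as a random oracle."""
    data = t.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def spk_sign(x, m):
    """The verifier's challenge is replaced by H(g^r || m); output (c, s)."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = _hash_challenge(t, m)
    return c, (r - c * x) % Q


def spk_verify(y, m, sig):
    """Recompute t = g^s * y^c and check that c == H(t || m)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == _hash_challenge(t, m)
```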
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
- PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
- PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- SPK{(α): y = g^α}(m)
Many exponents:
- PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
- PK{(α): y = g^α ∧ α ∈ [A, B]}
- PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = g^α1 g^α2 h^β3 = g^{α1 + α2} h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, …, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^{5 α2} h^β3 = g^{α1 + 5 α2} h^β3
→ α3 = α1 + 5 α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = C2^α1 h^β3 = (g^α2 h^β2)^α1 h^β3 = g^{α2·α1} h^{β3 + β2·α1}
  C3 = g^{α2·α1} h^{β3 + β2·α1} = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, …, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2} mean?
→ Prover knows values α1, β1, β2 such that
  C1 = g^α1 h^β1
  g = (C2/C1)^α1 h^β2 = (C2 g^{-α1} h^{-β1})^α1 h^β2
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β2/α1}
  C2 = g^α1 h^β1 h^{-β2/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β2/α1}
  C2 = g^α2 h^β2
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Signature schemes
Signature Scheme Functionality
- Key generation: a secret signing key and a public verification key
- Signing: σ = sig((m1, …, mk), secret key)
- Verification: ver(σ, (m1, …, mk), public key) = true

Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures (m1, σ1), …, (ml, σl) on messages of its choice and wins if it outputs σ and m ≠ mi s.t. ver(σ, m, public key) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*:
- d = 1/e mod (p-1)(q-1)
- s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
- s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)

RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ:
- choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute
  c = (d / (a1^m1 ··· ak^mk b^s))^{1/e} mod n
- signature is (c, e, s)

CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, …, mk:
- m1, …, mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption

Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe: let c' = c b^t mod n with randomly chosen t
Then d = c'^e a1^m1 a2^m2 b^{s - et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m1 and m2
To prove knowledge of a signature (c', e, s') on m2 and some m1: provide c' and
  PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
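CL signing, verification and the randomisation c' = c b^t, s' = s - et of the preceding slides, as an added Python example; it is not the Identity Mixer implementation, the parameters (n = 1009·1013, ℓ = 4, the bases a_i, b, d) are constructed toy values, and the zero-knowledge proof over the randomised signature is not implemented here.

```python
import secrets

# Toy CL-signature parameters, constructed for illustration. A real signer
# uses a 2048-bit n, ell around 256 and bases chosen as random squares.
P_, Q_ = 1009, 1013           # signer's secret primes (toy size)
N = P_ * Q_                   # public RSA modulus
PHI = (P_ - 1) * (Q_ - 1)     # signer only: needed for e-th roots
ELL = 4                       # messages are ell-bit values m_i in {0,1}^ell
A = [pow(3, 2, N), pow(5, 2, N)]   # public bases a_1, a_2 in QR_n
B = pow(7, 2, N)                   # public base b in QR_n
D = pow(11, 2, N)                  # public value d in QR_n
# primes e with 2^(ell+1) < e < 2^(ell+2), i.e. 32 < e < 64
PRIMES_IN_RANGE = [37, 41, 43, 47, 53, 59, 61]


def cl_sign(msgs, n=N, phi=PHI):
    """Signer: c = (d / (prod a_i^m_i * b^s))^(1/e) mod n; output (c, e, s).
    The e-th root is taken with 1/e computed modulo phi(n) (Python >= 3.8
    evaluates pow(x, -k, n) through the modular inverse)."""
    assert len(msgs) == len(A) and all(0 <= m < 2 ** ELL for m in msgs)
    e = secrets.choice(PRIMES_IN_RANGE)
    s = secrets.randbelow(n)                      # integer s of about n's size
    base = D
    for a_i, m_i in zip(A, msgs):
        base = base * pow(a_i, -m_i, n) % n       # divide by a_i^m_i
    base = base * pow(B, -s, n) % n               # divide by b^s
    c = pow(base, pow(e, -1, phi), n)
    return c, e, s


def cl_verify(msgs, sig, n=N):
    """Verifier: check the range of e and d == c^e * prod a_i^m_i * b^s mod n."""
    c, e, s = sig
    if not (2 ** (ELL + 1) < e < 2 ** (ELL + 2)):
        return False
    acc = pow(c, e, n) * pow(B, s, n) % n
    for a_i, m_i in zip(A, msgs):
        acc = acc * pow(a_i, m_i, n) % n
    return acc == D


def randomize(sig, n=N):
    """Holder: c' = c * b^t, s' = s - e*t for random t. (c', e, s') verifies
    on the same messages, so c' can be revealed to a verifier without
    linking it to the issued c (the proof then hides e and s' as well)."""
    c, e, s = sig
    t = secrets.randbelow(n)
    return c * pow(B, t, n) % n, e, s - e * t


def demo():
    """Issue, randomise, and check that a wrong attribute does not verify."""
    msgs = [5, 9]                       # e.g. a secret key and an attribute
    sig = cl_sign(msgs)
    sig2 = randomize(sig)
    return cl_verify(msgs, sig), cl_verify(msgs, sig2), cl_verify([5, 10], sig2)
```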
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Commitment scheme
Commitment Scheme Functionality
(figure: commit to a message m, later open the commitment to reveal m)

Commitment Scheme Security
Binding: a commitment cannot be opened to two different messages m ≠ m'
Hiding: for all messages m, m', the commitments to m and to m' are indistinguishable
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
- reveal x and r to the verifier
- verifier checks if c = g^x h^r

Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
- let c be a commitment and u = log_g h
- thus c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'} for any r'
- i.e. given c and any x' there exists an r' such that c = g^{x'} h^{r'}
Computationally binding:
- let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
- then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q
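Pedersen commitments in a constructed toy group, as an added Python example (not from the slides): commit and open, what the trapdoor u = log_g h allows (the perfect-hiding argument above, seen from the side that knows u), and how two openings of one commitment leak u (the binding argument). The group p = 2039, q = 1019, g = 4 and the trapdoor value 777 are assumptions made for the example.

```python
import secrets

# Constructed toy group: p = 2q + 1, g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4
# In a real setup h is derived so that nobody knows log_g h. Here the
# "setup" keeps u to show what that knowledge would permit.
U_TRAPDOOR = 777
H = pow(G, U_TRAPDOOR, P)


def commit(x):
    """c = g^x h^r with a fresh random r; return (c, r)."""
    r = secrets.randbelow(Q)
    return (pow(G, x, P) * pow(H, r, P)) % P, r


def open_check(c, x, r):
    """Verifier recomputes g^x h^r and compares it with c."""
    return c == (pow(G, x, P) * pow(H, r, P)) % P


def equivocate(x, r, x_new, u=U_TRAPDOOR):
    """Perfect hiding: c = g^(x + u r), so with u known the same c opens to
    any x' by choosing r' = r + (x - x')/u mod q."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def dlog_from_double_opening(x1, r1, x2, r2):
    """Binding: two openings (x1, r1) != (x2, r2) of the same c satisfy
    g^(x1 - x2) = h^(r2 - r1), hence u = log_g h = (x1 - x2)/(r2 - r1) mod q."""
    assert r1 != r2
    return ((x1 - x2) * pow((r2 - r1) % Q, -1, Q)) % Q


def demo():
    """Honest opening, trapdoor equivocation, and recovery of u from it."""
    x = 42                                  # committed attribute (toy value)
    c, r = commit(x)
    honest = open_check(c, x, r)
    x_fake = 17
    r_fake = equivocate(x, r, x_fake)       # only possible with the trapdoor
    faked = open_check(c, x_fake, r_fake)
    recovered = dlog_from_double_opening(x, r, x_fake, r_fake)
    return honest, faked, recovered == U_TRAPDOOR
```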
Commitment Scheme Extended Features
- Proof of knowledge of contents: prove knowledge of the m inside a commitment → true
- Proof of relations among contents: prove m' = 2·m for committed m, m' → true
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}, then
- PK{(α, β): C1 = g^β h^α}
- PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^sk h^r

Like PKI but better
Concept: credentials
Issuing a credential: Name = Alice Doe, Birth date = April 3, 1997

Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk:
- m1, …, mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
- the user commits to m1, …, mj and sends the commitments together with the clear messages (m_{j+1}, …, mk)
- the signer outputs σ = sig((commitments to m1, …, mj, m_{j+1}, …, mk), secret key)
- verification remains unchanged: ver(σ, (m1, …, mk), public key) = true
Security requirements are basically the same as for signatures, but:
- the signer should not learn any information about m1, …, mj
- forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
- User computes C = a1^sk b^{s'} and sends C and her name together with the proof PK{(μ1, σ'): C = a1^μ1 b^σ'}
- Issuer chooses e, s'' and computes c = (d / (C a2^name b^{s''}))^{1/e} mod n, and returns (c, e, s'')
- The resulting credential satisfies d = c^e a1^sk a2^name b^{s'' + s'} (mod n)

Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^sk h^r
- User computes Nym = g^sk h^r and C = a1^sk a2^r b^{s'}, and sends C, Nym and her name together with the proof PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ'}
- Issuer stores Nym and name, chooses e, s'' and computes c = (d / (C a3^name b^{s''}))^{1/e} mod n, and returns (c, e, s'')
- The resulting credential satisfies d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n)
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous; a user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer key $(n, a_1, a_2, a_3, b, d)$
– The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and computes
   $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma) : P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
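The domain-pseudonym part of the polling solution, as an added example that is not the slides' or Identity Mixer's code: the toy group (P = 2039, Q = 1019, G = 4), the hash-to-group construction (squaring a hash value so that nobody learns $\log_g H(pollID)$) and the sample keys are all constructed for this illustration. The pollster detects a second submission under the same domain pseudonym; pseudonyms of one user for different polls differ. The $SPK$ that links $P$ to the credential is omitted here.

```python
# Added example (not from the slides): domain pseudonyms P = H(pollID)^sk
# in a constructed toy Schnorr group, and the pollster's double-vote check.
import hashlib

P = 2039   # constructed toy safe prime, P = 2*Q + 1 (real groups are ~2048-bit)
Q = 1019   # prime order of the subgroup of quadratic residues mod P
G = 4      # generator of that order-Q subgroup


def hash_to_group(domain: str) -> int:
    """Map a domain string to an element of <G> whose discrete log is unknown.
    Squaring a hash value mod P lands in the order-Q subgroup; if the pollster
    knew log_G H(pollID), pseudonyms across polls would become linkable."""
    counter = 0
    while True:
        data = f"{domain}|{counter}".encode()
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
        elem = pow(h, 2, P)
        if elem not in (0, 1):
            return elem
        counter += 1


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = H(pollID)^sk: deterministic per (user, poll), so a second
    submission to the same poll yields the same value."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Stores one opinion per domain pseudonym for a given poll."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym: int, opinion: str) -> bool:
        """Return False (and drop the opinion) if this pseudonym already voted."""
        if pseudonym in self.opinions:
            return False
        self.opinions[pseudonym] = opinion
        return True


def demo():
    """Constructed keys: Alice has sk = 123, Bob has sk = 456."""
    sk_alice, sk_bob = 123, 456
    poll = Pollster("course-eval-2015")
    p_alice = domain_pseudonym(sk_alice, poll.poll_id)
    first = poll.submit(p_alice, "great course")
    second = poll.submit(domain_pseudonym(sk_alice, poll.poll_id), "great course again")
    bob = poll.submit(domain_pseudonym(sk_bob, poll.poll_id), "so-so")
    # the same user in a different poll gets an unrelated pseudonym
    p_other = domain_pseudonym(sk_alice, "course-eval-2016")
    return first, second, bob, p_other != p_alice
```

Run `demo()` to see the second submission rejected and the other-poll pseudonym differ; the unlinkability of `p_alice` and `p_other` rests on DDH in the subgroup, exactly as the slide states.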
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP) with inspector parameters; inspection grounds]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption, decryption]
Security – like envelopes: the ciphertext gives no information about the message (not even which of two candidate messages was encrypted).
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label yields a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^x$
To encrypt message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– thus set $m = c_1 \cdot c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
User holds $Nym = g^{sk} h^{r}$ and credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho) : d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
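ElGamal encryption of a pseudonym for the inspector, covering both the ElGamal slide and the inspection slide above, as an added example that is not the slides' or Identity Mixer's code. The toy group (P = 2039, Q = 1019, G = 4), the second generator H and all keys are constructed; the function `inspection_relation` checks in the clear the statement about $(e_1, e_2)$ that the real presentation token proves in zero knowledge.

```python
# Added example (not from the slides): ElGamal in a constructed toy subgroup,
# used to encrypt Nym = g^sk h^r under the inspector's key y = g^x.
import random

P, Q, G = 2039, 1019, 4      # constructed toy safe-prime group, order-Q generator G
H = pow(G, 7, P)             # constructed second generator (log_G H must be unknown in practice)


def elgamal_keygen(x=None, rng=random):
    """Inspector: secret x in [1, Q), public y = g^x."""
    x = x if x is not None else rng.randrange(1, Q)
    return x, pow(G, x, P)


def elgamal_encrypt(y, m, u=None, rng=random):
    """(e1, e2) = (y^u * m, g^u). Fresh u each time, so two encryptions of the
    same m differ: this is the 'envelope' / semantic-security property."""
    u = u if u is not None else rng.randrange(1, Q)
    return pow(y, u, P) * m % P, pow(G, u, P)


def elgamal_decrypt(x, ct):
    """m = e1 * e2^(-x) = y^u m g^(-ux)."""
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P


def pseudonym(sk, r):
    """Nym = g^sk h^r, an element of <G>, hence a valid ElGamal plaintext."""
    return pow(G, sk, P) * pow(H, r, P) % P


def inspection_relation(y, ct, sk, r, u):
    """The relation the inspection proof attests: e1 = y^u g^sk h^r and e2 = g^u.
    Here the witnesses (sk, r, u) are checked directly; the token proves this
    without revealing them."""
    e1, e2 = ct
    return (e1 == pow(y, u, P) * pow(G, sk, P) * pow(H, r, P) % P
            and e2 == pow(G, u, P))


def demo(sk=321, r=77, x=55):
    """Constructed values: user (sk, r), inspector key x, randomness u."""
    nym = pseudonym(sk, r)
    x, y = elgamal_keygen(x)
    ct1 = elgamal_encrypt(y, nym, u=11)
    ct2 = elgamal_encrypt(y, nym, u=12)
    return (elgamal_decrypt(x, ct1) == nym,
            elgamal_decrypt(x, ct2) == nym,
            ct1 != ct2,
            inspection_relation(y, ct1, sk, r, 11))
```

The inspector recovers exactly $Nym$ (and can then look up the name stored at issuance); the verifier, who lacks $x$, sees only a ciphertext plus the proof that it encrypts the pseudonym inside the credential.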
Revocation of Credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
There are various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user, ...
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma) : (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public?
If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
– can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
– one way out: $h = H(verifier, date)$, so the user can check correctness
– the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – better implementation of the proof
[Figure: revocation list {1, 4, 5} on a number line; the issuer signs the intervals between revoked values: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)]
The user whose credential contains the value 3 proves that she holds some Sig(i, j) with $i < 3 < j$.
The verifier does not learn $i$, $j$.
Sig(i, j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: credentials contain a random serial number (1, 2, 3, 4, 5, 6, ...); the issuer accumulates all good serial numbers; a credential containing serial number 2 proves that 2 is included in the accumulator; the proof requires a witness]
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show $x$ and $e$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
– for fixed $e$: equivalent to the RSA assumption
– for any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x\, h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta\mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta\mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
– now $z' = v^{\prod_{i \ne rev} e_i} = z^{1/e_{rev}} \bmod n$
– witness:
  • use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  • now $x' = x^{b} z'^{a} \bmod n$
  • why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– thus $z$ need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
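The dynamic RSA accumulator of the three preceding slides, as an added example that is not the slides' or Identity Mixer's code: the toy modulus (p = 1019, q = 1031, seed 9) and the accumulated primes 7, 11, 13, 17 are constructed, and real parameters are ~2048-bit moduli with large prime $e_i$ coprime to $\varphi(n)$. The block shows the improved join (the issuer takes a root and $z$ stays fixed), the naive join (every witness is raised to $e_{new}$), and the revocation update via extended Euclid; the revoked holder cannot run the update because $\gcd(e_{own}, e_{rev}) \ne 1$ and it has no roots.

```python
# Added example (not from the slides): RSA accumulator with witnesses and
# the dynamic updates (join, naive join, revoke). Needs Python 3.8+ for
# pow(base, -1, mod) and negative exponents in pow().
TOY_P, TOY_Q, SEED = 1019, 1031, 9   # constructed toy parameters


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


class Accumulator:
    """Issuer side: knows phi(n), so it can take e-th roots. Holders and
    verifiers only ever see (n, z) and their own witness."""

    def __init__(self, p, q, seed):
        self.n = p * q
        self.phi = (p - 1) * (q - 1)
        self.z = seed % self.n        # improved variant: z is never changed on join
        self.members = []

    def _root(self, val, e):
        return pow(val, pow(e, -1, self.phi), self.n)

    def join(self, e_new):
        """Improved join: newcomer's witness is z^(1/e_new); z is unchanged,
        so all existing witnesses remain valid."""
        self.members.append(e_new)
        return self._root(self.z, e_new)

    def naive_join(self, e_new):
        """Naive join: z' = z^e_new. The old z is the newcomer's witness and
        every other holder must update x' = x^e_new."""
        self.members.append(e_new)
        old_z, self.z = self.z, pow(self.z, e_new, self.n)
        return old_z

    def revoke(self, e_rev):
        """z' = z^(1/e_rev); publish z' so remaining holders can update."""
        self.members.remove(e_rev)
        self.z = self._root(self.z, e_rev)
        return self.z


def verify_membership(n, z, e, x):
    """Public check: z == x^e mod n."""
    return pow(x, e, n) == z


def update_after_naive_join(n, x, e_new):
    return pow(x, e_new, n)


def update_after_revocation(n, x, e_own, e_rev, z_new):
    """Holder-side update: a*e_own + b*e_rev = 1 and x' = x^b * z'^a, since
    x'^e_own = z^b * z'^(a e_own) = z'^(b e_rev + a e_own) = z'."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x, b, n) * pow(z_new, a, n) % n


def demo():
    acc = Accumulator(TOY_P, TOY_Q, SEED)
    n = acc.n
    wit = {e: acc.join(e) for e in (7, 11, 13)}
    joined_ok = all(verify_membership(n, acc.z, e, x) for e, x in wit.items())

    # naive join of 17: z changes, so the old witnesses stop verifying until updated
    wit[17] = acc.naive_join(17)
    old_w7 = wit[7]
    for e in (7, 11, 13):
        wit[e] = update_after_naive_join(n, wit[e], 17)
    naive_ok = (not verify_membership(n, acc.z, 7, old_w7)
                and all(verify_membership(n, acc.z, e, x) for e, x in wit.items()))

    # revoke 11: holders of 7 and 13 update; 11's witness is dead
    z_new = acc.revoke(11)
    stale = verify_membership(n, z_new, 7, wit[7])
    w7 = update_after_revocation(n, wit[7], 7, 11, z_new)
    w13 = update_after_revocation(n, wit[13], 13, 11, z_new)
    revoked_ok = verify_membership(n, z_new, 11, wit[11])
    return (joined_ok, naive_ok, stale,
            verify_membership(n, z_new, 7, w7),
            verify_membership(n, z_new, 13, w13), revoked_ok)
```

`demo()` returns `(True, True, False, True, True, False)`: the improved join costs nobody anything, the naive join and every revocation force a witness update, and only holders of unrevoked $e$ can perform it.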
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$ and computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$, returning $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$: choose $e_i, s_i''$ and compute $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Let's see a scenario
Alice wants to watch a movie at Mplex
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12"
Watching the movie with the traditional solution
Alice → Movie Streaming Service: "OK, here's my eID and my subscription"
Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married; eID expires Aug 4, 2018. Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
This is a privacy and security problem:
• identity theft
• profiling
• discrimination
Watching the movie with the traditional solution
With OpenID and similar solutions, e.g. log-in with Facebook:
Identity provider: "Aha, Alice is watching a 12+ movie"
Movie Streaming Service: "Aha, you are Alice@facebook.com, born on Dec 12, 1975; Alice's friends are ...; Alice's public profile is ...; Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better:
– One secret identity (secret key), many public pseudonyms (public keys)
– Issuing a credential: the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997
[Figure: Alice asks the Movie Streaming Service "I wish to see Alice in Wonderland"; the service answers "You need: a subscription, and to be older than 12"]
– Like PKI, but Alice does not send the credential, only a minimal disclosure: a valid subscription and an eID with age ≥ 12, checked against the public verification key of the issuer
– The service learns only: "Aha, you are older than 12 and have a subscription"
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP)]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Concept – Revocation
[Figure: revocation authority parameters (public key); revocation info]
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions:
  • variants of CRLs work (using crypto to maintain anonymity)
  • accumulators
  • signing entries & proof
  • limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
The degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation – anonymous until Alice used her certs > 100 times in total, or > 10,000 times with Bob
– Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
– Anonymous access to patients' records (e.g. accessing medical test results)
– Anonymous consultations with specialists (online chat with a psychologist, online consultation with IBM Watson)
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News, journals, magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on both the user (wallet) side and the verifier side]
– application layer: resource request; presentation policy and presentation token are exchanged; AC & app logic on the verifier side
– policy layer: policy/credential matcher, credential manager and store, evidence generation orchestration (user); policy/token matcher, token manager and store, evidence verification orchestration (verifier)
– crypto layer: Sig, Enc, Com, ZKP on both sides, each with a store
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer (issuer parameter, credential specification) issues a credential to the user; the verifier (verifier parameter) sends a presentation policy, e.g. 12 < age; the user answers with a presentation token under a pseudonym]
The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-Knowledge Proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
[Figure: three moves – commitment, challenge, response]
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group $\langle g \rangle$ and element $y \in \langle g \rangle$
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^{x}$, such that the verifier only learns $y$ and $g$
Prover: choose random $r$, compute $t = g^{r}$, send $t$
Verifier: choose random $c$, send $c$
Prover: compute $s = r - cx$, send $s$
Verifier: check $t = g^{s} y^{c}$
Notation: $PK\{(\alpha) : y = g^{\alpha}\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same $t$ with challenges $c \ne c'$, obtaining responses $s$ and $s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$)
Idea: one can simulate whatever Bob "sees"
– choose random $c'$, $s'$; compute $t = g^{s'} y^{c'}$ and send $t$
– on receiving the challenge $c$: if $c = c'$ send $s = s'$, otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small
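The Schnorr proof $PK\{(\alpha) : y = g^{\alpha}\}$ together with the two thought experiments of the preceding slides (the extractor that rewinds the prover, and the simulator that produces accepting transcripts without $x$), as an added example that is not the slides' or Identity Mixer's code. The toy group (P = 2039, Q = 1019, G = 4) and the secret $x = 123$ are constructed.

```python
# Added example (not from the slides): three-move Schnorr proof of knowledge
# of a discrete logarithm in a constructed toy group, plus extractor and simulator.
import random

P, Q, G = 2039, 1019, 4   # constructed toy safe prime P = 2Q+1; G generates the order-Q subgroup


def prover_commit(rng=random):
    """Move 1: pick r, send t = g^r (keep r for move 3)."""
    r = rng.randrange(1, Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff t == g^s * y^c."""
    return pow(G, s, P) * pow(y, c, P) % P == t


def run_protocol(x, y, rng=random):
    """Honest execution; returns the transcript (t, c, s) and the verdict."""
    r, t = prover_commit(rng)
    c = rng.randrange(1, Q)            # verifier's random challenge
    s = prover_respond(x, r, c)
    return (t, c, s), verifier_check(y, t, c, s)


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 satisfy s1 - s2 = (c2 - c1) x, so x = (s1 - s2)/(c2 - c1) mod q."""
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q


def simulate(y, rng=random):
    """Simulator: choose c and s first, then t = g^s y^c. The transcript
    verifies although no x was used, so transcripts leak nothing about x."""
    c = rng.randrange(1, Q)
    s = rng.randrange(0, Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def demo(x=123):
    y = pow(G, x, P)
    _, honest_ok = run_protocol(x, y)
    # rewinding: reuse the same r (hence the same t) with two challenges
    r, t = prover_commit()
    c_a, c_b = 11, 500
    recovered = extract(t, c_a, prover_respond(x, r, c_a), c_b, prover_respond(x, r, c_b))
    st, sc, ss = simulate(y)
    return honest_ok, recovered == x, verifier_check(y, st, sc, ss)
```

`demo()` returns `(True, True, True)`: honest runs verify, rewinding with two challenges recovers $x$ (soundness), and a simulated transcript is indistinguishable from a real one to the verifier (zero-knowledge).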
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
Verifier: choose random $c$, $v$; compute $h = H(c, v)$; send $h$
Prover: choose random $r$, compute $t = g^{r}$, send $t$
Verifier: send $c$, $v$
Prover: check $h = H(c, v)$; compute $s = r - cx$; send $s$
Verifier: check $t = g^{s} y^{c}$
Notation: $PK\{(\alpha) : y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$ – simulation:
– receive $h$; choose random $c'$, $s'$; compute $t = g^{s'} y^{c'}$; send $t$
– after having received $c$, $v$: "reboot" the verifier (it sends the same $h$ again); now choose random $s$, compute $t = g^{s} y^{c}$ and send $t$
– the verifier again sends $c$, $v$; send $s$
From Protocols to Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H(\cdot)$ behaves as a "random oracle"
Signature: $SPK\{(\alpha) : y = g^{\alpha}\}(m)$
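The Fiat-Shamir transform of the Schnorr protocol, $SPK\{(\alpha) : y = g^{\alpha}\}(m)$, as an added example that is not the slides' or Identity Mixer's code. The toy group (P = 2039, Q = 1019, G = 4), the key $x = 123$ and the use of SHA-256 reduced mod Q as the "random oracle" are constructed for this illustration; with such a small Q a forged pair passes with probability about $1/Q$, which is why real deployments use 256-bit challenges.

```python
# Added example (not from the slides): Schnorr signature = Fiat-Shamir on the
# PK{(alpha): y = g^alpha} protocol, in a constructed toy group.
import hashlib
import random

P, Q, G = 2039, 1019, 4   # constructed toy safe-prime group, G of order Q


def challenge(t: int, msg: bytes) -> int:
    """c = H(t || m) reduced into Z_q; the hash plays the verifier's role."""
    digest = hashlib.sha256(t.to_bytes(4, "big") + b"|" + msg).digest()
    return int.from_bytes(digest, "big") % Q


def keygen(x=None, rng=random):
    """Secret x in [1, Q), public y = g^x."""
    x = x if x is not None else rng.randrange(1, Q)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, rng=random):
    """(c, s) with t = g^r, c = H(t || m), s = r - c x mod q."""
    r = rng.randrange(1, Q)
    t = pow(G, r, P)
    c = challenge(t, msg)
    return c, (r - c * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    """Recompute t = g^s y^c from the signature and check the hash matches c."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return challenge(t, msg) == c


def demo():
    """Constructed key x = 123; sign and verify one message."""
    x, y = keygen(123)
    msg = b"presentation token: has subscription, age >= 12"
    return verify(y, msg, sign(x, msg))
```

Because $t$ is recomputed from $(c, s)$, the signature need not transmit $t$; this is the same trick that makes the $SPK$ presentation tokens later in the deck non-interactive.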
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta) : y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta) : y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha) : y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta) : y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha) : y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha) : y = g^{\alpha} \wedge z = \hat{g}^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\hat{g})\}]\}$ (with $\hat{g}$ in a group of different order)
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Signature Schemes
Signature Scheme: Functionality
– Key generation: the signer generates a secret signing key and a public verification key
– Signing: on messages $(m_1, \ldots, m_k)$ compute $\sigma = \mathrm{sig}((m_1, \ldots, m_k))$ with the secret key
– Verification: check $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$ with the public key
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice and must not be able to output $\sigma$ and $m \ne m_i$ s.t. $\mathrm{ver}(\sigma, m) = \mathrm{true}$
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$
Public key: $n = pq$, prime $e$, and a collision-free hash function $H : \{0,1\}^{*} \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s) : s^{e} = H(m) \pmod n\}$
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$
– compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
– the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-Signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$.
Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma) : d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
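The CL-signature mechanics of the last three slides and of the earlier "Realizing Issuance of Credential" slides (issuing on a hidden secret key sent as the commitment $C = a_1^{sk} b^{s'}$), as an added example that is not the slides' or Identity Mixer's code. The toy modulus (p = 1019, q = 1031), the generators (squares of 2, 3, 5, 7), the message length $\ell = 8$ and the sample values sk = 200, name = 42 are constructed; real parameters use a ~2048-bit modulus and $\ell$ in the hundreds of bits. The block shows issuance on the hidden message, verification, and the randomization $c' = c\, b^{t}$, $s' = s - et$ that keeps the signature valid; the zero-knowledge proof itself is omitted.

```python
# Added example (not from the slides): CL signatures in a constructed toy
# modulus: issue on a commitment to a hidden message, verify, randomize.
# Needs Python 3.8+ for pow(x, -1, m) and negative exponents in pow().
import random


def is_prime(k: int) -> bool:
    if k < 2:
        return False
    i = 2
    while i * i <= k:
        if k % i == 0:
            return False
        i += 1
    return True


class CLIssuer:
    """Signer: public key (n, a_i, b, d) with a_i, b, d in QR_n; secret: phi(n)."""

    def __init__(self, p, q, ell=8, rng=random):
        self.n, self.phi, self.ell, self.rng = p * q, (p - 1) * (q - 1), ell, rng
        self.a = [pow(2, 2, self.n), pow(3, 2, self.n)]   # constructed QR_n generators
        self.b, self.d = pow(5, 2, self.n), pow(7, 2, self.n)

    def public_key(self):
        return self.n, self.a, self.b, self.d, self.ell

    def _fresh_e(self):
        """Random prime with 2^(l+1) < e < 2^(l+2), invertible mod phi(n)."""
        lo, hi = 2 ** (self.ell + 1), 2 ** (self.ell + 2)
        while True:
            e = self.rng.randrange(lo + 1, hi)
            if is_prime(e) and self.phi % e != 0:
                return e

    def sign_on_commitment(self, C, clear_msgs):
        """Issuance on a hidden message: C = a_1^sk b^s' comes from the user,
        clear attributes go into a_2, ...; returns (c, e, s'')."""
        e, s2 = self._fresh_e(), self.rng.randrange(self.n)
        base = C * pow(self.b, s2, self.n) % self.n
        for a_i, m in zip(self.a[1:], clear_msgs):
            base = base * pow(a_i, m, self.n) % self.n
        target = self.d * pow(base, -1, self.n) % self.n       # d / (C a_2^m b^s'')
        return pow(target, pow(e, -1, self.phi), self.n), e, s2  # e-th root via phi(n)


def user_commit(pk, sk, rng=random):
    """User: C = a_1^sk b^s' hides sk from the issuer."""
    n, a, b, _, _ = pk
    s1 = rng.randrange(n)
    return pow(a[0], sk, n) * pow(b, s1, n) % n, s1


def cl_verify(pk, sig, msgs):
    """d == c^e a_1^m1 ... a_k^mk b^s mod n, with e > 2^(l+1) and m_i in {0,1}^l."""
    n, a, b, d, ell = pk
    c, e, s = sig
    if e <= 2 ** (ell + 1) or any(not 0 <= m < 2 ** ell for m in msgs):
        return False
    lhs = pow(c, e, n) * pow(b, s, n) % n
    for a_i, m in zip(a, msgs):
        lhs = lhs * pow(a_i, m, n) % n
    return lhs == d


def randomize(pk, sig, rng=random):
    """c' = c b^t, s' = s - e t: a fresh-looking signature on the same messages."""
    n, _, b, _, _ = pk
    c, e, s = sig
    t = rng.randrange(n)
    return c * pow(b, t, n) % n, e, s - e * t


def demo(sk=200, name=42):
    issuer = CLIssuer(1019, 1031)
    pk = issuer.public_key()
    C, s1 = user_commit(pk, sk)
    c, e, s2 = issuer.sign_on_commitment(C, [name])
    sig = (c, e, s1 + s2)                                   # user combines s' + s''
    fresh = randomize(pk, sig)
    return (cl_verify(pk, sig, [sk, name]),
            cl_verify(pk, fresh, [sk, name]),
            cl_verify(pk, sig, [sk, name + 1]))
```

`demo()` returns `(True, True, False)`: the issuer never saw `sk`, yet the combined $(c, e, s' + s'')$ verifies on $(sk, name)$; the randomized copy verifies too, which is what lets a user present a credential many times unlinkably; a wrong attribute fails.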
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Commitment Scheme
Commitment Scheme: Functionality
[Figure: the committer seals a message m (e.g. the date 2-36-17) in an envelope; later she opens it and the recipient sees m]
Commitment Scheme: Security
– Binding: the committer cannot open the commitment to a different message m' (e.g. 3-21-11 instead of 2-36-17)
– Hiding: for all messages m, m', the commitments are indistinguishable
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen: perfectly hiding, computationally binding; choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal: computationally hiding, perfectly binding; choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
• Let c be a commitment and u = log_g h
• Thus c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'} for any r'
• I.e. given c and any x' there exists r' such that c = g^{x'} h^{r'}
Computationally binding:
• Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
• Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x') / (r' - r) mod q
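The Pedersen scheme above, worked through in Python as an added example (this is not code from the slides or from Identity Mixer). The group parameters p = 1019, q = 509, g = 4 are constructed toy values, far too small to be secure; the trapdoor u = log_g h is kept only to make the hiding and binding arguments concrete, since in a real setup h is derived by hashing into the group so that nobody knows u.

```python
import secrets
from typing import Optional, Tuple

# Constructed toy group (insecure size): p = 2q + 1, G = <g> the order-q
# subgroup of quadratic residues in Z_p^*. Any square other than 1 generates it.
P = 1019
Q = 509
G = 4


def in_group(el: int) -> bool:
    """Membership test for the order-q subgroup; a verifier should run this
    on every received element before exponentiating."""
    return 0 < el < P and pow(el, Q, P) == 1


def setup_h(trapdoor: int) -> int:
    """h = g^u. Only for the demonstration: in practice u must be unknown."""
    return pow(G, trapdoor, P)


def commit(x: int, h: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Pedersen commitment c = g^x h^r mod p with x in Z_q; returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x % Q, P) * pow(h, r, P) % P, r


def open_commitment(c: int, x: int, r: int, h: int) -> bool:
    """Verifier side of opening: accept iff c is a group element and c = g^x h^r."""
    return in_group(c) and c == pow(G, x % Q, P) * pow(h, r, P) % P


def equivocate(x: int, r: int, x_prime: int, trapdoor: int) -> int:
    """Perfect hiding made constructive: with u = log_g h known,
    g^x h^r = g^{x + u r} also opens to x' with r' = r + (x - x')/u mod q.
    Without u this r' still exists but cannot be computed, which is exactly
    why the scheme is hiding yet binding."""
    return (r + (x - x_prime) * pow(trapdoor, -1, Q)) % Q


def dlog_from_collision(x: int, r: int, x_prime: int, r_prime: int) -> int:
    """Binding argument from the slide: two openings (x, r) != (x', r') of the
    same commitment give g^{x - x'} = h^{r' - r}, hence
    log_g h = (x - x') / (r' - r) mod q. A binding break therefore yields
    the discrete logarithm of h."""
    if (r_prime - r) % Q == 0:
        raise ValueError("openings must differ in r")
    return (x - x_prime) * pow((r_prime - r) % Q, -1, Q) % Q


if __name__ == "__main__":
    u = 123                          # trapdoor, known only in this demo
    h = setup_h(u)
    c, r = commit(42, h)
    r2 = equivocate(42, r, 99, u)    # the same c now opens to 99
    print("opens to 42:", open_commitment(c, 42, r, h))
    print("opens to 99:", open_commitment(c, 99, r2, h))
    print("recovered log_g h:", dlog_from_collision(42, r, 99, r2))
```

The `in_group` check in `open_commitment` is the practical caveat: a verifier that exponentiates an element outside the order-q subgroup is no longer working in the group the security argument assumes.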
Commitment Scheme Extended Features
(figure: proof of knowledge of contents, where the prover convinces the verifier that she knows the m inside the box; proof of relations among contents, e.g. that a second box holds m' = 2·m)
Let C_1 = g^m h^r and C_2 = g^{m'} h^{r'}, then
PK{(α, β): C_1 = g^β h^α}
PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ}

Putting things together

Realizing Pseudonyms and Key Binding
Let G = ⟨g⟩ = ⟨h⟩ of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy ABCs
Like PKI, but better: issuing a credential
(figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997; concept: credentials)

Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m_1, ..., m_k:
– m_1, ..., m_k ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: pseudonym not in message space
Solution: sign secret key instead
→ d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
(figure: the signer receives commitments to m_1, ..., m_j together with the clear messages m_{j+1}, ..., m_k and outputs σ = sig((commitments, m_{j+1}, ..., m_k)); the holder later shows σ and ver(σ, (m_1, ..., m_k)) = true)
Verification remains unchanged.
Security requirements basically the same as for signatures, but
• signer should not learn any information about m_1, ..., m_j
• forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
(figure: issuer holds public key (n, a_i, b, d); user sends C and name)
User: C = a_1^{sk} b^{s'} and proves PK{(μ_1, σ'): C = a_1^{μ_1} b^{σ'}}
Issuer: chooses (e, s'') and computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n, returns (c, e, s'')
→ d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n)

Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} h^r
User: Nym = g^{sk} h^r, C = a_1^{sk} a_2^r b^{s'}; sends C, Nym, name and proves
PK{(μ_1, ρ, σ'): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^{σ'}}
Issuer: stores (Nym, name), computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n, returns (c, e, s'')
→ d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
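An added Python example (not the deck's or Identity Mixer's code) covering the CL-signature slides: signing and verifying with the range checks from the verification slide, the re-randomisation c' = c b^t, s' = s - et used when proving knowledge of a signature, and the issuance on a hidden first message from the slides just above, where the user sends C = a_1^{sk} b^{s'} and combines s = s' + s'' afterwards. The modulus n = 23·47 and ℓ = 4 are constructed toy parameters and wholly insecure; the user's proof of knowledge of the opening of C, which the real protocol requires, is omitted here.

```python
import secrets
from math import gcd
from typing import List, Optional, Tuple

PublicKey = Tuple[int, List[int], int, int, int]   # (n, [a_1..a_k], b, d, ell)
Signature = Tuple[int, int, int]                    # (c, e, s)


def is_prime(k: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if k < 2:
        return False
    i = 2
    while i * i <= k:
        if k % i == 0:
            return False
        i += 1
    return True


class Issuer:
    """Signer: knows the factorisation of n and hence can take e-th roots."""

    def __init__(self, p: int, q: int, ell: int, k: int) -> None:
        self.n, self.phi, self.ell = p * q, (p - 1) * (q - 1), ell
        self.a = [self._random_qr() for _ in range(k)]
        self.b, self.d = self._random_qr(), self._random_qr()

    def _random_qr(self) -> int:
        """Random element of QR_n other than 1 (public-key bases a_i, b, d)."""
        while True:
            x = secrets.randbelow(self.n - 2) + 2
            if gcd(x, self.n) == 1 and x * x % self.n != 1:
                return x * x % self.n

    def public_key(self) -> PublicKey:
        return self.n, self.a, self.b, self.d, self.ell

    def _random_e(self) -> int:
        """Prime e with 2^(ell+1) < e < 2^(ell+2), coprime to phi(n)."""
        lo, hi = 2 ** (self.ell + 1) + 1, 2 ** (self.ell + 2)
        while True:
            e = secrets.randbelow(hi - lo) + lo
            if is_prime(e) and gcd(e, self.phi) == 1:
                return e

    def _root(self, x: int, e: int) -> int:
        """x^(1/e) mod n, using the secret phi(n)."""
        return pow(x, pow(e, -1, self.phi), self.n)

    def sign(self, msgs: List[int]) -> Signature:
        """c = (d / (a_1^{m_1} ... a_k^{m_k} b^s))^(1/e) mod n, with s ~ n."""
        if len(msgs) != len(self.a) or any(not 0 <= m < 2 ** self.ell for m in msgs):
            raise ValueError("messages must be ell-bit values, one per base")
        e, s = self._random_e(), secrets.randbelow(self.n) + self.n
        base = pow(self.b, s, self.n)
        for a_i, m_i in zip(self.a, msgs):
            base = base * pow(a_i, m_i, self.n) % self.n
        return self._root(self.d * pow(base, -1, self.n) % self.n, e), e, s

    def issue_hidden(self, commitment: int, clear_msgs: List[int]) -> Signature:
        """Issuance on a hidden first message: the user supplies
        C = a_1^{m_1} b^{s'}; the issuer never sees m_1."""
        e, s2 = self._random_e(), secrets.randbelow(self.n) + self.n
        base = commitment * pow(self.b, s2, self.n) % self.n
        for a_i, m_i in zip(self.a[1:], clear_msgs):
            base = base * pow(a_i, m_i, self.n) % self.n
        return self._root(self.d * pow(base, -1, self.n) % self.n, e), e, s2


def verify(pk: PublicKey, msgs: List[int], sig: Signature) -> bool:
    """d == c^e a_1^{m_1} ... a_k^{m_k} b^s mod n plus the range checks on e
    and on the messages that the verification slide requires."""
    n, a, b, d, ell = pk
    c, e, s = sig
    if not (2 ** (ell + 1) < e < 2 ** (ell + 2)) or len(msgs) != len(a):
        return False
    if any(not 0 <= m < 2 ** ell for m in msgs):
        return False
    val = pow(c, e, n) * pow(b, s, n) % n      # pow() handles a negative s
    for a_i, m_i in zip(a, msgs):
        val = val * pow(a_i, m_i, n) % n
    return val == d


def rerandomize(pk: PublicKey, sig: Signature, t: Optional[int] = None) -> Signature:
    """(c b^t, e, s - e t) is another valid signature on the same messages;
    showing a fresh c' at every presentation keeps them unlinkable."""
    n, _, b, _, _ = pk
    c, e, s = sig
    if t is None:
        t = secrets.randbelow(n)
    return c * pow(b, t, n) % n, e, s - e * t


def user_commit(pk: PublicKey, m1: int, s1: Optional[int] = None) -> Tuple[int, int]:
    """User side of hidden issuance: C = a_1^{m_1} b^{s'}; returns (C, s')."""
    n, a, b, _, _ = pk
    if s1 is None:
        s1 = secrets.randbelow(n)
    return pow(a[0], m1, n) * pow(b, s1, n) % n, s1


if __name__ == "__main__":
    issuer = Issuer(23, 47, ell=4, k=2)        # constructed toy parameters
    pk = issuer.public_key()
    sig = issuer.sign([3, 9])
    print("verifies:", verify(pk, [3, 9], sig), "re-randomised:", verify(pk, [3, 9], rerandomize(pk, sig)))
    C, s1 = user_commit(pk, m1=5)              # sk = 5 stays hidden from the issuer
    c, e, s2 = issuer.issue_hidden(C, [9])
    print("credential on hidden sk verifies:", verify(pk, [5, 9], (c, e, s1 + s2)))
```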
An Example Scenario

Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
• A user can voice an opinion only once (subsequent attempts are dropped)
• Users want to be anonymous
• A user's opinions in different polls must not be linkable

Polling – Solution: Registration
(figure: issuer public key (n, a_1, a_2, b, d))
• User generates pseudonym (ID for registration)
• User obtains credential on pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
• Credential can contain attributes (e.g. course ID) about her

Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential
– c' = c b^{s'} mod n with randomly chosen s'
– SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
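The pseudonym and domain-pseudonym mechanics of the polling scenario as an added Python example (not the deck's code): a registration pseudonym Nym = g^sk h^r, a domain pseudonym P = H(pollID)^sk, and the pollster-side check that drops a second opinion from the same P. The group (p = 1019, q = 509, g = 4, h = 9) is a constructed toy and insecure, and the hash-to-group construction (SHA-256, reduce mod p, square) is an assumption, since the slides do not fix one. The credential presentation proof that accompanies P is not part of this block.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy group (insecure size): p = 2q + 1, both prime; 4 and 9 are
# squares mod p and therefore generate the order-q subgroup.
P, Q, G, H = 1019, 509, 4, 9


def in_group(el: int) -> bool:
    return 0 < el < P and pow(el, Q, P) == 1


def keygen() -> int:
    """User's secret key sk, random in Z_q without 0."""
    return secrets.randbelow(Q - 1) + 1


def pseudonym(sk: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Registration pseudonym Nym = g^sk h^r (a Pedersen commitment to sk)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, sk, P) * pow(H, r, P) % P, r


def hash_to_group(domain: str) -> int:
    """g_d = H(domain). Assumed construction: SHA-256, reduce mod p, square to
    land in the order-q subgroup; retry with a counter on the trivial element."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g_d not in (0, 1):
            return g_d
        counter += 1


def domain_pseudonym(sk: int, domain: str) -> int:
    """P = H(domain)^sk: fixed for one (user, domain) pair, so a second
    submission in the same poll repeats the same value, while values for
    different domains are unlinkable under DDH."""
    return pow(hash_to_group(domain), sk, P)


class Poll:
    """Pollster side: accept at most one opinion per domain pseudonym."""

    def __init__(self, poll_id: str) -> None:
        self.poll_id = poll_id
        self.opinions: Dict[int, str] = {}

    def submit(self, dom_pseudonym: int, opinion: str) -> bool:
        if not in_group(dom_pseudonym):      # reject malformed elements
            return False
        if dom_pseudonym in self.opinions:   # second attempt: dropped
            return False
        self.opinions[dom_pseudonym] = opinion
        return True


if __name__ == "__main__":
    sk = keygen()
    nym, _ = pseudonym(sk)                   # used once, at registration
    poll = Poll("course-101/2015")
    p_alice = domain_pseudonym(sk, poll.poll_id)
    print("first submission accepted:", poll.submit(p_alice, "good course"))
    print("second submission accepted:", poll.submit(p_alice, "great course"))
    print("other poll gives a different P:", domain_pseudonym(sk, "course-202/2015") != p_alice)
```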
Further Concepts

Concept – Inspection
(figure: trusted third party (TTP) with inspector parameters and inspection grounds)
• If car is damaged, ID with insurance or government needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust

Public Key Encryption
(figure: key generation, encryption, decryption)

Security
Like envelopes: no information about the message (whether m or m' was encrypted) leaks.
This is called semantic security (secure if used once only, or within a careful construction).

Verifiable Encryption with Label
Label is important to bind context to an encryption, e.g. defines decryption condition, binds user to car, etc.
Security definition: change of label is a new ciphertext.

Verifiable Encryption
Of attributes (discrete logarithm): Camenisch-Shoup (SRSA) – based on Paillier encryption
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones

ElGamal Encryption Scheme
Group G = ⟨g⟩ of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt message m ∈ ⟨g⟩:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c_1, c_2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m
Realizing Inspection
(figure: user holds Nym = g^{sk} h^r and credential (c, e, s) with d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n); inspector public key y = g^x; the verifier receives the encrypted Nym)
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e_1, e_2)
Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute proof
PK{(ε, μ_1, μ_2, μ_3, σ, ρ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
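The encryption half of inspection as an added Python example (not the deck's code): ElGamal over the same toy group used for pseudonyms, encrypting Nym = g^sk h^r under the inspector's key y = g^x exactly as enc = (y^u Nym, g^u) and decrypting with e_1 · e_2^{-x}. The parameters (p = 1019, q = 509, g = 4, h = 9) are constructed and insecure. The proof that ties e_1 to the credential's μ_1, μ_2 (the verifiable part) is not included here.

```python
import secrets
from typing import Optional, Tuple

# Constructed toy group (insecure size): p = 2q + 1; g = 4 and h = 9 are
# squares mod p and generate the order-q subgroup.
P, Q, G, H = 1019, 509, 4, 9


def in_group(el: int) -> bool:
    return 0 < el < P and pow(el, Q, P) == 1


def inspector_keygen(x: Optional[int] = None) -> Tuple[int, int]:
    """Inspector's key pair: secret x in {1, ..., q-1}, public y = g^x."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk: int, r: int) -> int:
    """Nym = g^sk h^r, the value the inspector will be able to recover."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y: int, m: int, u: Optional[int] = None) -> Tuple[int, int]:
    """ElGamal: enc = (y^u * m, g^u) for a group element m. A fresh u per
    ciphertext is what gives semantic security: the same Nym encrypts to
    different ciphertexts each time."""
    if not in_group(m):
        raise ValueError("message must be an element of <g>")
    if u is None:
        u = secrets.randbelow(Q - 1) + 1
    return pow(y, u, P) * m % P, pow(G, u, P)


def decrypt(x: int, enc: Tuple[int, int]) -> int:
    """m = e1 * e2^(-x) = y^u m g^(-xu). Ciphertexts outside the group are
    rejected: exponentiating an arbitrary element would leak information
    about x."""
    e1, e2 = enc
    if not (in_group(e1) and in_group(e2)):
        raise ValueError("malformed ciphertext")
    return e1 * pow(e2, -x, P) % P


if __name__ == "__main__":
    x, y = inspector_keygen()
    nym = pseudonym(sk=77, r=13)
    enc = encrypt(y, nym)               # goes into the presentation token
    print("inspector recovers Nym:", decrypt(x, enc) == nym)
```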
Revocation of credentials

Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: user lost credential secret key, misbehavior of user
Alice should be able to convince the verifier that her credential is among the good ones

Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work

Revocable Credentials: First Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish list of all valid (or invalid) u_i's: (u_1, ..., u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for u_j in (u_1, ..., u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ ... ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in size k of list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish list of all invalid u_i's: (u_1, ..., u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks that U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while
• Can pre-compute list U_i = h^{u_i} → single table lookup
• BUT if user comes again, verifier can link; ALSO verifier could not change h at all, or use the same as other verifiers
– one way out: h = H(verifier, date), so user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them

Revocable Credentials: Second Solution
... better implementation of proof
Issuer signs intervals between revoked values → for revocation list {1, 4, 5}: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
(figure: Alice's credential contains serial number 3; she proves knowledge of a Sig(i,j) where i < 3 < j)
Verifier does not learn i, j
Sig(i,j) can be realised also with the credential signature scheme using a different public key

Revocable Credentials: Third Solution
Using cryptographic accumulators
(figure: accumulator containing serial numbers 1, ..., 6; credentials contain a random serial number; the issuer accumulates all good serial numbers; a proof that a serial number is included in the accumulator requires a witness; to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials)

Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{∏ e_i} mod n
– publish z and n
– witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of accumulator: an adversary must not be able to show x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets witness x with the certificate. But we still need
– Efficient protocol to prove that a committed value is contained in the accumulator
– Dynamic accumulator, i.e. ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in accumulator:
– Commit to x:
• choose random s and g, and
• compute U_1 = x h^s, U_2 = g^s, and reveal U_1, U_2, g
– Run proof-protocol with verifier:
PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}

Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed
• (U_1, U_2) is a secure commitment to x
• proof-protocol is zero-knowledge
– Proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 h^{-δ})^μ (mod n)
c) d = c^ε a_1^ρ a_2^μ b^σ (mod n)

Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
– Recall z = v^{∏ e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. need to be updated: x' = x^{e_new} mod n

Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
– Now z' = v^{∏_{i ≠ rev} e_i} = z^{1/e_rev} mod n
– Witness:
• Use Ext. Euclid to compute a and b s.t. a e_own + b e_rev = 1
• Now x' = x^b z'^a mod n
• Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
  = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
  = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
  = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
  = z^{1/e_rev} mod n = z' :-)

Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
– Recall z = v^{∏ e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
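The RSA accumulator of the third solution as an added Python example (not the deck's or Identity Mixer's code): accumulating primes, computing and checking witnesses, updating witnesses when a member joins (x' = x^{e_new}) and, after a revocation, the extended-Euclid update x' = x^b z'^a derived on the slide above. The issuer here knows the factorisation and removes e_rev as z' = z^{1/e_rev}. The modulus n = 23·47 is a constructed toy value (φ(n) = 1012 = 2²·11·23, so accumulated primes must avoid 2, 11 and 23) and is insecure; a real deployment uses a large modulus and large primes.

```python
from math import gcd
from typing import List, Tuple

# Constructed toy RSA modulus (insecure size): n = 23 * 47,
# phi(n) = 22 * 46 = 1012 = 2^2 * 11 * 23. Accumulated primes must be coprime
# to phi(n).


class Issuer:
    """Holds the factorisation; maintains z = v^{prod e_i} mod n."""

    def __init__(self, p: int, q: int, v: int) -> None:
        self.n = p * q
        self.phi = (p - 1) * (q - 1)
        self.v = v % self.n
        self.members: List[int] = []
        self.z = self.v

    def add(self, e: int) -> int:
        """Add prime e: z' = z^e. Returns the new accumulator value."""
        if gcd(e, self.phi) != 1:
            raise ValueError("e must be coprime to phi(n)")
        self.members.append(e)
        self.z = pow(self.z, e, self.n)
        return self.z

    def witness(self, e: int) -> int:
        """x = v^{prod of all other members} mod n, so that x^e = z."""
        x = self.v
        for other in self.members:
            if other != e:
                x = pow(x, other, self.n)
        return x

    def revoke(self, e_rev: int) -> int:
        """Remove e_rev: z' = z^{1/e_rev}, computed with the secret phi(n).
        Returns the new accumulator value that gets published."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, self.phi), self.n)
        return self.z


def verify(z: int, x: int, e: int, n: int) -> bool:
    """Verifier check: e is accumulated iff x^e = z mod n."""
    return pow(x, e, n) == z % n


def update_witness_add(x: int, e_new: int, n: int) -> int:
    """After a join, every holder updates x' = x^{e_new} mod n."""
    return pow(x, e_new, n)


def ext_euclid(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def update_witness_revoke(x: int, e_own: int, e_rev: int, z_new: int, n: int) -> int:
    """After revocation of e_rev, an unrevoked holder of e_own computes
    a*e_own + b*e_rev = 1 and x' = x^b * z_new^a mod n (slide derivation).
    pow() handles the negative exponent because x and z_new are units mod n."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x, b, n) * pow(z_new, a, n) % n


if __name__ == "__main__":
    issuer = Issuer(23, 47, v=4)
    n = issuer.n
    for e in (5, 7, 13):
        issuer.add(e)
    x7 = issuer.witness(7)
    print("7 accumulated:", verify(issuer.z, x7, 7, n))
    issuer.add(17)                                    # a new member joins
    x7 = update_witness_add(x7, 17, n)
    print("witness valid after join:", verify(issuer.z, x7, 7, n))
    x13 = issuer.witness(13)
    z_new = issuer.revoke(13)                         # 13 is revoked
    x7 = update_witness_revoke(x7, 7, 13, z_new, n)
    print("witness valid after revocation:", verify(z_new, x7, 7, n))
    print("revoked holder's witness still valid:", verify(z_new, x13, 13, n))
```

The revoked holder cannot run `update_witness_revoke` for itself (e_own = e_rev gives gcd 13, not 1), which is the whole point: without a fresh witness its old x no longer satisfies x^{13} = z'.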
Revocation: Zeroth Solution
Update of credentials: encode validity time as attribute
• no additional effort for verifier
• if credential is valid → no need to check revocation updates from issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
(figure: user sends U = a_1^{m_1} a_2^{m_2} b^{s'}; issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n; returns (c, e, s''))

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i:
– Choose e_i, s_i''
– c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means

Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Alice wants to watch a movie at Mplex
(figure: Alice and the Movie Streaming Service)
Alice: "I wish to see Alice in Wonderland"
Movie Streaming Service: "You need: a subscription, and to be older than 12"

Watching the movie with the traditional solution
Alice: "OK, here's my eID and my subscription"
Movie Streaming Service: "Aha, you are: Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, expires Aug 4, 2018; Mplex customer 1029347, premium subscription, expires Jan 13, 2016"
This is a privacy and security problem:
• identity theft
• profiling
• discrimination

Watching the movie with the traditional solution
With OpenID and similar solutions, e.g. log-in with Facebook
Identity provider: "Aha, Alice is watching a 12+ movie"
Movie Streaming Service: "Aha, you are: Alice@facebook.com, born on Dec 12, 1975, Alice's friends are ..., Alice's public profile is ...; Mplex customer 1029347, premium subscription, expires Jan 13, 2016"

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
• has a subscription
• is older than 12
and no more.

Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better
• One secret identity (secret key)
• Many public pseudonyms (public keys)

Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better: issuing a credential
(figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997)
Privacy-protecting authentication with IBM Identity Mixer
(figure: Alice and the Movie Streaming Service)
Alice: "I wish to see Alice in Wonderland"
Movie Streaming Service: "You need: a subscription, and to be older than 12"
Like PKI, but does not send the credential, only minimal disclosure: Alice presents a proof of "valid subscription" and "eID with age ≥ 12", which the service checks with the public verification key of the issuer
Movie Streaming Service: "Aha, you are: older than 12, have a subscription"
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts

Concept – Inspection
(figure: trusted third party (TTP))
• If car is damaged, ID with insurance or government needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust

Concept – Revocation
(figure: revocation authority parameters (public key); revocation info)
• If Alice was speeding, license needs to be revoked
• There are many different use cases and many solutions
• Variants of CRL work (using crypto to maintain anonymity)
• Accumulators
• Signing entries & proof
• Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works

Concept – Usage Limitation
Degree of anonymity can be limited
• If Alice and Eve are on-line at the same time, they are caught
• Use limitation – anonymous until
– Alice used certs > 100 times total
– or > 10,000 times with Bob
• Alice's cert can be bound to a hardware token (e.g. TPM)

A couple of use cases

Age verification
• Movie streaming services
• Gaming industry
• Online gambling platforms
• Dating websites
• Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation

Healthcare
• Anonymous access to patients' records
– accessing medical test results
• Anonymous consultations with specialists
– online chat with a psychologist
– online consultation with IBM Watson
• Eligibility for the premium health insurance
– proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
• Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
• Patent databases
• DNA databases
• News/journals/magazines
• Transportation tickets, toll roads
• Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
• Online polls – applying different restrictions on the poll participants: location, citizenship
• Rating and feedback platforms
– anonymous feedback for a course only from the students who attended it
– wikis
– recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(figure: three layers on the user side and on the verifier side)
• application layer: resource request; Wallet on the user side, AC & app logic on the verifier side
• policy layer: presentation policy and presentation token; user side: policy/credential matcher, credential manager, store, evidence generation orchestration; verifier side: policy/token matcher, token manager, store, evidence verification orchestration
• crypto layer: Sig, Enc, Com, ZKP (both sides), store

Privacy-protecting authentication with Privacy ABCs
(figure: user and verifier; the user holds a credential (with credential specification and issuer parameter) and a pseudonym (with verifier parameter); the verifier sends a presentation policy, e.g. "12 < age", and receives a presentation token)

The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
• Encryption schemes
• Signature schemes
• Commitment schemes
• Zero-knowledge proofs
The challenge is to do all this efficiently

Zero-knowledge proofs

Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge
(figure: three moves – commitment, challenge, response)
Properties:
• zero-knowledge: verifier learns nothing about the prover's secret
• proof of knowledge (soundness): prover can convince verifier only if she knows the secret
• completeness: if prover knows the secret she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group ⟨g⟩ and element y ∈ ⟨g⟩.
Prover wants to convince verifier that she knows x s.t. y = g^x, such that verifier only learns y and g.
Prover (knows x, y = g^x): random r, t = g^r; sends t
Verifier: random c; sends c
Prover: s = r - cx; sends s
Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
Prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
(figure: run the prover twice from the same t, once with challenge c and response s, once with challenge c' and response s')
t = g^s y^c = g^{s'} y^{c'} → y^{c - c'} = g^{s' - s}
→ y = g^{(s' - s)/(c - c')}
→ x = (s' - s)/(c - c') mod q

Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
(figure: simulator sends t, receives c, answers s)
• Choose random c', s', compute t = g^{s'} y^{c'}
• If c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier: random c, v; h = H(c, v); sends h
Prover (knows x, y = g^x): random r, t = g^r; sends t
Verifier: sends (c, v)
Prover: checks h = H(c, v); s = r - cx; sends s
Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}

Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c – simulation:
• Receive h; choose random c', s', compute t = g^{s'} y^{c'}; send t
• After having received (c, v), "reboot" the verifier to the point after it sent h
• Choose random s', compute t = g^{s'} y^c (with the now known c); send t
• Receive (c, v) again; send s'
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r - cx mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
– underlying protocol is a zero-knowledge proof of knowledge
– hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
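The Schnorr material of the last few slides as one added Python example (not the deck's code): the interactive proof PK{(α): y = g^α}, the knowledge extractor that rewinds the prover to get two transcripts with the same t, the zero-knowledge simulator that picks s before t, and the Fiat-Shamir signature SPK{(α): y = g^α}(m). The group (p = 1019, q = 509, g = 4) is a constructed toy and insecure; hashing g and y into the challenge alongside t and m is a hardening choice of this example rather than something the slide shows.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy group (insecure size): p = 2q + 1, g = 4 generates the
# order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4


class Prover:
    """Honest prover for PK{(alpha): y = g^alpha}."""

    def __init__(self, x: int) -> None:
        self.x = x % Q
        self.y = pow(G, self.x, P)
        self.r = 0

    def commit(self, r: Optional[int] = None) -> int:
        """First move: t = g^r for fresh random r (kept for the response).
        The optional r lets the extractor demo below 'rewind' the prover."""
        self.r = secrets.randbelow(Q) if r is None else r % Q
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        """Third move: s = r - c x mod q."""
        return (self.r - c * self.x) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier check: t = g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def extract(y: int, t: int, c1: int, s1: int, c2: int, s2: int) -> int:
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 give g^{s1} y^{c1} = g^{s2} y^{c2}, hence x = (s1 - s2)/(c2 - c1)."""
    if c1 == c2 or not (verify(y, t, c1, s1) and verify(y, t, c2, s2)):
        raise ValueError("need two accepting transcripts with distinct challenges")
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q


def simulate(y: int, c: int) -> Tuple[int, int]:
    """Zero-knowledge simulator: given the challenge first, pick s and set
    t = g^s y^c; the transcript (t, c, s) verifies without knowing x."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, s


def _hash_challenge(t: int, y: int, msg: bytes) -> int:
    """c = H(g, y, t || m) mod q; including g and y binds the signature to
    the public key (an addition to the slide's H(t || m))."""
    data = f"{G}|{y}|{t}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def spk_sign(x: int, msg: bytes) -> Tuple[int, int]:
    """Fiat-Shamir: SPK{(alpha): y = g^alpha}(m) = (c, s), c = H(t || m)."""
    prover = Prover(x)
    t = prover.commit()
    c = _hash_challenge(t, prover.y, msg)
    return c, prover.respond(c)


def spk_verify(y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Recompute t = g^s y^c and check c = H(t || m)."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == _hash_challenge(t, y, msg)


if __name__ == "__main__":
    prover = Prover(123)
    t = prover.commit()
    c = secrets.randbelow(Q)                 # verifier's challenge
    print("interactive proof accepted:", verify(prover.y, t, c, prover.respond(c)))
    t = prover.commit(r=50)                  # rewind: same r, two challenges
    s1, s2 = prover.respond(10), prover.respond(20)
    print("extracted x:", extract(prover.y, t, 10, s1, 20, s2))
    t_sim, s_sim = simulate(prover.y, 33)
    print("simulated transcript accepted:", verify(prover.y, t_sim, 33, s_sim))
    sig = spk_sign(123, b"hello")
    print("signature verifies:", spk_verify(prover.y, b"hello", sig))
```

Reusing r across two challenges is exactly what the extractor exploits, so a real prover must never answer two different challenges from the same commitment; the `commit(r=...)` hook exists only to show the rewinding argument.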
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g̃^α ∧ α ∈ [0, min(ord(g), ord(g̃))]}

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} g^{α_2} h^{β_3}} mean?
→ Prover knows values α_1, β_1, α_2, β_2, β_3 such that
C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
C_3 = g^{α_1} g^{α_2} h^{β_3} = g^{α_1 + α_2} h^{β_3} = g^{α_3} h^{β_3}
→ α_3 = α_1 + α_2 (mod q)
And what about PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3}}?
→ C_3 = g^{α_1} g^{5 α_2} h^{β_3} = g^{α_1 + 5 α_2} h^{β_3}
→ α_3 = α_1 + 5 α_2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3, β_3'): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = C_2^{α_1} h^{β_3'}} mean?
→ Prover knows values α_1, β_1, α_2, β_2, β_3' such that
C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
C_3 = C_2^{α_1} h^{β_3'} = (g^{α_2} h^{β_2})^{α_1} h^{β_3'} = g^{α_2 · α_1} h^{β_3' + β_2 · α_1}
C_3 = g^{α_2 · α_1} h^{β_3' + β_2 · α_1} = g^{α_3} h^{β_3}
→ α_3 = α_1 · α_2 (mod q)
And what about PK{(α_1, β_1, α_2, β_2, β_2'): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_2 = C_1^{α_1} h^{β_2'}}?
→ α_2 = α_1^2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, β_2'): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ g = (C_2/C_1)^{α_1} h^{β_2'}} mean?
→ Prover knows values α_1, β_1, β_2' such that
C_1 = g^{α_1} h^{β_1}
g = (C_2/C_1)^{α_1} h^{β_2'} = (C_2 g^{-α_1} h^{-β_1})^{α_1} h^{β_2'}
→ g^{1/α_1} = C_2 g^{-α_1} h^{-β_1} h^{β_2'/α_1}
C_2 = g^{α_1} h^{β_1} h^{-β_2'/α_1} g^{1/α_1} = g^{α_1 + 1/α_1} h^{β_1 - β_2'/α_1}
C_2 = g^{α_2} h^{β_2}
→ α_2 = α_1 + α_1^{-1} (mod q)
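The relation proofs analysed on the slides above, and the "Commitment Scheme Extended Features" proofs earlier (PK{(α, β): C_1 = g^β h^α} and PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g²)^β h^γ}), all have the same shape: every equation is a product of bases raised to witnesses, and a relation is expressed by reusing a witness across equations. This added Python example (not the deck's code) implements that generic Fiat-Shamir representation proof once and instantiates it for the sum relation α_3 = α_1 + α_2, the doubling relation, and the product relation α_3 = α_1 · α_2. The group (p = 1019, q = 509, g = 4, h = 9) is a constructed toy and insecure.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed toy group (insecure size): p = 2q + 1; g = 4 and h = 9 are
# squares mod p and generate the order-q subgroup.
P, Q, G, H = 1019, 509, 4, 9

# A statement is a list of equations  target = prod base_i ^ witness_name_i.
# Reusing a witness name across equations is what expresses a relation.
Equation = Tuple[int, List[Tuple[int, str]]]


def commit(m: int, r: int) -> int:
    """Pedersen commitment C = g^m h^r."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def _challenge(statement: List[Equation], ts: List[int]) -> int:
    """Fiat-Shamir challenge over the whole statement and all first moves."""
    parts = [f"{tgt}:" + ",".join(f"{b}^{w}" for b, w in terms) for tgt, terms in statement]
    data = "|".join(parts) + "|" + ",".join(map(str, ts))
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % Q


def prove(statement: List[Equation], witness: Dict[str, int]) -> Tuple[int, Dict[str, int]]:
    """Non-interactive proof of knowledge of every witness in the statement:
    one random r per witness, t_j = prod base^{r}, c = H(...), s_w = r_w - c w."""
    names = sorted({w for _, terms in statement for _, w in terms})
    rnd = {w: secrets.randbelow(Q) for w in names}
    ts = []
    for _, terms in statement:
        t = 1
        for base, w in terms:
            t = t * pow(base, rnd[w], P) % P
        ts.append(t)
    c = _challenge(statement, ts)
    return c, {w: (rnd[w] - c * witness[w]) % Q for w in names}


def verify(statement: List[Equation], proof: Tuple[int, Dict[str, int]]) -> bool:
    """Recompute t_j = target^c * prod base^{s_w} and check the challenge."""
    c, resp = proof
    ts = []
    for tgt, terms in statement:
        if pow(tgt, Q, P) != 1:            # targets must be group elements
            return False
        t = pow(tgt, c, P)
        for base, w in terms:
            if w not in resp:
                return False
            t = t * pow(base, resp[w], P) % P
        ts.append(t)
    return c == _challenge(statement, ts)


def sum_statement(c1: int, c2: int, c3: int) -> List[Equation]:
    """C1 = g^a1 h^b1, C2 = g^a2 h^b2, C3 = g^a1 g^a2 h^b3: C3 commits to a1 + a2."""
    return [(c1, [(G, "a1"), (H, "b1")]),
            (c2, [(G, "a2"), (H, "b2")]),
            (c3, [(G, "a1"), (G, "a2"), (H, "b3")])]


def double_statement(c1: int, c2: int) -> List[Equation]:
    """C1 = g^a h^b, C2 = (g^2)^a h^c: C2 commits to 2·a (extended features slide)."""
    return [(c1, [(G, "a"), (H, "b")]),
            (c2, [(pow(G, 2, P), "a"), (H, "c")])]


def product_statement(c1: int, c2: int, c3: int) -> List[Equation]:
    """C1 = g^a1 h^b1, C2 = g^a2 h^b2, C3 = C2^a1 h^b3: C3 commits to a1·a2.
    Here b3 plays the role of the slide's β3' (the randomness after absorbing β2·α1)."""
    return [(c1, [(G, "a1"), (H, "b1")]),
            (c2, [(G, "a2"), (H, "b2")]),
            (c3, [(c2, "a1"), (H, "b3")])]


if __name__ == "__main__":
    C1, C2, C3 = commit(5, 11), commit(7, 13), commit(12, 17)
    st = sum_statement(C1, C2, C3)
    proof = prove(st, {"a1": 5, "b1": 11, "a2": 7, "b2": 13, "b3": 17})
    print("C3 commits to a1 + a2:", verify(st, proof))
```

A verifier must hash the complete statement (targets and bases) into the challenge, as `_challenge` does; otherwise a proof produced for one statement could be replayed against another with the same first moves.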
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret Key: two random primes p and q. Public Key: n = pq, prime e,
and collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$
Computing signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$,
  $s = H(m)^{d} \bmod n$
Verification of signature s on a message $m \in \{0,1\}^*$:
  $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature s on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$
Wanna do proof of knowledge of signature on a message, e.g.
  $PK\{(m, s):\ s^{e} = H(m) \pmod n\}$
But this is not a valid proof expression :-( (the hash H(m) is not an algebraic relation among exponents that the proof system can handle)
CL-Signature Scheme
Public key of signer: RSA modulus n and $a_i, b, d \in QR_n$
Secret key: factors of n
To sign k messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
  choose random prime $2^{\ell+2} > e > 2^{\ell+1}$ and integer $s \approx n$, compute c:
  $c = \left( d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}) \right)^{1/e} \bmod n$
  signature is (c, e, s)
To verify a signature (c, e, s) on messages $m_1, \ldots, m_k$:
  $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$,
  $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: Signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe:
  Let $c' = c\, b^{t} \bmod n$ with randomly chosen t
  Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on m1 and m2
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
  $PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs (figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Commitment scheme
Commitment Scheme Functionality (figure): the committer seals message m in a commitment (an envelope), hands it over, and later opens it so that the receiver learns m.
Commitment Scheme Security
  Binding (figure): a commitment cannot be opened to two different messages m ≠ m'.
  Hiding (figure): for all messages m, m', the commitments to m and to m' cannot be told apart before opening.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order q
To commit to element $x \in \mathbb{Z}_q$:
  • Pedersen: perfectly hiding, computationally binding: choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
  • ElGamal: computationally hiding, perfectly binding: choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open commitment:
  • reveal x and r to verifier
  • verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
Perfectly hiding:
  Let c be a commitment and $u = \log_g h$.
  Thus $c = g^{x} h^{r} = g^{x + ur} = g^{x' + ur'} = g^{x'} h^{r'}$ for any x', with $r' = r + (x - x') u^{-1} \bmod q$.
  I.e., given c and any x', there exists r' such that $c = g^{x'} h^{r'}$.
Computationally binding:
  Let c, (x, r) and (x', r') s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$.
  Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. a double opening reveals the discrete logarithm of h.
Commitment Scheme Extended Features
Proof of Knowledge of Contents (figure): the committer proves knowledge of the m inside a commitment; the verifier outputs true.
Proof of Relations among Contents (figure): the committer proves m' = 2 • m for the contents of two commitments; the verifier outputs true.
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$, then
  $PK\{(\alpha, \beta):\ C_1 = g^{\beta} h^{\alpha}\}$
  $PK\{(\alpha, \beta, \gamma):\ C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^{2})^{\beta} h^{\gamma}\}$
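The Pedersen commitment with its hiding and binding arguments, and the proof of the relation m' = 2·m among two commitments, as an added Python example (not the talk's or Identity Mixer's code). It searches a small safe-prime group, keeps the trusted-setup value u = log_g h only to check that a double opening recovers it, and uses a Fiat–Shamir (SPK) version of PK{(α,β,γ): C1 = g^β h^α ∧ C2 = (g²)^β h^γ}; all names are assumed.

```python
"""Pedersen commitments and a proof of a relation among committed contents.
Added example, not code from the talk or from Identity Mixer.  The group is
a prime-order subgroup of Z_p^* with a ~24-bit q found by trial division, so
nothing here is secure; the algebra is the point."""
import hashlib
import random


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def make_group(start=2 ** 24):
    """Return (p, q, g): p = 2q + 1 with p, q prime; g = 4 is a quadratic
    residue and therefore generates the order-q subgroup."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = make_group()
# Trusted setup: h = g^u with u thrown away.  We keep u only to show that a
# binding break recovers it (toy demonstration).
_U = random.randrange(1, Q)
H = pow(G, _U, P)


def commit(x, r):
    """Pedersen: c = g^x h^r mod p."""
    return pow(G, x, P) * pow(H, r, P) % P


def open_ok(c, x, r):
    return c == commit(x, r)


def binding_break(x1, r1, x2, r2):
    """Two openings of one commitment give log_g h = (x1 - x2)/(r2 - r1) mod q."""
    assert commit(x1, r1) == commit(x2, r2) and r1 != r2
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q


def _challenge(*elems):
    """Fiat-Shamir challenge in Z_q derived from the whole transcript."""
    data = "|".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_double(m, r, r2):
    """SPK{(alpha, beta, gamma): C1 = g^beta h^alpha  AND  C2 = (g^2)^beta h^gamma}
    for C1 = g^m h^r and C2 = g^(2m) h^r2.  Returns (C1, C2, proof)."""
    C1, C2 = commit(m, r), commit(2 * m, r2)
    g2 = pow(G, 2, P)
    kb, ka, kg = (random.randrange(Q) for _ in range(3))   # random exponents
    t1 = pow(G, kb, P) * pow(H, ka, P) % P                # for C1
    t2 = pow(g2, kb, P) * pow(H, kg, P) % P               # for C2, same kb
    c = _challenge(C1, C2, t1, t2)
    sb, sa, sg = (kb + c * m) % Q, (ka + c * r) % Q, (kg + c * r2) % Q
    return C1, C2, (c, sb, sa, sg)


def verify_double(C1, C2, proof):
    """Recompute t1, t2 from the responses and check the challenge matches."""
    c, sb, sa, sg = proof
    g2 = pow(G, 2, P)
    t1 = pow(G, sb, P) * pow(H, sa, P) * pow(C1, -c, P) % P
    t2 = pow(g2, sb, P) * pow(H, sg, P) * pow(C2, -c, P) % P
    return c == _challenge(C1, C2, t1, t2)


if __name__ == "__main__":
    m, r, r2 = 17, random.randrange(Q), random.randrange(Q)   # constructed values
    C1, C2, proof = prove_double(m, r, r2)
    print("relation proof verifies:", verify_double(C1, C2, proof))
    print("C2 = commit(3m) rejected:", verify_double(C1, commit(3 * m, r2), proof))
    # hiding: C1 also opens to x' = 99 with a suitable r' (needs u, i.e. the trapdoor)
    r_alt = (r + (m - 99) * pow(_U, -1, Q)) % Q
    print("opens to 99 as well:", open_ok(C1, 99, r_alt))
    print("double opening gives u:", binding_break(m, r, 99, r_alt) == _U)
```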
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order q
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym Nym:
  – Choose random $r \in \mathbb{Z}_q$
  – Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs – Like PKI, but better
Issuing a credential (figure): the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997
Concept: credentials
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages $m_1, \ldots, m_k$:
  – $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
  – $e > 2^{\ell+1}$
  – $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: Pseudonym not in message space
Solution: Sign secret key instead
  → $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New Problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages (figure)
The signer receives a commitment to (m1, …, mj) and the clear messages (mj+1, …, mk) and outputs σ = sig((commitment to m1, …, mj), (mj+1, …, mk), [signing key]); the user obtains σ on all of m1, …, mk.
Verification remains unchanged: ver(σ, (m1, …, mk), [verification key]) = true
Security requirements basically the same as for signatures, but
  • signer should not learn any information about m1, …, mj
  • forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential (figure: user ↔ issuer; issuer public key n, a_i, b, d)
User: commits to her secret key, $C = a_1^{sk} b^{s'}$, sends C and name, and proves
  $PK\{(\mu_1, \sigma'):\ C = a_1^{\mu_1} b^{\sigma'}\}$
Issuer: chooses (e, s''), computes $c = \left( d / (C\, a_2^{name} b^{s''}) \right)^{1/e} \bmod n$ and returns (c, e, s'')
User: obtains the signature with $s = s'' + s'$: $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential – Want to sign w.r.t. $Nym = g^{sk} h^{r}$
User: $Nym = g^{sk} h^{r}$, $C = a_1^{sk} a_2^{r} b^{s'}$; sends C, Nym, name, and proves
  $PK\{(\mu_1, \rho, \sigma'):\ Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
Issuer: $c = \left( d / (C\, a_3^{name} b^{s''}) \right)^{1/e} \bmod n$, returns (c, e, s''), stores (Nym, name)
User: $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
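The CL signature (sign, verify, and the re-randomisation c' = c·b^t that precedes proving knowledge of a signature) together with the issuance on a commitment described above, as an added Python example, not the talk's or Identity Mixer's code. Parameter sizes are toy, the issuance step skips the user's PK of the commitment opening, and all function names are assumed.

```python
"""Toy CL (Camenisch-Lysyanskaya) signatures: sign, verify, re-randomise, and
issue on a commitment so that the signer never sees the hidden message.
Added example, not code from the talk or from Identity Mixer; toy sizes
(64-bit RSA primes, l = 16) give no security but run instantly."""
import math
import random

PRIME_BITS = 64   # bits of each RSA prime (toy size)
ELL = 16          # messages lie in {0,1}^l, i.e. 0 <= m < 2**ELL


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(lo, hi):
    while True:
        cand = random.randrange(lo, hi) | 1
        if is_probable_prime(cand):
            return cand


def keygen(k):
    """Public key: n and a_1..a_k, b, d in QR_n.  Secret key: the factors of n."""
    p = random_prime(1 << (PRIME_BITS - 1), 1 << PRIME_BITS)
    q = random_prime(1 << (PRIME_BITS - 1), 1 << PRIME_BITS)
    n = p * q

    def qr():  # squaring a random element gives a quadratic residue mod n
        return pow(random.randrange(2, n), 2, n)
    pk = {"n": n, "a": [qr() for _ in range(k)], "b": qr(), "d": qr()}
    return pk, {"p": p, "q": q}


def _base(pk, msgs, s):
    """a_1^m_1 ... a_k^m_k b^s mod n; pow() accepts a negative s (Python >= 3.8)."""
    n = pk["n"]
    acc = pow(pk["b"], s, n)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, n) % n
    return acc


def sign(pk, sk, msgs, commitment=1):
    """Return (c, e, s) with d = c^e * commitment * a_1^m_1 ... a_k^m_k b^s (mod n).
    Plain signing: commitment=1.  Issuance on hidden messages: pass the user's
    commitment C = a_1^sk b^s' and 0 in the hidden slots; the user adds s' to s."""
    n, phi = pk["n"], (sk["p"] - 1) * (sk["q"] - 1)
    assert all(0 <= m < (1 << ELL) for m in msgs), "message outside {0,1}^l"
    while True:   # random prime e with 2^(l+1) < e < 2^(l+2), invertible mod phi
        e = random_prime((1 << (ELL + 1)) + 1, 1 << (ELL + 2))
        if math.gcd(e, phi) == 1:
            break
    s = random.randrange(n // 2, n)   # integer s of about the size of n
    # c = (d / (C a_1^m_1 ... b^s))^(1/e): only the holder of phi(n) takes e-th roots
    target = pk["d"] * pow(commitment * _base(pk, msgs, s) % n, -1, n) % n
    return pow(target, pow(e, -1, phi), n), e, s


def verify(pk, msgs, sig):
    c, e, s = sig
    n = pk["n"]
    if not all(0 <= m < (1 << ELL) for m in msgs) or e <= 1 << (ELL + 1):
        return False
    return pow(c, e, n) * _base(pk, msgs, s) % n == pk["d"]


def randomize(pk, sig):
    """(c, e, s) -> (c b^t, e, s - e t): a fresh-looking signature on the same
    messages, the first step before proving knowledge of a CL-signature."""
    c, e, s = sig
    t = random.randrange(1, pk["n"])
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


def issue_on_commitment(pk, sk, secret_key, name):
    """Issuance as on the slides: the user sends C = a_1^sk b^s' (and would prove
    PK{(mu, sigma'): C = a_1^mu b^sigma'}); the issuer signs C together with the
    clear attribute 'name' without learning sk; the user sets s = s'' + s'."""
    n = pk["n"]
    s_user = random.randrange(1, n)                                 # s'
    C = pow(pk["a"][0], secret_key, n) * pow(pk["b"], s_user, n) % n
    c, e, s_issuer = sign(pk, sk, [0, name], commitment=C)         # issuer side
    return c, e, s_issuer + s_user
```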
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
  Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
  A user can voice an opinion only once (subsequent attempts are dropped)
  Users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates a pseudonym (ID for registration)
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
The credential can contain attributes (e.g. course ID) about her
Issuer public key: (n, a1, a2, a3, b, d)
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes
  – User is anonymous and unlinkable
  – Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
  $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential
  – $c' = c\, b^{s'} \bmod n$ with randomly chosen s'
  – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts
Concept – Inspection (figure: Alice, verifier and a trusted third party (TTP) with inspector parameters and inspection grounds)
  • If car is damaged, ID with insurance or gov't needs to be retrieved
  • Similarly, verifiably encrypt any certified attribute (optional)
  • TTP is off-line & can be distributed to lessen trust
Public Key Encryption (figure): Key Generation, Encryption, Decryption
Security – like envelopes: no info about the message
Security – like envelopes: given the encryption of one of two messages, the adversary cannot tell which one. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label (figure)
Label is important to bind context to an encryption, e.g. it defines the decryption condition, binds user to car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithm):
  – Camenisch-Shoup (SRSA) – based on Paillier encryption
Of pseudonyms (group elements):
  – Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
  – Camenisch-Damgård works for any scheme but is much less efficient
Open Problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order q
Secret Key: $x \in \{1, \ldots, q\}$; Public key: $y = g^{x}$
To encrypt message $m \in \langle g \rangle$:
  – choose random $r \in \{1, \ldots, q\}$
  – compute $c = (y^{r} m, g^{r})$
To decrypt ciphertext $c = (c_1, c_2)$:
  – We know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
  – Thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
User's pseudonym $Nym = g^{sk} h^{r}$ and credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
Inspector's public key $y = g^{x}$
Encrypt Nym: random $u \in \{1, \ldots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$
Compute proof token (presentation token):
  – compute $c' = c\, b^{t} \bmod n$ with randomly chosen t
  – compute proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of credentials
Anonymous Credential Revocation (figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: user lost credential / secret key, misbehavior of user
Alice should be able to convince the verifier that her credential is among the good ones
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID $u_i$ as message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
  – Choose random g
  – Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
  – Prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID $u_i$ as message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
  – Choose random h and compute $U = h^{u_i}$
  – Prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
  – Verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.

Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while
  Can pre-compute list $U_i = h^{u_i}$ → single table lookup, BUT if the user comes again the verifier can link; ALSO the verifier could not change h at all or use the same as other verifiers
  – one way out: h = H(verifier, date), so the user can check correctness
  – date could be the time up to seconds and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – … better implementation of proof (figure: a number line with the revoked IDs 1, 4, 5 and Alice's ID 3)
Issuer signs the intervals between revoked IDs: Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N) → revocation list {1, 4, 5}
Alice's credential contains an ID u (3 in the figure); she proves that she holds some Sig(i, j) with i < u < j
Verifier does not learn i, j
Sig(i, j) can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution – Using cryptographic accumulators (figure: serial numbers 1 … 6 accumulated)
Credentials contain a random serial number
Issuer accumulates all good serial numbers
Proving that a serial number is included in the accumulator requires a witness
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
  – values are primes $e_i$
  – accumulator value $z = v^{\prod e_i} \bmod n$
  – publish z and n
  – witness value x for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value e is contained in the accumulator:
  – provide x for e
  – verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of accumulator: it must be infeasible to find x and e s.t. $z = x^{e} \bmod n$ for an e that is not contained in the accumulator
  – For fixed e: equivalent to the RSA assumption
  – Any e: equivalent to the Strong RSA assumption
Revocation: Each cert is associated with an e and each user gets a witness x with the certificate. But we still need:
  – Efficient protocol to prove that a committed value is contained in the accumulator
  – Dynamic accumulator, i.e. ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
  – Commit to x:
    • choose random s and g, and
    • compute $U_1 = x\, h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
  – Run proof-protocol with verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):$
    $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n$
    $\wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$

Revocable Credentials: Third Solution
Analysis:
  – No information about x and e is revealed:
    • $(U_1, U_2)$ is a secure commitment to x
    • the proof-protocol is zero-knowledge
  – The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
    a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
    b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$
    c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
  – Recall $z = v^{\prod e_i} \bmod n$
  – Thus $z' = z^{e_{new}} \bmod n$
  – But then all witnesses are no longer valid, i.e. need to be updated: $x' = x^{e_{new}} \bmod n$

Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
  – Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
  – Witness:
    • Use Ext. Euclid to compute a and b s.t. $a\, e_{own} + b\, e_{rev} = 1$
    • Now $x' = x^{b} z'^{a} \bmod n$
    • Why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
      $= ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n$
      $= z^{1/e_{rev}} \bmod n = z'$ :-)

Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing $e_{new}$:
  – Recall $z = v^{\prod e_i} \bmod n$
  – Actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
  – Thus z needs not to be changed in case a new member joins
  – Witnesses need to be recomputed upon revocation only
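The RSA accumulator with the witness updates of the two dynamic-accumulator slides above, as an added Python example (not the talk's or the Camenisch–Lysyanskaya paper's code). The modulus is a product of two Mersenne primes so the issuer's trapdoor is simply the known factorization, serial numbers are small primes, and all function names are assumed.

```python
"""RSA accumulator for credential revocation: accumulate, witness, verify,
add and revoke, with the user-side witness updates from the slides.
Added example, not code from the talk or from the Camenisch-Lysyanskaya paper.
Toy modulus n = (2^61 - 1)(2^89 - 1): its factors are public, so no security;
serial numbers are ~20-bit primes instead of l-bit ones."""
import math
import random

P_ISS, Q_ISS = (1 << 61) - 1, (1 << 89) - 1   # issuer's factors (Mersenne primes)
N = P_ISS * Q_ISS
PHI = (P_ISS - 1) * (Q_ISS - 1)               # the issuer's trapdoor for e-th roots


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def fresh_serial(rng):
    """Random prime serial number e, coprime to phi(n) so that 1/e mod phi exists."""
    while True:
        e = rng.randrange(1 << 19, 1 << 20) | 1
        if _is_prime(e) and math.gcd(e, PHI) == 1:
            return e


class Accumulator:
    """Issuer side: z = v^(prod e_i) mod n over the good serial numbers."""

    def __init__(self, seed_v):
        self.v, self.z, self.members = seed_v, seed_v, []

    def add(self, e_new):
        """z' = z^e_new; every existing witness must be updated to x^e_new."""
        self.members.append(e_new)
        self.z = pow(self.z, e_new, N)

    def witness(self, e):
        """x = v^(product of all members except e), so that x^e = z."""
        exp = 1
        for m in self.members:
            if m != e:
                exp *= m
        return pow(self.v, exp, N)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev): only the issuer, knowing phi(n), can take this root."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def verify(z, x, e):
    """Membership check done by the verifier: z == x^e mod n."""
    return pow(x, e, N) == z


def _bezout(a, b):
    """Extended Euclid: (u, v) with u*a + v*b = gcd(a, b) (= 1 for distinct primes)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_u, u = u, old_u - k * u
        old_v, v = v, old_v - k * v
    return old_u, old_v


def update_after_add(x, e_new):
    """User side: a member joined, so x' = x^e_new."""
    return pow(x, e_new, N)


def update_after_revoke(x, e_own, e_rev, z_new):
    """User side, no trapdoor: with a*e_own + b*e_rev = 1, x' = x^b z'^a
    satisfies x'^e_own = z' (pow() handles a negative b via the inverse)."""
    a, b = _bezout(e_own, e_rev)
    return pow(x, b, N) * pow(z_new, a, N) % N


def demo(seed=7):
    """Issue to Alice and Bob, let Carol join, revoke Bob.  Returns whether Alice's
    locally updated witness verifies after the join and after the revocation, and
    whether Bob's stale witness still verifies (it must not)."""
    rng = random.Random(seed)
    serials = set()
    while len(serials) < 3:
        serials.add(fresh_serial(rng))
    e_alice, e_bob, e_carol = sorted(serials)
    acc = Accumulator(pow(rng.randrange(2, N), 2, N))
    acc.add(e_alice)
    acc.add(e_bob)
    x_alice, x_bob = acc.witness(e_alice), acc.witness(e_bob)
    acc.add(e_carol)                                     # public e_carol suffices
    x_alice = update_after_add(x_alice, e_carol)
    ok_join = verify(acc.z, x_alice, e_alice)
    z_new = acc.revoke(e_bob)
    x_alice = update_after_revoke(x_alice, e_alice, e_bob, z_new)
    return ok_join, verify(z_new, x_alice, e_alice), verify(z_new, x_bob, e_bob)
```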
Revocation: Zeroth Solution
Update of Credentials: encode validity time as an attribute
  → no additional effort for the verifier: if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution – Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses e, s'' and computes
  $c = \left( d / (U\, a_3^{m_3} a_4^{time} b^{s''}) \right)^{1/e} \bmod n$ and returns (c, e, s'')
Idea: just repeat the last step for each new time period $time_i$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means:
  choose $e_i, s_i''$ and compute $c_i = \left( d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}) \right)^{1/e_i} \bmod n$
Conclusions
Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
  – www.abc4trust.eu
  – www.futureID.eu
  – www.au2eu.eu
  – www.PrimeLife.eu
  – www.zurich.ibm.com/idemix
  – idemixdemo.zurich.ibm.com
Code:
  – github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Alice wants to watch a movie at Mplex (figure: Alice ↔ Movie Streaming Service)
Movie Streaming Service: You need – a subscription – to be older than 12
Watching the movie with the traditional solution
Alice: ok, here's – my eID – my subscription
Movie Streaming Service: Aha, you are – Alice Doe – born on Dec 12, 1975 – 7 Waterdrive, CH 8003 Zurich – Married – Expires Aug 4, 2018; Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016
This is a privacy and security problem!
  • identity theft
  • profiling
  • discrimination
Watching the movie with the traditional solution – with OpenID and similar solutions, e.g. log-in with Facebook
Identity provider: Aha, Alice is watching a 12+ movie
Movie Streaming Service: Aha, you are – Alice@facebook.com – born on Dec 12, 1975 – Alice's friends are … – Alice's public profile is …; Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
  – has a subscription
  – is older than 12
and no more!
Privacy-protecting authentication with IBM Identity Mixer – Like PKI, but better
One secret Identity (secret key), many Public Pseudonyms (public keys)
Issuing a credential (figure): Name = Alice Doe, Birth date = April 3, 1997
Privacy-protecting authentication with IBM Identity Mixer (figure: Alice ↔ Movie Streaming Service)
Alice: I wish to see "Alice in Wonderland"
Movie Streaming Service: You need – a subscription – to be older than 12
Like PKI, but does not send the credential, only minimal disclosure: Alice presents – valid subscription – eID with age ≥ 12 (checked against the public verification key of the issuer)
Movie Streaming Service: Aha, you are – older than 12 – have a subscription
Advantages of Identity Mixer
For Users: privacy
  – minimizing disclosure of personal data
  – keeping their identities safe
  – pseudonymous/anonymous access
For Service Providers: security, accountability and compliance
  – avoiding the risk of losing personal data if it gets stolen
  – compliance with legislation (access control rules, personal data protection)
  – strong authentication (cryptographic proofs replace usernames/passwords)
  – user identification if required (under certain circumstances)
Demo: Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Revocation (figure: revocation authority parameters (public key), revocation info)
  • If Alice was speeding, her license needs to be revoked
  • There are many different use cases and many solutions
  • Variants of CRLs work (using crypto to maintain anonymity)
    • Accumulators
    • Signing entries & proof
  • Limited validity – certs need to be updated
  • For proving age, a revoked driver's license still works
Concept – Usage Limitation
Degree of anonymity can be limited:
  If Alice and Eve are on-line at the same time, they are caught
  Use Limitation – anonymous until
    – Alice used certs > 100 times total
    – or > 10,000 times with Bob
  Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification: movie streaming services, gaming industry, online gambling platforms, dating websites, social benefits for young/old people
  Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
  Anonymous access to patients' records – accessing medical test results
  Anonymous consultations with specialists – online chat with a psychologist – online consultation with IBM Watson
  Eligibility for premium health insurance – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
  Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership: patent databases, DNA databases, news/journals/magazines, transportation tickets, toll roads, loyalty programs
  Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
  Online polls – applying different restrictions on the poll participants: location, citizenship
  Rating and feedback platforms – anonymous feedback for a course only from the students who attended it – wikis – recommendation platforms
  Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer (figure: user wallet and verifier side, each in three layers)
  application layer: resource request; AC & app logic
  policy layer: presentation policy / presentation token; user side: policy credential matcher, credential mgr, store, evidence gen orchestration; verifier side: policy token matcher, token mgr, store, evidence verif orchestration
  crypto layer: Sig, Enc, Com, ZKP
Privacy-protecting authentication with Privacy ABCs (figure: credential specification and issuer parameter on the issuer side, credential and pseudonym in the user's wallet, presentation policy and verifier parameter on the verifier side, presentation token proving 12 < age)
The Policy Layer – An Example Presentation policy (User ← presentation policy ← Verifier; User → presentation token → Verifier)
  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
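A policy-layer credential matcher for the presentation policy above (the "policy credential matcher" box of the stack), as an added Python example, not ABC4Trust or Identity Mixer code. The xmlns:abc URI, the dateTime-geq function name as written on the slide, and the wallet's credential format are assumptions.

```python
"""Policy-layer matcher: parse an ABC presentation policy and pick, from the
user's wallet, a credential that satisfies it.  Added example, not code
from ABC4Trust or Identity Mixer; the namespace URI is an assumption."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"abc": "http://abc4trust.eu/wp2/abcschemav1.0"}   # assumed namespace URI

# The policy from the slide, punctuation restored, namespace declared (assumed).
POLICY_XML = """<abc:PresentationPolicy xmlns:abc="http://abc4trust.eu/wp2/abcschemav1.0"
    PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message><abc:ApplicationData>Terms and Conditions</abc:ApplicationData></abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>"""

# Predicate functions the matcher understands: attribute value vs. constant.
PREDICATES = {
    "urn:oasis:names:tc:xacml:1.0:function:dateTime-geq": lambda a, b: a >= b,
}


def parse_policy(xml_text):
    """Extract policy UID, message, allowed specs/issuers per alias, predicates."""
    root = ET.fromstring(xml_text)
    policy = {"uid": root.get("PolicyUID"),
              "message": root.findtext("abc:Message/abc:ApplicationData", namespaces=NS),
              "credentials": {}, "predicates": []}
    for cred in root.findall("abc:Credential", NS):
        policy["credentials"][cred.get("Alias")] = {
            "specs": [e.text for e in cred.findall(
                "abc:CredentialSpecAlternatives/abc:CredentialSpecUID", NS)],
            "issuers": [e.text for e in cred.findall(
                "abc:IssuerAlternatives/abc:IssuerParametersUID", NS)],
        }
    for pred in root.findall("abc:AttributePredicate", NS):
        attr = pred.find("abc:Attribute", NS)
        policy["predicates"].append({
            "function": pred.get("Function"),
            "alias": attr.get("CredentialAlias"),
            "attribute": attr.get("AttributeType"),
            "constant": pred.findtext("abc:ConstantValue", namespaces=NS),
        })
    return policy


def _as_datetime(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _holds(pred, cred):
    fn = PREDICATES.get(pred["function"])
    if fn is None or pred["attribute"] not in cred["attributes"]:
        return False          # unknown predicate or missing attribute: fail closed
    return fn(_as_datetime(cred["attributes"][pred["attribute"]]),
              _as_datetime(pred["constant"]))


def match_credentials(policy, wallet):
    """Return {alias: credential} choosing, per alias, a wallet credential whose
    spec and issuer are allowed and which satisfies every predicate on that
    alias; None if some alias cannot be satisfied."""
    chosen = {}
    for alias, req in policy["credentials"].items():
        for cred in wallet:
            if cred["spec"] not in req["specs"] or cred["issuer"] not in req["issuers"]:
                continue
            if all(_holds(p, cred) for p in policy["predicates"] if p["alias"] == alias):
                chosen[alias] = cred
                break
        else:
            return None
    return chosen


# Constructed wallet: an expired voucher and a valid one.
WALLET = [
    {"spec": "https://movies.com/specifications/voucher",
     "issuer": "https://movies.com/parameters/voucher",
     "attributes": {"Expires": "2014-01-01T00:00:00Z"}},
    {"spec": "https://movies.com/specifications/voucher",
     "issuer": "https://movies.com/parameters/voucher",
     "attributes": {"Expires": "2015-12-31T23:59:59Z"}},
]
```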
So let's look at the cryptography
Required Technologies: Encryption Schemes, Signature Schemes, Commitment Schemes, Zero-Knowledge Proofs – the challenge is to do all this efficiently
Zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (figure: three moves – Commitment, Challenge, Response)
Properties:
  zero-knowledge: verifier learns nothing about the prover's secret
  proof of knowledge (soundness): prover can convince verifier only if she knows the secret
  completeness: if prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group $\langle g \rangle$ and element $y \in \langle g \rangle$.
Prover wants to convince verifier that she knows x s.t. $y = g^{x}$, such that verifier only learns y and g.
  Prover: random r, $t = g^{r}$ → sends t
  Verifier: random c → sends c
  Prover: $s = r - cx$ → sends s
  Verifier checks $t = g^{s} y^{c}$
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
Prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface:
  run the prover twice from the same t with challenges c and c', obtaining s and s'
  $t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
  → $y = g^{(s' - s)/(c - c')}$
  → $x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$)
Idea: one can simulate whatever Bob "sees":
  Choose random c', s', compute $t = g^{s'} y^{c'}$ and send t
  If the verifier's challenge c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
  Verifier: random $c_v$, $h = H(c_v)$ → sends h (a commitment to the challenge)
  Prover: random r, $t = g^{r}$ → sends t
  Verifier → sends $c_v$
  Prover: checks $h = H(c_v)$, computes $s = r - c_v x$ → sends s
  Verifier checks $t = g^{s} y^{c_v}$
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain c – simulation:
  after having received h, choose random c', s', compute $t = g^{s'} y^{c'}$, send t and receive $c_v$
  "reboot" the verifier: it sends h again; now knowing $c_v$, choose random s', compute $t = g^{s'} y^{c_v}$, send t, receive $c_v$, send s'
From Protocols To Signatures
Signing a message m:
  – choose random $r \in \mathbb{Z}_q$ and
  – compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
  – output (c, s)
Verifying a signature (c, s) on a message m:
  – check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
  – the underlying protocol is a zero-knowledge proof of knowledge
  – the hash function H() behaves as a "random oracle"
Signature: $SPK\{(\alpha):\ y = g^{\alpha}\}(m)$
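The Schnorr protocol for PK{(α): y = g^α}, the rewinding knowledge extractor, the simulator behind the zero-knowledge argument, and the signature SPK{(α): y = g^α}(m) from the slides above, as an added Python example (not the talk's code) over a toy 10-bit group p = 2039, q = 1019; names are assumed.

```python
"""Schnorr PK{(alpha): y = g^alpha}: interactive protocol, rewinding extractor,
simulator, and the Fiat-Shamir signature SPK{(alpha): y = g^alpha}(m).
Added example, not code from the talk.  Toy group: p = 2039 = 2*1019 + 1,
q = 1019 and g = 4 (a quadratic residue, hence of order q); no security."""
import hashlib
import random

P, Q, G = 2039, 1019, 4


class Prover:
    """Holds the secret alpha = x; keeps r between moves so it can be 'rewound'."""

    def __init__(self, x):
        self.x = x
        self.y = pow(G, x, P)           # public y = g^x

    def commit(self):
        self.r = random.randrange(Q)
        return pow(G, self.r, P)        # move 1: t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q   # move 3: s = r - c x


def verify(y, t, c, s):
    """Verifier's check t == g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(prover):
    t = prover.commit()
    c = random.randrange(Q)             # move 2: honest verifier's challenge
    return verify(prover.y, t, c, prover.respond(c))


def extract(y, t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 give x = (s2 - s1) / (c1 - c2) mod q."""
    assert c1 != c2 and verify(y, t, c1, s1) and verify(y, t, c2, s2)
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


def rewind_and_extract(prover):
    """Black-box use of the prover: reset it to the same t, ask two challenges."""
    t = prover.commit()
    c1, c2 = random.sample(range(Q), 2)
    s1 = prover.respond(c1)
    s2 = prover.respond(c2)             # the 'reset' prover reuses the same r
    return extract(prover.y, t, c1, s1, c2, s2)


def simulate(y):
    """Zero-knowledge: an accepting transcript without x, built 'backwards'
    (choose c and s first, then t = g^s y^c)."""
    c, s = random.randrange(Q), random.randrange(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def _hash(t, m):
    digest = hashlib.sha256(f"{t}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): c = H(g^r || m), s = r - c x mod q."""
    r = random.randrange(Q)
    c = _hash(pow(G, r, P), m)
    return c, (r - c * x) % Q


def verify_sig(y, m, sig):
    """Accept iff c == H(g^s y^c || m), i.e. the recomputed t matches."""
    c, s = sig
    return c == _hash(pow(G, s, P) * pow(y, c, P) % P, m)
```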
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α,β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α,β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α,β,γ,δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A,B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1,β1,α2,β2,α3,β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
C3 = g^{α1} g^{α2} h^{β3} = g^{α1+α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)
And what about PK{(α1,…,β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5α2} h^{β3} = g^{α1+5α2} h^{β3}
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1,…,β4): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{β4}} mean?
→ Prover knows values α1, β1, α2, β2, β3, β4 such that
C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
C3 = C2^{α1} h^{β4} = (g^{α2} h^{β2})^{α1} h^{β4} = g^{α2·α1} h^{β4+β2·α1}
C3 = g^{α2·α1} h^{β4+β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)
And what about PK{(α1,β1,α2,β2,β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{β3}}?
→ C2 = (g^{α1} h^{β1})^{α1} h^{β3} = g^{α1^2} h^{β1·α1+β3} = g^{α2} h^{β2}
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1,β1,α2,β2,β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β3}} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1 = g^{α1} h^{β1}
g = (C2/C1)^{α1} h^{β3} = (C2 g^{-α1} h^{-β1})^{α1} h^{β3}
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β3/α1}
C2 = g^{α1} h^{β1} h^{-β3/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β3/α1}
C2 = g^{α2} h^{β2}
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
Diagram: Alice and the building blocks used to realise Privacy ABCs: signature scheme, commitment scheme, zero-knowledge proofs
signature schemes
Signature Scheme Functionality
Key Generation: the signer generates a key pair (sk, pk).
Signing: σ = sig((m1, ..., mk), sk)
Verification: ver(σ, (m1, ..., mk), pk) = true
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack:
the adversary obtains signatures σ1, ..., σl on messages m1, ..., ml of its choice and must output σ and m ≠ mi s.t. ver(σ, m, pk) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret Key: two random primes p and q
Public Key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1)
s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do proof of knowledge of signature on a message, e.g.
PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-( since H(m) is not an algebraic function of m, the discrete-logarithm proof techniques above cannot express the relation.
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
choose random prime 2^{ℓ+2} > e > 2^{ℓ+1} and integer s ≈ n, compute c:
c = (d / (a1^{m1} ··· ak^{mk} b^s))^{1/e} mod n
signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^{m1} a2^{m2} b^s mod n
Observe:
Let c' = c b^t mod n with randomly chosen t.
Then d = c'^e a1^{m1} a2^{m2} b^{s-et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m1 and m2.
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
PK{(ε, μ1, σ): d / a2^{m2} = c'^ε a1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^{μ1} a2^{m2} b^σ
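CL signing, verification and the re-randomisation c' = c b^t, s' = s - et from the slides above as runnable code. This is an added example, neither the deck's nor Identity Mixer's code; the modulus n = 1000003 · 1000033 and ℓ = 8 are constructed toy parameters.

```python
"""CL (SRSA) signatures on a block of messages: sign, verify, re-randomise.
Added example for this page. The factors p, q and l = 8 are constructed toy
values; a real setup uses a 2048-bit modulus and l around 256."""
import random
from math import gcd

p, q = 1000003, 1000033            # constructed toy factors (issuer's secret key)
n, phi = p * q, (p - 1) * (q - 1)
L = 8                              # message length l in bits


def is_prime(m):
    """Trial division is enough for the 10-bit primes used here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def keygen(k, rng):
    """Public key: a_1..a_k, b, d in QR_n (squares of random units, != 1)."""
    def qr():
        while True:
            r = rng.randrange(2, n - 1)
            if gcd(r, n) == 1 and r * r % n != 1:
                return r * r % n
    return [qr() for _ in range(k)], qr(), qr()


def _prod(a, msgs):
    """prod a_i^{m_i} mod n."""
    out = 1
    for ai, mi in zip(a, msgs):
        out = out * pow(ai, mi, n) % n
    return out


def sign(a, b, d, msgs, rng):
    """c = (d / (prod a_i^{m_i} b^s))^{1/e} mod n with a prime e in
    (2^{l+1}, 2^{l+2}); gcd(e, phi) = 1 is needed for 1/e mod phi to exist."""
    assert all(0 <= m < 2 ** L for m in msgs)
    while True:
        e = rng.randrange(2 ** (L + 1) + 1, 2 ** (L + 2), 2)
        if is_prime(e) and gcd(e, phi) == 1:
            break
    s = rng.randrange(n)                         # s of about n's size
    base = d * pow(_prod(a, msgs) * pow(b, s, n) % n, -1, n) % n
    c = pow(base, pow(e, -1, phi), n)            # e-th root via the trapdoor
    return c, e, s


def verify(a, b, d, msgs, sig):
    """Check m_i in {0,1}^l, e > 2^{l+1} and d = c^e prod a_i^{m_i} b^s mod n."""
    c, e, s = sig
    if not all(0 <= m < 2 ** L for m in msgs) or e <= 2 ** (L + 1):
        return False
    return d == pow(c, e, n) * _prod(a, msgs) % n * pow(b, s, n) % n


def randomize(b, sig, rng):
    """(c b^t, e, s - e t) is a fresh-looking signature on the same messages;
    pow() with a negative exponent uses the modular inverse of b."""
    c, e, s = sig
    t = rng.randrange(n)
    return c * pow(b, t, n) % n, e, s - e * t


def demo(seed=2015):
    rng = random.Random(seed)
    a, b, d = keygen(2, rng)
    msgs = [200, 17]                             # constructed (sk, attribute)
    sig = sign(a, b, d, msgs, rng)
    sig2 = randomize(b, sig, rng)
    return {
        "verifies": verify(a, b, d, msgs, sig),
        "randomized_verifies": verify(a, b, d, msgs, sig2),
        "rejects_changed_message": not verify(a, b, d, [200, 18], sig),
    }
```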
commitment scheme
Commitment Scheme Functionality
Commit: the committer puts a message m into a commitment and hands it to the verifier (diagram: m in a locked box).
Open: later the committer reveals m and the verifier checks that the commitment was indeed to m.
Commitment Scheme Security
Binding: a commitment cannot be opened to two different messages m ≠ m'.
Hiding: for all messages m, m', a commitment to m and a commitment to m' cannot be distinguished.
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
• Pedersen: perfectly hiding, computationally binding: choose r ∈ Z_q and compute c = g^x h^r
• ElGamal: computationally hiding, perfectly binding: choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open commitment:
• reveal x and r to verifier
• verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^{x+ur} = g^{(x+ur') + u(r-r')} = g^{x+ur'} h^{r-r'} for any r'
I.e. given c and any x', there exists r'' such that c = g^{x'} h^{r''}
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
Then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q
Commitment Scheme Extended Features
Proof of Knowledge of Contents: the committer proves that it knows the message m inside a commitment (diagram: Proof, m, true).
Proof of Relations among Contents: e.g. the committer proves that the message m' of a second commitment satisfies m' = 2·m (diagram: Proof, m' = 2·m, true).
Let C1 = g^{m} h^{r} and C2 = g^{m'} h^{r'}; then
PK{(α,β): C1 = g^β h^α}
PK{(α,β,γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
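Pedersen's hiding and binding arguments and the relation proof PK{(α,β,γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}, worked in Python. This is an added example, not the deck's code; the toy group p = 1019, q = 509, g = 4 and the trapdoor u = log_g h = 137 are constructed so that the hiding argument can actually be run (in practice nobody knows log_g h).

```python
"""Pedersen commitments: equivocation with the trapdoor (perfect hiding),
collision-to-discrete-log reduction (binding) and the Fiat-Shamir version
of the proof that a second commitment holds twice the first message.
Added example for this page; P, Q, G, U are constructed toy parameters."""
import hashlib
import random

P, Q, G = 1019, 509, 4
U = 137                         # constructed trapdoor u = log_g h (demo only)
Hgen = pow(G, U, P)             # second generator h


def commit(x, r):
    """c = g^x h^r."""
    return pow(G, x, P) * pow(Hgen, r, P) % P


def open_ok(c, x, r):
    return c == commit(x, r)


def equivocate(x, r, x_new):
    """Perfect hiding: with u = log_g h, c = g^x h^r is also a commitment to
    x_new under r' = r + (x - x_new)/u, because x + u r = x_new + u r'."""
    return (r + (x - x_new) * pow(U, -1, Q)) % Q


def dlog_from_collision(x1, r1, x2, r2):
    """Binding reduction: two openings of one c give g^{x1-x2} = h^{r2-r1},
    hence log_g h = (x1-x2)/(r2-r1) mod q."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


def challenge(*elems):
    data = b"".join(e.to_bytes(2, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_double(m, r1, r2, rng):
    """Prover for PK{(a,b,g'): C1 = g^b h^a AND C2 = (g^2)^b h^g'} with the
    shared witness b = m, where C1 = g^m h^r1 and C2 = g^{2m} h^r2.
    Responses follow the slides' convention s = k - c*w."""
    kb, ka, kg = (rng.randrange(0, Q) for _ in range(3))
    T1 = pow(G, kb, P) * pow(Hgen, ka, P) % P
    T2 = pow(G, 2 * kb, P) * pow(Hgen, kg, P) % P
    c1, c2 = commit(m, r1), commit(2 * m, r2)
    c = challenge(c1, c2, T1, T2)
    return c, (kb - c * m) % Q, (ka - c * r1) % Q, (kg - c * r2) % Q


def verify_double(c1, c2, proof):
    """Recompute T1 = g^sb h^sa C1^c and T2 = (g^2)^sb h^sg C2^c and check the
    challenge; the single response sb in both equations ties m' to 2*m."""
    c, sb, sa, sg = proof
    T1 = pow(G, sb, P) * pow(Hgen, sa, P) * pow(c1, c, P) % P
    T2 = pow(G, 2 * sb, P) * pow(Hgen, sg, P) * pow(c2, c, P) % P
    return c == challenge(c1, c2, T1, T2)


def demo(seed=2015):
    rng = random.Random(seed)
    m, r1, r2 = 42, rng.randrange(Q), rng.randrange(Q)   # constructed inputs
    c1, c2 = commit(m, r1), commit(2 * m, r2)
    r_new = equivocate(m, r1, 7)           # open c1 as a commitment to 7
    return {
        "opens": open_ok(c1, m, r1),
        "equivocation_opens": open_ok(c1, 7, r_new),
        "collision_reveals_trapdoor": dlog_from_collision(m, r1, 7, r_new) == U,
        "relation_proof_verifies": verify_double(c1, c2, prove_double(m, r1, r2, rng)),
    }
```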
putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials
Like PKI but better: issuing a credential (diagram: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Problem: Pseudonym not in message space
Solution: Sign secret key instead
→ d = c^e a1^{sk} a2^{m2} ··· ak^{mk} b^s mod n
New Problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives a commitment to the hidden messages (m1, ..., mj) together with the clear messages (mj+1, ..., mk) and computes σ = sig((commitment, mj+1, ..., mk), sk); the user ends up with a signature on (m1, ..., mk).
Verification remains unchanged: ver(σ, (m1, ..., mk), pk) = true
Security requirements basically the same as for signatures, but:
• signer should not learn any information about m1, ..., mj
• Forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
User: chooses s', computes C = a1^{sk} b^{s'} and sends C and her name to the issuer, together with the proof
PK{(μ1, σ'): C = a1^{μ1} b^{σ'}}
Issuer (public key n, a_i, b, d): chooses a prime e and s'', computes
c = (d / (C a2^{name} b^{s''}))^{1/e} mod n
and returns (c, e, s'')
User: (c, e, s'' + s') is a CL signature on (sk, name):
d = c^e a1^{sk} a2^{name} b^{s'' + s'} (mod n)
Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} h^r
User: Nym = g^{sk} h^r, C = a1^{sk} a2^{r} b^{s'}; sends C, Nym and name together with the proof
PK{(μ1, ρ, σ'): Nym = g^{μ1} h^{ρ} ∧ C = a1^{μ1} a2^{ρ} b^{σ'}}
Issuer (public key n, a_i, b, d): c = (d / (C a3^{name} b^{s''}))^{1/e} mod n; stores Nym, name; returns (c, e, s'')
User: d = c^e a1^{sk} a2^{r} a3^{name} b^{s'' + s'} (mod n)
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
A user can voice an opinion only once (subsequent attempts are dropped)
Users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates pseudonym (ID for registration)
User obtains credential on pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e a1^{sk} a2^{r} a3^{attr} b^s (mod n)
Credential can contain attributes (e.g. course ID) about her
Issuer public key: (n, a1, a2, a3, b, d)
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID
2. User transforms credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential:
– c' = c b^{s'} mod n with randomly chosen s'
– SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts
Concept – Inspection
Diagram: a trusted third party (TTP, the inspector) publishes inspector parameters; the presentation policy states the inspection grounds.
• If car is damaged, ID with insurance or gov't needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption
Key Generation, Encryption, Decryption (diagram)
Security: like envelopes, no info about the message
Security: given the encryption of one of two messages, one cannot tell which one was encrypted (diagram: "or")
This is called semantic security (secure if used once only or within a careful construction)
Verifiable Encryption with Label
Label is important to bind context to an encryption. E.g. defines the decryption condition, binds user to car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithm):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård, works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ [1, q]; public key: y = g^x
To encrypt message m ∈ <g>:
– choose random r ∈ [1, q]
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c1 · c2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
User holds Nym = g^{sk} h^r and a credential (c, e, s'' + s') with
d = c^e a1^{sk} a2^{r} a3^{name} b^{s'' + s'} (mod n)
Inspector public key: y = g^x
Encrypt Nym: random u ∈ [1, q] and enc = (y^u Nym, g^u) = (e1, e2). Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute proof
PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
Anonymous Credential Revocation
Diagram: the issuer publishes revocation info; the verifier looks it up.
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: user lost credential/secret key, misbehavior of user
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for u_j in (u1, ..., uk)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
Can pre-compute the list U_i = h^{u_i} → single table lookup
BUT if the user comes again, the verifier can link. ALSO the verifier could not change h at all or use the same h as other verifiers.
– one way out: h = H(verifier, date) so the user can check correctness
– date could be the time up to seconds and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution
… better implementation of proof
Issuer signs the intervals between revoked values: for revocation list {1, 4, 5} it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
Alice (diagram: credential ID 3) proves that her credential contains a value u with i < u < j and that she knows Sig(i,j)
Verifier does not learn i, j
Sig(i,j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
Diagram: credentials contain random serial numbers (1, 2, 3, 4, 5, 6); the issuer accumulates all good serial numbers; proving that a credential's serial number (e.g. 3) is included in the accumulator requires a witness.
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{∏ e_i} mod n
– publish z and n
– witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e1···e_{j-1}·e_{j+1}···e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of accumulator: it must be infeasible to find (e, x) s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need:
– Efficient protocol to prove that a committed value is contained in the accumulator
– Dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x:
• choose random s and g, and
• compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
– Run proof protocol with verifier: PK{(ε, μ, ρ, σ, ξ, δ):
d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n)
∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed
• (U1, U2) is a secure commitment to x
• proof protocol is zero-knowledge
– Proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 / h^δ)^μ (mod n)
c) d = c^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{∏ e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
– Now z' = v^{∏_{i≠rev} e_i} = z^{1/e_rev} mod n
– Witness:
• Use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
• Now x' = x^b z'^a mod n
• Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
= ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
= z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
– Recall z = v^{∏ e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
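The accumulator operations from the slides above (accumulate, witness, slow join, revocation with the issuer's trapdoor and the user's extended-Euclid update, trapdoor join) as runnable code. This is an added example, not the deck's code; the modulus n = 1000003 · 1000033 and the serial primes 13, 17, 19, 23, 29, 31 are constructed toy values chosen coprime to φ(n).

```python
"""RSA accumulator with dynamic add/revoke, following the slides.
Added example for this page; p, q, v and the serial primes are constructed
toy values (a real accumulator uses a 2048-bit modulus and large primes)."""
from functools import reduce

p, q = 1000003, 1000033               # constructed toy factors (issuer trapdoor)
n, phi = p * q, (p - 1) * (q - 1)
v = 4                                 # seed (a square, hence in QR_n)


def accumulate(values):
    """z = v^{prod e_i} mod n."""
    return pow(v, reduce(lambda x, y: x * y, values, 1), n)


def witness(values, e_j):
    """x = v^{prod_{i != j} e_i} mod n, so that z = x^{e_j}."""
    return accumulate([e for e in values if e != e_j])


def check(z, e, x):
    """Verifier's test: z == x^e mod n."""
    return z == pow(x, e, n)


def add(z, x_own, e_new):
    """Join without trapdoor: z' = z^{e_new}; every witness x' = x^{e_new}."""
    return pow(z, e_new, n), pow(x_own, e_new, n)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def revoke_issuer(z, e_rev):
    """Issuer side: z' = z^{1/e_rev} mod n using the factorisation of n."""
    return pow(z, pow(e_rev, -1, phi), n)


def revoke_user(z_new, x_own, e_own, e_rev):
    """User side: a*e_own + b*e_rev = 1, then x' = x^b z'^a mod n.
    Negative exponents are fine: pow() uses modular inverses."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "distinct primes are coprime"
    return pow(x_own, b, n) * pow(z_new, a, n) % n


def join_with_trapdoor(z, e_new):
    """Improved join: the issuer hands out x = z^{1/e_new} and leaves z alone
    (conceptually v' = v^{1/e_new}); witnesses change only on revocation."""
    return pow(z, pow(e_new, -1, phi), n)


def demo():
    es = [13, 17, 19, 23]             # constructed serial-number primes
    z = accumulate(es)
    x17 = witness(es, 17)
    ok_initial = check(z, 17, x17)
    # 29 joins the slow way: z and every witness change
    z2, x17 = add(z, x17, 29)
    ok_after_add = check(z2, 17, x17) and z2 == accumulate(es + [29])
    # issuer revokes 19; the holder of 17 updates its witness via Ext. Euclid
    z3 = revoke_issuer(z2, 19)
    x17 = revoke_user(z3, x17, 17, 19)
    ok_after_revoke = check(z3, 17, x17) and z3 == accumulate([13, 17, 23, 29])
    # the revoked holder's old witness no longer matches the new z
    x19_old = witness(es + [29], 19)
    # improved join: 31 receives a 31st root of z3, and z3 stays unchanged
    x31 = join_with_trapdoor(z3, 31)
    return {
        "initial": ok_initial,
        "after_add": ok_after_add,
        "after_revoke": ok_after_revoke,
        "revoked_witness_fails": not check(z3, 19, x19_old),
        "trapdoor_join": check(z3, 31, x31),
    }
```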
Revocation: Zeroth Solution
Update of credentials: encode validity time as attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
User: U = a1^{m1} a2^{m2} b^{s'}
Issuer: choose e, s''; c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n; returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time_i:
Choose e_i, s_i''
c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
copy 2014 IBM Corporation
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problembull - identity theftbull - profiling bull - discrimination
copy 2014 IBM Corporation21 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
copy 2014 IBM Corporation22 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2014 IBM Corporation23 August 11 2015
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- born on Dec 12 1975- Alices friends are - Alices public profile is Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2014 IBM Corporation
Identity Mixer solves this
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2014 IBM CorporationAugust 11 2015
Like PKI but better
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with IBM Identity Mixer
copy 2014 IBM CorporationAugust 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with IBM Identity Mixer
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation27 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
Movie Streaming Service
copy 2014 IBM Corporation28
Privacy-protecting authentication with IBM Identity Mixer
Alice
I wish to see Alice in Wonderland
You need- subscription- be older than 12
Movie Streaming Service
copy 2014 IBM Corporation29
Privacy-protecting authentication with IBM Identity Mixer
Alice
Movie Streaming Service
copy 2014 IBM Corporation30
Privacy-protecting authentication with IBM Identity Mixer
Alice
I wish to see Alice in Wonderland
You need- subscription- be older than 12
Movie Streaming Service
copy 2014 IBM CorporationAugust 11 2015
Like PKI but does not send credential only minimal disclosure
Privacy-protecting authentication with IBM Identity Mixer
Alice
Movie Streaming Service
- valid subscription - eID with age ge 12
copy 2014 IBM Corporation32 August 11 2015
Privacy-protecting authentication with IBM Identity Mixer
Alice
Aha you are- older than 12- have a subscription
Movie Streaming ServiceMovie Streaming Service
Like PKI but does not send credential only minimal disclosure (Public Verification Key
of issuer)
copy 2014 IBM Corporation33
Advantages of Identity Mixer
For Users privacyndash minimizing disclosure of personal data ndash keeping their identities safendash pseudonymousanonymous access
For Service Providers security accountability and compliancendash avoiding the risk of loosing personal data if it gets stolenndash compliance with legislation (access control rules personal data protection)ndash strong authentication (cryptographic proofs replace usernamespasswords) ndash user identification if required (under certain circumstances)
copy 2014 IBM Corporation
Demo
Try yourself at wwwibmbizidentitymixer on Privacy Day (January 28)
copy 2014 IBM Corporation35 August 11 2015
Further Concepts
copy 2014 IBM Corporation36 August 11 2015
TTP
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM Corporation37 August 11 2015
bull If Alice was speeding license needs to be revoked
bull There are many different use cases and many solutionsbull Variants of CRL work (using crypto to maintain anonymity)
bull Accumulatorsbull Signing entries amp Proof
bull Limited validity ndash certs need to be updated bull For proving age a revoked drivers license still works
Revocation authority parameters (public key)
Revocation info
Concept ndash Revocation
copy 2014 IBM Corporation38 August 11 2015
Concept ndash Usage Limitation
Degree of anonymity can be limited
If Alice and Eve are on-line at the same time they are caught
Use Limitation ndash anonymous untilndash If Alice used certs gt 100 times total ndash or gt 10000 times with Bob
Alices cert can be bound to hardware token (eg TPM)
copy 2014 IBM Corporation39 August 11 2015
A couple of use cases
copy 2014 IBM Corporation40
Age verification
Movie streaming services
Gaming industry
Online gambling platforms
Dating websites
Social benefits for youngold people
Proving 12+ 18+ 21+ without disclosing the exact date of birth ndash privacy and compliance with age-related legislation
copy 2014 IBM Corporation41
Healthcare
Anonymous access to patients recordsndash accessing medical test results
Anonymous consultations with specialistsndash online chat with a psychologist ndash online consultation with IBM Watson
Eligibility for the premium health insurancendash proving that the body mass index (BMI) is in the certain range without disclosing the
exact weight height or BMI
Anonymous treatment of patients (while enabling access control and payments)
copy 2014 IBM Corporation42
Subscriptions membership
Patent databases
DNA databases
NewsJournalsMagazines
Transportation tickets toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2014 IBM Corporation43
Polls recommendation platforms
Online polls ndash applying different restrictions on the poll participants location citizenship
Rating and feedback platformsndash anonymous feedback for a course only from the students who attended itndash wikisndash recommendation platforms
Providing anonymous but at the same time legitimate feedback
copy 2014 IBM Corporation44 August 11 2015
Towards Realizing Anonymous Creds
copy 2014 IBM Corporation
An Software Stack View on Identity Mixer
policylayer
cryptolayer
applicationlayer
resource request
presentation tokenpresentation policy
Wallet
policy credentialmatcher
credential mgr
store
evidence genorchestration
policy tokenmatcher
token mgr
store
evidence veriforchestration
Sig Enc Com ZKP
AC amp app logic
Sig Enc Com ZKP
store
copy 2014 IBM Corporation46 August 11 2015
Privacy-protecting authentication with Privacy ABCs
12 lt age
(Issuer parameter)
Credential
Presentation token Presentation policy
Pseudonym
(Verifier parameter)
Credential specification
copy 2014 IBM Corporation47 August 11 2015User Verifier
presentation policy
presentation token
The Policy Layer ndash An Example Presentation policy
ltabcPresentationPolicy PolicyUID=httpsmoviescompresentationpoliciesmovie1gt ltabcMessagegt ltabcApplicationDatagt Terms and Conditions ltabcApplicationDatagt ltabcMessagegt
ltabcCredential Alias=vouchergt ltabcCredentialSpecAlternativesgt ltabcCredentialSpecUIDgthttpsmoviescomspecificationsvoucherltabcCredentialSpecUIDgt ltabcCredentialSpecAlternativesgt ltabcIssuerAlternativesgt ltabcIssuerParametersUIDgthttpsmoviescomparametersvoucherltabcIssuerParametersUIDgt ltabcIssuerAlternativesgt ltabcCredentialgt
ltabcAttributePredicate Function=urnoasisnamestcxacml10functiondateTime-geqgt ltabcAttribute CredentialAlias=voucher AttributeType=Expires gt ltabcConstantValuegt2014-06-17T140600ZltabcConstantValuegt ltabcAttributePredicategt ltabcPresentationPolicygt
copy 2014 IBM Corporation48 August 11 2015
So lets look at the cryptography
copy 2014 IBM CorporationAugust 11 2015
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
Required Technologies
copy 2014 IBM Corporation50 August 11 2015
zero-knowledge proofs
copy 2014 IBM Corporation51 August 11 2015
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Three moves: commitment, challenge, response.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ of order q and an element y ∈ ⟨g⟩, the prover wants to convince the verifier that she knows x such that y = g^x, such that the verifier only learns y and g.
Prover: choose random r, compute t = g^r, send t.
Verifier: choose random c, send c.
Prover: compute s = r − c·x (mod q), send s.
Verifier: accept iff t = g^s · y^c.
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Rerun the prover with the same first message t but two different challenges c ≠ c', obtaining responses s and s'. Both transcripts verify:
t = g^s · y^c = g^{s'} · y^{c'}  →  y^{c−c'} = g^{s'−s}
→ y = g^{(s'−s)/(c−c')}
→ x = (s'−s)/(c−c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees", without knowing x:
- choose random c' and s', compute t = g^{s'} · y^{c'}, send t
- receive c; if c = c', send s = s', otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
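The three-move protocol, the rewinding extractor and the simulator of the last slides, as an added Python example (not from the slides or the Identity Mixer code base); the group parameters are constructed toy values and the extractor's two challenges are fixed for the demonstration.

```python
# Added example (not from the slides): Schnorr's interactive proof of knowledge
# of a discrete logarithm, PK{(α): y = g^α}, together with the knowledge
# extractor (rewinding the prover) and the zero-knowledge simulator that the
# slides sketch. Toy group parameters, chosen here for readability only.
import secrets

P = 10007                # prime modulus (toy size, NOT secure), P = 2*Q + 1
Q = 5003                 # prime order of the subgroup of quadratic residues
G = 4                    # generator of the order-Q subgroup of Z_P^*


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit(r):
    """Move 1: t = g^r for a fresh random r."""
    return pow(G, r, P)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier's check: t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    """One honest interactive run; returns the transcript (t, c, s)."""
    r = secrets.randbelow(Q)
    t = prover_commit(r)
    c = secrets.randbelow(Q)          # verifier's random challenge
    s = prover_respond(x, r, c)
    return t, c, s


def extract(c1, s1, c2, s2):
    """Special soundness: two accepting transcripts with the same t and
    different challenges yield x = (s2 - s1) / (c1 - c2) mod q."""
    assert c1 != c2
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def rewind_and_extract(x, y):
    """Thought experiment from the slides: treat the prover as a black box
    that we may reset and rerun with the same randomness r but a new c."""
    r = secrets.randbelow(Q)
    t = prover_commit(r)
    c1, c2 = 17, 42                                   # two distinct challenges
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    assert verify(y, t, c1, s1) and verify(y, t, c2, s2)
    return extract(c1, s1, c2, s2)


def simulate(y, c):
    """Zero-knowledge: without x, pick s first and solve for t = g^s * y^c.
    Works for a challenge c known in advance (or guessed, for a small domain)."""
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, c, P) % P
    return t, c, s
```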
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier commits to its challenge first.
Verifier: choose random c and v, compute h = H(c, v), send h.
Prover: choose random r, compute t = g^r, send t.
Verifier: send c and v.
Prover: check h = H(c, v), compute s = r − c·x (mod q), send s.
Verifier: accept iff t = g^s · y^c.
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
Simulating the modified protocol (large domain for c):
- receive h from the verifier; choose random c' and s', compute t = g^{s'} · y^{c'}, send t
- receive c and v; after having received c, "reboot" the verifier (it is bound to the same c by h = H(c, v))
- choose random s', compute t = g^{s'} · y^c, send t; receive c and v again
- send s'
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q and compute t = g^r
- compute c = H(t || m) and s = r − c·x (mod q)
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s · y^c || m), i.e. recompute t = g^s · y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
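The Fiat-Shamir signature SPK{(α): y = g^α}(m) of the slide, as an added Python example (not from the slides); SHA-256 stands in for the random oracle H and the group is a constructed toy group.

```python
# Added example (not from the slides): the Fiat-Shamir transform of the Schnorr
# protocol, i.e. the signature SPK{(α): y = g^α}(m). The verifier's random
# challenge is replaced by c = H(t || m), so the "proof" can be checked
# offline and later. Toy group parameters, chosen for readability only.
import hashlib
import secrets

P = 10007                # prime modulus (toy size, NOT secure), P = 2*Q + 1
Q = 5003                 # prime order of the subgroup generated by G
G = 4


def challenge(t, m):
    """c = H(t || m); H modelled by SHA-256 (random oracle). The full hash is
    kept as the challenge; pow() reduces the exponent by the group order."""
    data = t.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Signer's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m):
    """Signing as on the slide: r random, c = H(g^r || m), s = r - c*x mod q."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = challenge(t, m)
    s = (r - c * x) % Q
    return c, s


def verify(y, m, sig):
    """Recompute t = g^s * y^c and check that it hashes to the same c."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == challenge(t, m)
```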
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements (of prime order q).
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ The prover knows values α1, β1, α2, β2, α3, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
C3 = g^α1 g^α2 h^β3 = g^{α1+α2} h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^{5α2} h^β3 = g^{α1 + 5α2} h^β3
→ α3 = α1 + 5·α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3, β3'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3'} mean?
→ The prover knows values α1, β1, α2, β2, α3, β3, β3' such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^{α2·α1} h^{β3' + β2·α1}
C3 = g^{α2·α1} h^{β3' + β2·α1} = g^α3 h^β3
→ α3 = α1 · α2 (mod q)  (and β3 = β3' + β2·α1)
And what about PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'}?
→ C2 = (g^α1 h^β1)^α1 h^β2' = g^{α1²} h^{β1·α1 + β2'}
→ α2 = α1² (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2'} mean?
→ The prover knows values α1, β1, α2, β2, β2' such that
C1 = g^α1 h^β1 and
g = (C2/C1)^α1 h^β2' = (C2 g^{−α1} h^{−β1})^α1 h^β2'
→ g^{1/α1} = C2 g^{−α1} h^{−β1} h^{β2'/α1}
→ C2 = g^α1 h^β1 h^{−β2'/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 − β2'/α1}
Comparing with C2 = g^α2 h^β2:
→ α2 = α1 + α1^{−1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(Diagram: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.)
Signature Schemes
Signature Scheme Functionality
Key generation: the signer generates a secret signing key and a public verification key.
Signing: on messages (m1, ..., mk), the signer computes σ = sig((m1, ..., mk), signing key).
Verification: anyone holding the public key checks ver(σ, (m1, ..., mk), verification key) = true.
Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary adaptively asks for signatures σ1, ..., σl on messages m1, ..., ml of its choice. It wins if it outputs σ and m ≠ mi such that ver(σ, m, verification key) = true.
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ.
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n.
Verification of signature s on a message m ∈ {0,1}*: check s^e = H(m) (mod n).
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n).
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).
Wanna do a proof of knowledge of a signature on a message, e.g.
PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-( The relation involves the hash function H(), not just exponentiations in a group, so the discrete-logarithm proof techniques above cannot express it.
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n. Secret key: factors of n.
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
- choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and a random integer s ≈ n
- compute c = (d / (a1^m1 ··· ak^mk · b^s))^{1/e} mod n
- the signature is (c, e, s)
To verify a signature (c, e, s) on messages m1, ..., mk:
- check m1, ..., mk ∈ {0,1}^ℓ and e > 2^{ℓ+1}
- check d = c^e · a1^m1 ··· ak^mk · b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n.
Observe: let c' = c · b^t mod n with randomly chosen t. Then d = c'^e a1^m1 a2^m2 b^{s − e·t} (mod n), i.e. (c', e, s' = s − e·t) is also a signature on m1 and m2.
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and
PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
Privacy-protecting authentication with Privacy ABCs
(Diagram: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.)
Commitment Scheme
Commitment Scheme Functionality
(Diagram: the committer seals a message m, e.g. a value such as 2-36-17, in an envelope and hands it over; later she opens it and the receiver learns m.)
Commitment Scheme Security
Binding: a commitment cannot be opened to two different messages m ≠ m' (in the picture, the same envelope cannot reveal both 2-36-17 and 3-21-11).
Hiding: for all messages m, m', a commitment to m and a commitment to m' look the same to the receiver.
Commitment Schemes
Group G = ⟨g⟩ = ⟨h⟩ of order q.
To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
- reveal x and r to the verifier
- the verifier checks whether c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r.
Perfectly hiding:
Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^{x+ur} = g^{(x+ur) − ur' + ur'} = g^{x + u(r − r')} h^{r'} for any r'.
I.e., given c and any x', there exists r' such that c = g^{x'} h^{r'}.
Computationally binding:
Let c, (x, r) and (x', r') with x ≠ x' such that c = g^x h^r = g^{x'} h^{r'}.
Then g^{x−x'} = h^{r'−r} and u = log_g h = (x−x')/(r'−r) mod q, i.e. opening a commitment in two ways reveals the discrete logarithm of h.
Commitment Scheme Extended Features
Proof of knowledge of contents: the committer proves that she knows the m inside the commitment without opening it.
Proof of relations among contents: e.g. that the m' in a second commitment satisfies m' = 2·m.
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}, then
PK{(α, β): C1 = g^β h^α}
PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
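The two proofs of the slide (knowledge of a Pedersen opening, and the relation m' = 2m between two commitments), as an added Python example that is not from the slides; it makes the proof non-interactive with Fiat-Shamir and uses a constructed toy group with a second generator h whose logarithm is assumed unknown to the prover.

```python
# Added example (not from the slides): Pedersen commitments C1 = g^m h^r and
# C2 = (g^2)^m h^r' together with a non-interactive (Fiat-Shamir) proof of
# PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}, i.e. that the committed
# values satisfy m' = 2m without revealing m. Toy group, NOT secure sizes.
import hashlib
import secrets

P = 10007                # prime modulus, P = 2*Q + 1
Q = 5003                 # prime order of the subgroup
G = 4                    # generator of the order-Q subgroup
H = 9                    # second generator; log_G H must be unknown to the prover
                         # (in practice derived by hashing into the group)


def commit(m, r=None):
    """Pedersen commitment to m with randomness r (perfectly hiding)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m, P) * pow(H, r, P) % P, r


def open_commitment(c, m, r):
    """Opening check done by the verifier."""
    return c == pow(G, m, P) * pow(H, r, P) % P


def _hash(*elems):
    """Fiat-Shamir challenge over all group elements of the statement."""
    data = b"".join(e.to_bytes(2, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_double(m, r1, r2):
    """Prover side: witness (beta=m, alpha=r1, gamma=r2) for
    C1 = g^m h^r1 and C2 = (g^2)^m h^r2."""
    c1, _ = commit(m, r1)
    c2 = pow(G, 2 * m, P) * pow(H, r2, P) % P
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))   # blinding values
    t1 = pow(G, rb, P) * pow(H, ra, P) % P                   # for C1's equation
    t2 = pow(G, 2 * rb, P) * pow(H, rg, P) % P               # for C2's equation
    c = _hash(c1, c2, t1, t2)
    # one response per secret; beta's response is shared by both equations
    sb, sa, sg = (rb - c * m) % Q, (ra - c * r1) % Q, (rg - c * r2) % Q
    return (c1, c2), (c, sb, sa, sg)


def verify_double(c1, c2, proof):
    """Verifier side: rebuild t1, t2 from the responses and re-hash."""
    c, sb, sa, sg = proof
    t1 = pow(G, sb, P) * pow(H, sa, P) * pow(c1, c, P) % P
    t2 = pow(G, 2 * sb, P) * pow(H, sg, P) * pow(c2, c, P) % P
    return c == _hash(c1, c2, t1, t2)


def forged_relation(m, r1, r2):
    """Constructed negative case: C2 commits to 2m + 1, so the relation is
    false and the honestly computed proof must be rejected."""
    (c1, _), proof = prove_double(m, r1, r2)
    bad_c2 = pow(G, 2 * m + 1, P) * pow(H, r2, P) % P
    return c1, bad_c2, proof
```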
putting things together
Realizing Pseudonyms and Key Binding
Let G = ⟨g⟩ = ⟨h⟩ of order q.
User's secret key: random sk ∈ Z_q.
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs
Like PKI, but better: issuing a credential
(Diagram: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, into a credential.)
Concept: credentials
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives a commitment to the hidden messages m1, ..., mj together with the clear messages (mj+1, ..., mk), and outputs σ = sig((commitment to m1, ..., mj, mj+1, ..., mk), signing key).
Verification remains unchanged: ver(σ, (m1, ..., mk), verification key) = true.
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about m1, ..., mj
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d.
1. The user chooses random s' and computes C = a1^sk b^{s'}. She sends C and her name to the issuer together with a proof of knowledge of the committed values:
   PK{(μ1, σ'): C = a1^μ1 b^{σ'}}
2. The issuer chooses a random prime e and random s'', computes
   c = (d / (C a2^name b^{s''}))^{1/e} mod n
   and returns (c, e, s'') to the user.
3. The user sets s = s'' + s'. Then
   d = c^e a1^sk a2^name b^{s'' + s'} (mod n),
   i.e. (c, e, s) is a signature on (sk, name).
Variant: want to sign w.r.t. the pseudonym Nym = g^sk h^r.
- The user computes Nym = g^sk h^r and C = a1^sk a2^r b^{s'} and proves
  PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^{σ'}}
- The issuer stores (Nym, name), computes c = (d / (C a3^name b^{s''}))^{1/e} mod n and returns (c, e, s'').
- Then d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n).
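The CL signature of the earlier slides (signing, verification, re-randomisation c' = c·b^t) together with the issuance flow just described (the user commits to sk in C, the issuer signs C and the clear attribute), as an added Python example that is not from the slides or the Identity Mixer code; the modulus, ℓ = 4 and all key material are constructed toy values, and the proof of knowledge the user sends alongside C is omitted.

```python
# Added example (not from the slides): a toy CL signature (c, e, s) with
# d = c^e a1^m1 a2^m2 b^s mod n, its verification, the re-randomisation
# c' = c b^t, s' = s - e t used when proving knowledge of a signature, and
# the issuance flow where the user hides sk inside C = a1^sk b^s' and the
# issuer signs C together with the clear attribute.
# Toy parameters (tiny primes, ell = 4 bits), NOT secure sizes.
import math
import secrets

ELL = 4                                   # message length in bits
E_LOW, E_HIGH = 2 ** (ELL + 1), 2 ** (ELL + 2)


def keygen(p, q):
    """Issuer key: n = pq; a1, a2, b, d random quadratic residues mod n."""
    n = p * q

    def qr():
        while True:
            x = secrets.randbelow(n - 3) + 2          # 2 .. n-2
            if math.gcd(x, n) == 1 and x * x % n != 1:
                return x * x % n
    return {"n": n, "a": [qr(), qr()], "b": qr(), "d": qr()}, {"phi": (p - 1) * (q - 1)}


def random_prime_e(phi):
    """Random prime e with 2^(ell+1) < e < 2^(ell+2), invertible mod phi(n)."""
    while True:
        e = secrets.randbelow(E_HIGH - E_LOW - 1) + E_LOW + 1
        if all(e % k for k in range(2, int(e ** 0.5) + 1)) and math.gcd(e, phi) == 1:
            return e


def _product(pk, msgs, s):
    """a1^m1 a2^m2 b^s mod n (a negative s is handled via the modular inverse)."""
    n = pk["n"]
    acc = pow(pk["b"], s, n)
    for a, m in zip(pk["a"], msgs):
        acc = acc * pow(a, m, n) % n
    return acc


def verify(pk, msgs, sig):
    """Check message length, the bound on e, and d = c^e a1^m1 a2^m2 b^s."""
    c, e, s = sig
    if any(not 0 <= m < 2 ** ELL for m in msgs) or e <= E_LOW:
        return False
    return pk["d"] == pow(c, e, pk["n"]) * _product(pk, msgs, s) % pk["n"]


def sign(pk, sk, msgs):
    """Issuer signs clear messages: c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n."""
    n = pk["n"]
    e, s = random_prime_e(sk["phi"]), secrets.randbelow(n)
    target = pk["d"] * pow(_product(pk, msgs, s), -1, n) % n
    return pow(target, pow(e, -1, sk["phi"]), n), e, s


def randomize(pk, sig):
    """Fresh-looking signature on the same messages: c' = c b^t, s' = s - e t."""
    c, e, s = sig
    t = secrets.randbelow(pk["n"])
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


# --- issuance with a hidden first message (the user's secret key) ---
def user_commit(pk, sk_user):
    """User: C = a1^sk b^s' (sent to the issuer together with a proof of
    knowledge of sk and s', which is omitted in this example)."""
    n, s1 = pk["n"], secrets.randbelow(pk["n"])
    return pow(pk["a"][0], sk_user, n) * pow(pk["b"], s1, n) % n, s1


def issue_on_commitment(pk, sk, C, attr):
    """Issuer: c = (d / (C a2^attr b^s''))^(1/e) mod n, returns (c, e, s'')."""
    n = pk["n"]
    e, s2 = random_prime_e(sk["phi"]), secrets.randbelow(n)
    blob = C * pow(pk["a"][1], attr, n) * pow(pk["b"], s2, n) % n
    return pow(pk["d"] * pow(blob, -1, n) % n, pow(e, -1, sk["phi"]), n), e, s2


def user_finish(partial, s1):
    """User: s = s' + s'' gives a full signature (c, e, s) on (sk, attr)."""
    c, e, s2 = partial
    return c, e, s1 + s2
```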
An Example Scenario
Polling Scenario and Requirements
Scenario:
- pollster(s) and a number of users
- only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- a user can voice an opinion only once (subsequent attempts are dropped)
- users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a1^sk a2^r a3^attr b^s (mod n)
  under the issuer's public key (n, a1, a2, a3, b, d).
- The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID.
2. The user transforms her credential.
3. The user sends the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk.
   P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms her credential:
   - c' = c · b^{s'} mod n with randomly chosen s'
   - SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
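Domain pseudonyms and the pollster's duplicate check from the two polling slides, as an added Python example not from the slides; the hash-to-group construction (squaring the SHA-256 output in a constructed toy group), the poll identifiers and the secret keys are constructed, and the credential proof SPK is assumed to be verified separately.

```python
# Added example (not from the slides): domain pseudonyms P = H(pollID)^sk as
# in the polling solution, and the pollster-side check that relies on them:
# a second opinion under the same pseudonym in the same poll is dropped,
# while the pseudonyms of one user in different polls cannot be linked.
# Toy group, NOT secure sizes.
import hashlib

P = 10007                 # prime modulus, P = 2*Q + 1
Q = 5003                  # prime order of the subgroup of quadratic residues


def hash_to_group(domain):
    """g_d = H(domain) mapped into the order-Q subgroup by squaring; the
    discrete logarithm of g_d w.r.t. any other generator stays unknown."""
    digest = hashlib.sha256(domain.encode()).digest()
    while True:
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g not in (0, 1):
            return g
        digest = hashlib.sha256(digest).digest()   # re-hash on a degenerate value


def domain_pseudonym(sk, poll_id):
    """User side: P = H(pollID)^sk, deterministic per (user, poll)."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Verifier side: one opinion per pseudonym per poll (the eligibility
    proof via the credential SPK is assumed to have been checked already)."""

    def __init__(self):
        self.seen = {}            # poll_id -> {pseudonym: opinion}

    def submit(self, poll_id, pseudonym, opinion):
        """Returns True if accepted, False if this pseudonym already voted."""
        votes = self.seen.setdefault(poll_id, {})
        if pseudonym in votes:
            return False          # subsequent attempt: dropped
        votes[pseudonym] = opinion
        return True

    def tally(self, poll_id):
        return sorted(self.seen.get(poll_id, {}).values())
```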
Further Concepts
Concept – Inspection
(Diagram: a trusted third party (TTP) with inspector parameters and inspection grounds.)
- If the car is damaged, the ID needs to be retrievable with the insurance or the government.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes, the ciphertext reveals no information about the message. Even when the adversary picks two messages and receives the encryption of one of them, it cannot tell which one was encrypted. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
- of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group G = ⟨g⟩ of order q.
Secret key: x ∈ {1, ..., q}. Public key: y = g^x.
To encrypt a message m ∈ ⟨g⟩:
- choose random r ∈ {1, ..., q}
- compute c = (y^r · m, g^r)
To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r · m, g^r) = (g^{xr} · m, g^r)
- thus set m = c1 · c2^{−x} = y^r · m · g^{−xr} = y^r · m · y^{−r} = m
Realizing Inspection
User: Nym = g^sk h^r and credential d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n).
Inspector's public key: y = g^x.
Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u · Nym, g^u) = (e1, e2).
Compute the proof token (presentation token):
- compute c' = c · b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
Anonymous Credential Revocation
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user, ...
(Diagram: the issuer publishes revocation information; the verifier looks it up.)
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n).
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk).
Alice proves that her u_i is on the list:
- choose random g'
- compute U_j = g'^{u_j} for each u_j in (u1, ..., uk)
- prove PK{(ε, μ, ρ, σ): (d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g'^μ) ∨ ... ∨ (d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g'^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n).
Publish the list of all invalid u_i's: (u1, ..., uk).
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
- the verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_j = h^{u_j} → a single table lookup.
- BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution
... better implementation of the proof
The issuer signs the intervals between revoked IDs: for revocation list {1, 4, 5} it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N).
Alice proves that her credential contains u and that she has Sig(i, j) where i < u < j (in the picture u = 3 lies in the interval (1, 4)).
The verifier does not learn i, j.
Sig(i, j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
(Diagram: serial numbers 1, 2, 3, 4, 5, 6 are accumulated; the proof that 2 is included requires a witness.)
- Credentials contain a random serial number.
- The issuer accumulates all good serial numbers.
- Alice proves that her credential contains a serial number that is included in the accumulator; the proof requires a witness.
- To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
- values are primes e_i
- accumulator value z = v^{∏ e_i} mod n
- publish z and n
- the witness value x for e_j such that z = x^{e_j} mod n can be computed as x = v^{e1 ··· e_{j−1} · e_{j+1} ··· ek} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it is hard to show (x, e) such that z = x^e mod n for an e that is not contained in the accumulator.
- For fixed e: equivalent to the RSA assumption.
- Any e: equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an e, and each user gets a witness x with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to x:
  - choose random s and g, and
  - compute U1 = x · h^s, U2 = g^s and reveal U1, U2, g
- Run the proof protocol with the verifier: PK{(ε, μ, ρ, σ, ξ, δ):
  d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n)
  ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
- No information about x and e is revealed:
  - (U1, U2) is a secure commitment to x
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 · h^{−δ})^μ (mod n), i.e. U1 · h^{−δ} is a witness for μ
  c) d = c'^ε a1^ρ a2^μ b^σ (mod n), i.e. the same μ is contained in the certificate
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
- recall z = v^{∏ e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
- now z' = v^{∏_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- witness update:
  - use the extended Euclidean algorithm to compute a and b such that a·e_own + b·e_rev = 1
  - now x' = x^b · z'^a mod n
  - why: x'^{e_own} = x^{b·e_own} · z'^{a·e_own} = z^b · z'^{a·e_own} = z'^{b·e_rev} · z'^{a·e_own} = z'^{a·e_own + b·e_rev} = z' mod n :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{∏ e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- thus z needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
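The RSA accumulator of the third solution with witness generation, addition and the extended-Euclid witness update on revocation, as an added Python example not from the slides; the modulus, the seed and the prime serial numbers are constructed toy values.

```python
# Added example (not from the slides): the RSA accumulator of the third
# revocation solution with membership witnesses, adding a value (all witnesses
# updated as x' = x^e_new) and revoking a value (witness update via the
# extended Euclidean algorithm, without knowing the factorisation of n).
# Toy modulus, NOT a secure size.
import math

N = 1019 * 1523            # RSA modulus n = p*q (constructed toy value)
V = 4                      # public seed value v


def accumulate(values):
    """z = v^(prod e_i) mod n for pairwise distinct primes e_i."""
    return pow(V, math.prod(values), N)


def witness(values, e):
    """x for e such that z = x^e: v raised to the product of all other exponents."""
    others = math.prod(v for v in values if v != e)
    return pow(V, others, N)


def check(z, e, x):
    """Verifier's membership check: z == x^e mod n."""
    return z == pow(x, e, N)


def add(z, x, e_new):
    """New member e_new: z' = z^e_new; every existing witness x' = x^e_new."""
    return pow(z, e_new, N), pow(x, e_new, N)


def ext_gcd(u, w):
    """Returns (g, a, b) with a*u + b*w = g = gcd(u, w)."""
    if w == 0:
        return u, 1, 0
    g, a1, b1 = ext_gcd(w, u % w)
    return g, b1, a1 - (u // w) * b1


def revoke(values, x, e_own, e_rev):
    """Remove e_rev. The issuer publishes z' = v^(prod over the remaining
    values); a user holding witness x for e_own updates it as
    x' = x^b * z'^a with a*e_own + b*e_rev = 1, so that x'^e_own = z'."""
    remaining = [v for v in values if v != e_rev]
    z_new = accumulate(remaining)
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "accumulated values must be distinct primes"
    x_new = pow(x, b, N) * pow(z_new, a, N) % N   # negative exponents: inverses mod n
    return z_new, x_new
```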
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Re-issue certificates (off-line – interaction might be too expensive). Recall issuing for Identity Mixer:
- the user sends U = a1^m1 a2^m2 b^{s'}
- the issuer chooses e, s'' and computes c = (d / (U a3^m3 a4^time b^{s''}))^{1/e} mod n, returning (c, e, s'')
Idea: just repeat the last step for each new time period time_i:
- choose e_i, s_i'' and compute c_i = (d / (U a3^m3 a4^{time_i} b^{s_i''}))^{1/e_i} mod n
- the update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap:
- explain possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society:
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
- Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
- Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. In Communications of the ACM, Vol. 28, No. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Watching the movie with the traditional solution
Alice presents her eID and her customer card to the Movie Streaming Service, which learns:
- "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH-8003 Zurich, married, expires Aug 4, 2018"
- "Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
This is a privacy and security problem:
- identity theft
- profiling
- discrimination
With OpenID and similar solutions, e.g. log-in with Facebook:
- the Movie Streaming Service learns: "Aha, you are Alice@facebook.com, born on Dec 12, 1975, Alice's friends are ..., Alice's public profile is ..., Mplex customer 1029347, Premium Subscription, expires Jan 13, 2016"
- and the identity provider learns: "Aha, Alice is watching a 12+ movie"
Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
Privacy-protecting authentication with IBM Identity Mixer
Like PKI, but better: one secret identity (secret key), many public pseudonyms (public keys).
Like PKI, but better: issuing a credential
(Diagram: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997, into a credential.)
Privacy-protecting authentication with IBM Identity Mixer
Alice: "I wish to see Alice in Wonderland."
Movie Streaming Service: "You need a subscription and must be older than 12."
Like PKI, but does not send the credential, only a minimal disclosure: Alice proves
- a valid subscription
- an eID with age ≥ 12
The Movie Streaming Service checks the proof with the public verification key of the issuer and learns: "Aha, you are older than 12 and have a subscription."
Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)
Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
(Diagram: a trusted third party (TTP) holds the inspection key.)
- If the car is damaged, the ID needs to be retrievable with the insurance or the government.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Concept – Revocation
(Diagram: revocation authority parameters (public key) and revocation info.)
- If Alice was speeding, the license needs to be revoked.
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries & proof
  - limited validity – certs need to be updated
- For proving age, a revoked driver's license still works.
Concept – Usage Limitation
- The degree of anonymity can be limited: if Alice and Eve are on-line at the same time, they are caught.
- Use limitation – anonymous until Alice used certs > 100 times total, or > 10,000 times with Bob.
- Alice's cert can be bound to a hardware token (e.g. TPM).
A couple of use cases
Age verification
- movie streaming services
- gaming industry
- online gambling platforms
- dating websites
- social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.
Healthcare
- anonymous access to patients' records: accessing medical test results
- anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
- patent databases
- DNA databases
- news/journals/magazines
- transportation tickets, toll roads
- loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Polls, recommendation platforms
- online polls – applying different restrictions on the poll participants: location, citizenship
- rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer (figure)
Three layers on each side, with a resource request, a presentation policy and a presentation token exchanged between user and verifier:
- application layer: Wallet (user side); AC & app logic (verifier side)
- policy layer: policy–credential matcher, credential manager and store, evidence generation orchestration (user side); policy–token matcher, token manager and store, evidence verification orchestration (verifier side)
- crypto layer: Sig, Enc, Com, ZKP (signatures, encryption, commitments, zero-knowledge proofs) with a key/credential store
Privacy-protecting authentication with Privacy ABCs (figure)
Parties and artefacts: User and Verifier; issuer parameters and credential specification on the issuer side; the user's credential and pseudonym; the verifier parameters. The verifier sends a presentation policy (e.g. "12 < age"), the user answers with a presentation token.

The Policy Layer – An Example Presentation policy

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Three moves: Commitment → Challenge → Response
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group <g> and an element y ∈ <g>, the prover wants to convince the verifier that she knows x such that y = g^x, such that the verifier only learns y and g.

  Prover (knows x)                       Verifier
  random r, t = g^r         ── t ──>
                            <── c ──     random c
  s = r − c·x               ── s ──>     check t = g^s · y^c

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Proof of Knowledge
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rewind the prover after its commitment t and run it twice with challenges c ≠ c', obtaining transcripts (t, c, s) and (t, c', s'):
  t = g^s y^c = g^{s'} y^{c'}  →  y^{c − c'} = g^{s' − s}
  →  y = g^{(s' − s)/(c − c')}
  →  x = (s' − s)/(c − c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees", i.e. transcripts (t, c, s), without knowing x:
- choose random c', s' and compute t = g^{s'} y^{c'}
- send t; if the verifier's challenge c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
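The three-move protocol, the rewinding extractor and the simulator from the slides above, as an added Python example (not code from the slides or from Identity Mixer). It assumes a constructed toy group, p = 1019, q = 509, g = 4 (p = 2q + 1, g of order q), chosen so that every value can be checked by hand; the class and function names are the example's own.

```python
import secrets

# Toy parameters, constructed for this example (not from the slides):
# p = 2q + 1 with p = 1019 and q = 509 prime, and g = 4 generates the
# order-q subgroup of Z_p^*.  Real deployments use 2048-bit groups or curves.
P, Q, G = 1019, 509, 4


class Prover:
    """Holds x with y = g^x and runs the three moves of the protocol."""

    def __init__(self, x):
        self.x = x % Q
        self.y = pow(G, self.x, P)

    def commit(self):
        self.r = secrets.randbelow(Q)        # random r
        return pow(G, self.r, P)             # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q     # s = r - c*x (mod q)


def verify(y, t, c, s):
    """Verifier's check: t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(prover):
    """One honest execution: commitment, random challenge, response."""
    t = prover.commit()
    c = secrets.randbelow(Q)                 # verifier's random challenge
    s = prover.respond(c)
    return verify(prover.y, t, c, s)


def extract(prover, c1, c2):
    """Knowledge extractor: treat the prover as a black box, reset it to the
    same commitment t and ask two different challenges.  From
    t = g^s1 y^c1 = g^s2 y^c2 we get y^(c1-c2) = g^(s2-s1), hence
    x = (s2 - s1) / (c1 - c2) mod q."""
    t = prover.commit()
    s1 = prover.respond(c1)
    s2 = prover.respond(c2)                  # rerun with the same r
    assert verify(prover.y, t, c1, s1) and verify(prover.y, t, c2, s2)
    inv = pow((c1 - c2) % Q, -1, Q)          # needs c1 != c2 (mod q)
    return (s2 - s1) * inv % Q


def simulate(y):
    """Zero-knowledge simulator: knowing only y, choose c and s first and set
    t = g^s y^c.  The triple verifies and is distributed exactly like a real
    transcript, which is why the verifier learns nothing about x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, c, P) % P
    return t, c, s


if __name__ == "__main__":
    alice = Prover(123)
    print("honest run accepted:", run_protocol(alice))
    print("extracted x:", extract(alice, 7, 42))
    t, c, s = simulate(alice.y)
    print("simulated transcript accepted:", verify(alice.y, t, c, s))
```

The extractor only works because the black-box prover is reset to the same r; a prover that could be rewound and still hide x would contradict the derivation on the slide, which is exactly the soundness argument.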
One way to modify the protocol to get a large domain for c: the verifier commits to its challenge first.

  Prover (knows x)                        Verifier
                             <── h ──     random c_v, h = H(c_v)
  random r, t = g^r          ── t ──>
                             <── c_v ──   open the challenge
  check h = H(c_v)
  s = r − c_v·x              ── s ──>     check t = g^s · y^{c_v}

Notation: PK{(α): y = g^α}

Zero-Knowledge Proofs: Security – simulator for the modified protocol
- receive h; choose random c', s', compute t = g^{s'} y^{c'} and send t
- after having received c_v, "reboot" the verifier (it recommits to the same c_v with the same h)
- now choose random s, compute t = g^s y^{c_v}, send t, receive c_v again and send s
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q and compute c = H(g^r || m) = H(t || m), s = r − c·x mod q
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s y^c || m)  ↔  t = g^s y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature notation: SPK{(α): y = g^α}(m)
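The signature obtained from the protocol via the Fiat–Shamir transformation, as an added Python example (not code from the slides or from Identity Mixer). It reuses the constructed toy group p = 1019, q = 509, g = 4 and takes SHA-256 in the role of the random oracle H; all function names are the example's own.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 1019, q = 509, g = 4 of order q.
P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1         # secret key x
    return x, pow(G, x, P)                   # public key y = g^x


def challenge(t, m):
    """c = H(t || m) mapped into Z_q; SHA-256 plays the random oracle."""
    digest = hashlib.sha256(str(t).encode() + b"||" + m).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): the verifier's random challenge of the
    interactive protocol is replaced by the hash of t and the message."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)                         # t = g^r
    c = challenge(t, m)                      # c = H(t || m)
    s = (r - c * x) % Q                      # s = r - c*x mod q
    return c, s


def verify(y, m, signature):
    """Recompute t = g^s y^c from the signature and check c = H(t || m)."""
    c, s = signature
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == challenge(t, m)


if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, b"I am older than 12")
    print("valid:", verify(y, b"I am older than 12", sig))
    print("other message:", verify(y, b"I am older than 21", sig))
```

The only difference to the interactive proof is where c comes from: because the message is hashed together with t, a signature on one message is not a valid proof for another, which is what makes SPK{(α): y = g^α}(m) a signature and not just a proof.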
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat–Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = ĝ^α ∧ α ∈ [0, min(ord(g), ord(ĝ))]}  (ĝ generating a group of different order)
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} g^{α_2} h^{β_3}} mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = g^{α_1} g^{α_2} h^{β_3} = g^{α_1 + α_2} h^{β_3} = g^{α_3} h^{β_3}
→ α_3 = α_1 + α_2 (mod q)
And what about PK{(α_1, …, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3}}?
→ C_3 = g^{α_1} g^{5 α_2} h^{β_3} = g^{α_1 + 5 α_2} h^{β_3}
→ α_3 = α_1 + 5 α_2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, …, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = C_2^{α_1} h^{β_3'}} mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3' such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = C_2^{α_1} h^{β_3'} = (g^{α_2} h^{β_2})^{α_1} h^{β_3'} = g^{α_2·α_1} h^{β_3' + β_2·α_1}
  C_3 = g^{α_2·α_1} h^{β_3' + β_2·α_1} = g^{α_3} h^{β_3}
→ α_3 = α_1 · α_2 (mod q)
And what about PK{(α_1, β_1, β_2'): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_2 = C_1^{α_1} h^{β_2'}}?
→ α_2 = α_1^2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, β_2'): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ g = (C_2/C_1)^{α_1} h^{β_2'}} mean?
→ The prover knows values α_1, β_1, β_2' such that
  C_1 = g^{α_1} h^{β_1}
  g = (C_2/C_1)^{α_1} h^{β_2'} = (C_2 g^{−α_1} h^{−β_1})^{α_1} h^{β_2'}
→ g^{1/α_1} = C_2 g^{−α_1} h^{−β_1} h^{β_2'/α_1}
→ C_2 = g^{α_1} h^{β_1} h^{−β_2'/α_1} g^{1/α_1} = g^{α_1 + 1/α_1} h^{β_1 − β_2'/α_1}
  C_2 = g^{α_2} h^{β_2}
→ α_2 = α_1 + α_1^{−1} (mod q)
Privacy-protecting authentication with Privacy ABCs (figure): Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.

Signature Schemes

Signature Scheme Functionality
- Key generation: the signer obtains a signing key and a public verification key
- Signing: σ = sig((m_1, …, m_k)) on a block of messages
- Verification: ver(σ, (m_1, …, m_k)) = true

Signature Scheme Security: Unforgeability under Adaptive Chosen Message Attack
The adversary adaptively asks for signatures σ_1, …, σ_l on messages m_1, …, m_l of its choice and must then output a signature σ and a message m ≠ m_i such that ver(σ, m) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ.
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n.
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n).

Wanna do a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}?
But this is not a valid proof expression :-( (H(m) is not an algebraic function of the secret m, so the relation cannot be proven with the discrete-logarithm techniques above)
CL-Signature Scheme
Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: the factors of n
To sign k messages m_1, …, m_k ∈ {0,1}^ℓ:
- choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, and compute
  c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n
- the signature is (c, e, s)
To verify a signature (c, e, s) on messages m_1, …, m_k:
- m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a_1^{m_1} a_2^{m_2} b^s mod n.
Observe: let c' = c b^t mod n with randomly chosen t. Then d = c'^e a_1^{m_1} a_2^{m_2} b^{s − et} (mod n), i.e. (c', e, s' = s − et) is also a signature on m_1 and m_2.
To prove knowledge of a signature (c', e, s') on m_2 and some m_1: provide c' and
  PK{(ε, μ_1, σ): d / a_2^{m_2} = c'^ε a_1^{μ_1} b^σ ∧ μ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a_1^{μ_1} a_2^{m_2} b^σ
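The CL-signature on two messages, its verification, the re-randomization c' = c b^t and the proof of knowledge of a signature with m_2 disclosed, as an added Python example (not code from the slides or from Identity Mixer). It assumes a constructed toy modulus n = (2^31 − 1)(2^61 − 1) and ℓ = 16, a 64-bit Fiat–Shamir challenge, and leaves out the interval parts (μ_1 ∈ {0,1}^ℓ, ε > 2^{ℓ+1}) of the proof; the responses are plain integers since the prover does not know the order of QR_n. All names are the example's own.

```python
import hashlib
import math
import secrets

# Toy setup, constructed for this example.  n is the product of the Mersenne
# primes 2^31-1 and 2^61-1: p-1 and q-1 have only small prime factors, so
# every prime e > 2^(l+1) chosen below is coprime to phi(n).  (Real CL keys
# use a ~2048-bit modulus of two safe primes.)  a_i, b, d are squares, i.e.
# elements of QR_n.
P_, Q_ = 2**31 - 1, 2**61 - 1
N, PHI = P_ * Q_, (P_ - 1) * (Q_ - 1)
L = 16                                       # message length in bits
A = [pow(3, 2, N), pow(5, 2, N)]             # a_1, a_2 (two message slots)
B, D = pow(7, 2, N), pow(11, 2, N)
CHAL = 2**64                                 # challenge space for the SPK


def is_prime(x):
    return x > 1 and all(x % f for f in range(2, math.isqrt(x) + 1))


def random_prime_e():
    """Prime e with 2^(l+1) < e < 2^(l+2)."""
    while True:
        e = 2**(L + 1) + 1 + secrets.randbelow(2**(L + 1) - 1)
        if is_prime(e):
            return e


def prod_a(msgs):
    out = 1
    for a_i, m_i in zip(A, msgs):
        out = out * pow(a_i, m_i, N) % N
    return out


def sign(msgs):
    """(c, e, s) with c = (d / (a_1^m_1 a_2^m_2 b^s))^(1/e) mod n; the e-th
    root needs 1/e mod phi(n), i.e. the factorization only the signer has."""
    e, s = random_prime_e(), secrets.randbelow(N)
    base = D * pow(prod_a(msgs) * pow(B, s, N) % N, -1, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s


def verify(msgs, sig):
    """Check d = c^e a_1^m_1 a_2^m_2 b^s mod n, m_i in {0,1}^l, e > 2^(l+1)."""
    c, e, s = sig
    sizes_ok = all(0 <= m < 2**L for m in msgs) and e > 2**(L + 1)
    return sizes_ok and D == pow(c, e, N) * prod_a(msgs) % N * pow(B, s, N) % N


def rerandomize(sig):
    """c' = c b^t, s' = s - e t is another signature on the same messages,
    so each showing can present a fresh c' instead of the issued c."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t


def fs_challenge(c, m2, t):
    digest = hashlib.sha256(f"{c}|{m2}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % CHAL


def prove_signature(sig, m1, m2):
    """SPK{(eps, mu1, sigma): d a_2^(-m2) = c'^eps a_1^mu1 b^sigma}: m2 is
    disclosed, m1 and (e, s') stay hidden.  Responses are integers (the
    group order is unknown to the prover); the randomizers are ~80 bits
    larger than challenge*secret so that the secrets stay statistically
    hidden.  The interval checks from the slide are omitted here."""
    c, e, s = rerandomize(sig)
    bases, wit = [c, A[0], B], [e, m1, s]
    rnd = [secrets.randbelow(2**(abs(w).bit_length() + 64 + 80)) for w in wit]
    t = 1
    for base, r in zip(bases, rnd):
        t = t * pow(base, r, N) % N
    ch = fs_challenge(c, m2, t)
    return c, t, [r + ch * w for r, w in zip(rnd, wit)]


def verify_signature_proof(m2, proof):
    """Check c'^s_eps a_1^s_mu b^s_sigma = t * (d a_2^(-m2))^ch mod n."""
    c, t, resp = proof
    ch = fs_challenge(c, m2, t)
    lhs = 1
    for base, r in zip([c, A[0], B], resp):
        lhs = lhs * pow(base, r, N) % N
    target = D * pow(A[1], -m2, N) % N
    return lhs == t * pow(target, ch, N) % N
```

Usage: `sig = sign([1234, 42])`, then `verify_signature_proof(42, prove_signature(sig, 1234, 42))` accepts while the verifier sees neither c, e, s nor m_1; two proofs from the same credential show different c' values and are therefore not linkable through the signature.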
Privacy-protecting authentication with Privacy ABCs (figure): Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.

Commitment Schemes

Commitment Scheme Functionality (figure): the committer locks a message m into a commitment, sends it, and later opens it so that the receiver learns m.
Commitment Scheme Security (figures):
- Binding: a commitment to m cannot be opened to a different message m'.
- Hiding: for all messages m, m', the commitments to m and to m' are indistinguishable for the receiver.
Commitment Schemes
Group G = <g> = <h> of order q.
To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
- reveal x and r to the verifier
- the verifier checks whether c = g^x h^r

Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r.
Perfectly hiding: let c be a commitment and u = log_g h. Thus c = g^x h^r = g^{x+ur} = g^{(x+ur) + u(r'−r')} = g^{x+ur'} h^{r−r'} for any r'. I.e., given c and any x', there exists r' such that c = g^{x'} h^{r'}.
Computationally binding: let c, (x, r) and (x', r') with c = g^x h^r = g^{x'} h^{r'}. Then g^{x−x'} = h^{r'−r} and u = log_g h = (x−x')/(r'−r) mod q.
Commitment Scheme Extended Features (figures)
- Proof of knowledge of contents: the committer proves knowledge of the m inside a commitment (the verifier outputs "true")
- Proof of relations among contents: e.g. proving m' = 2·m for two commitments without opening them
Let C_1 = g^m h^r and C_2 = g^{m'} h^{r'}; then
  PK{(α, β): C_1 = g^β h^α}
  PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ}
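Pedersen commitments, a proof of knowledge of their contents and proofs of relations among contents (the α_3 = α_1 + α_2 analysis from the "Some Example Proofs" slides and the m' = 2m feature above), as an added Python example (not code from the slides or from Identity Mixer). It assumes the constructed toy group p = 1019, q = 509, g = 4, h = 9; the generic `prove`/`verify` pair is the example's own Fiat–Shamir AND-composition, and `equivocate` uses the toy size to brute-force log_g h and show why binding is only computational.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 1019, q = 509, g = 4 and
# h = 9 both of order q.  Binding needs log_g(h) to be unknown; in practice
# h is derived by hashing, here the toy size lets us compute it to show why.
P, Q, G, H = 1019, 509, 4, 9


def commit(x, r):
    """Pedersen commitment c = g^x h^r."""
    return pow(G, x, P) * pow(H, r, P) % P


def challenge(statements, ts):
    data = repr(statements).encode() + repr(ts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(statements, witness):
    """Fiat-Shamir AND-proof.  Each statement is (target, [(base, i), ...])
    and claims target = prod base^witness[i]; a variable index shared by two
    statements is what expresses a relation between committed values."""
    rnd = [secrets.randbelow(Q) for _ in witness]
    ts = []
    for _, terms in statements:
        t = 1
        for base, i in terms:
            t = t * pow(base, rnd[i], P) % P
        ts.append(t)
    c = challenge(statements, ts)
    s = [(rnd[i] - c * w) % Q for i, w in enumerate(witness)]
    return c, s


def verify(statements, proof):
    """Recompute every t as target^c * prod base^s_i and re-hash."""
    c, s = proof
    ts = []
    for target, terms in statements:
        t = pow(target, c, P)
        for base, i in terms:
            t = t * pow(base, s[i], P) % P
        ts.append(t)
    return c == challenge(statements, ts)


def sum_relation(a1, b1, a2, b2, b3):
    """First example proof from the slides: C3 = g^a1 g^a2 h^b3 reuses the
    variables of C1 and C2, so a valid proof implies a3 = a1 + a2 (mod q)."""
    c1, c2, c3 = commit(a1, b1), commit(a2, b2), commit(a1 + a2, b3)
    statements = [(c1, [(G, 0), (H, 1)]),
                  (c2, [(G, 2), (H, 3)]),
                  (c3, [(G, 0), (G, 2), (H, 4)])]
    return statements, prove(statements, [a1, b1, a2, b2, b3])


def double_relation(m, r, r2):
    """Extended feature: C = g^m h^r and C' = (g^2)^m h^r2 share the
    variable m, proving m' = 2m without opening either commitment."""
    c, c2 = commit(m, r), pow(G, 2 * m, P) * pow(H, r2, P) % P
    statements = [(c, [(G, 0), (H, 1)]), (c2, [(pow(G, 2, P), 0), (H, 2)])]
    return statements, prove(statements, [m, r, r2])


def equivocate(x, r, x2):
    """Why binding is only computational: with u = log_g h (brute-forced
    here, infeasible in a real group) the committer can open c = g^x h^r
    as any x2 using r2 = r + (x - x2)/u mod q."""
    u = next(k for k in range(1, Q) if pow(G, k, P) == H)
    r2 = (r + (x - x2) * pow(u, -1, Q)) % Q
    return r2, commit(x2, r2) == commit(x, r)
```

The statement list is the textual PK{...} expression made explicit: the proof of knowledge of contents is the one-statement case `[(C1, [(G, 0), (H, 1)])]`, and every relation on the slides (sum, scaled sum, product via C_2^{α_1}) is expressed by which statements share a witness index.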
Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q.
User's secret key: random sk ∈ Z_q.
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} h^r

Like PKI, but better: issuing a credential (figure) – privacy-protecting authentication with Privacy ABCs, concept "credentials": Name = Alice Doe, Birth date = April 3, 1997

Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m_1, …, m_k:
- m_1, …, m_k ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
  → d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages (figure)
The user commits to m_1, …, m_j and sends the commitment together with the clear messages m_{j+1}, …, m_k; the signer returns σ = sig((commitment, m_{j+1}, …, m_k)) and the user ends up with a signature such that ver(σ, (m_1, …, m_k)) = true.
Verification remains unchanged. The security requirements are basically the same as for signatures, but
- the signer should not learn any information about m_1, …, m_j
- forgery is w.r.t. the clear message parts and the openings of the commitments

Realizing Issuance of Credential (issuer public key n, a_i, b, d)
1. The user computes C = a_1^{sk} b^s and sends C together with her name.
2. The user proves PK{(μ_1, σ): C = a_1^{μ_1} b^σ}.
3. The issuer chooses e, s'' and computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n; it returns (c, e, s'').
4. The user now holds d = c^e a_1^{sk} a_2^{name} b^{s'' + s} (mod n), i.e. a signature (c, e, s'' + s).

Realizing Issuance of Credential w.r.t. a pseudonym: want to sign w.r.t. Nym = g^{sk} h^r
1. The user computes Nym = g^{sk} h^r and C = a_1^{sk} a_2^r b^s and sends C, Nym and her name.
2. The user proves PK{(μ_1, ρ, σ): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^σ}.
3. The issuer stores (Nym, name), computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n and returns (c, e, s'').
4. The user now holds d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s} (mod n).
An Example Scenario

Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous; a user's opinions in different polls must not be linkable

Polling – Solution: Registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n) under the issuer key (n, a_1, a_2, a_3, b, d)
- The credential can contain attributes (e.g. course ID) about her

Polling – Solution: Submit Poll
1. The user generates a domain pseudonym with domain = pollID
2. The user transforms the credential
3. The user shows the transformed credential with a subset of the attributes
- The user is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}; P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie–Hellman assumption)
2. The user transforms the credential: c' = c b^{s'} mod n with randomly chosen s', and submits the opinion with
   SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
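The domain pseudonym P = H(pollID)^{sk} and the pollster's duplicate detection from the scenario, as an added Python example (not code from the slides or from Identity Mixer). It assumes the constructed toy group p = 1019, q = 509 and a hash-to-group via the cofactor (p−1)/q, so that H(pollID) is a subgroup element whose discrete logarithm nobody knows; the credential proof (the SPK above) is assumed to have been checked separately, and all names are the example's own.

```python
import hashlib

# Toy group, constructed for this example: p = 1019, q = 509 (cofactor 2).
P, Q = 1019, 509


def hash_to_group(domain):
    """H(pollID): map the poll identifier to an element of the order-q
    subgroup whose discrete log to any fixed base is unknown.  Hash into
    Z_p, raise to the cofactor (p-1)/q, and retry if the result is 0 or 1.
    (Deriving H(pollID) as g^k with known k would make pseudonyms linkable.)"""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, (P - 1) // Q, P)
        if g_d not in (0, 1):
            return g_d
        counter += 1


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: fixed per (user, poll), unlinkable across polls
    under DDH because H(pollID_1) and H(pollID_2) have unrelated logs."""
    return pow(hash_to_group(poll_id), sk % Q, P)


class Poll:
    """Pollster side: one opinion per domain pseudonym.  The SPK binding sk
    to both the pseudonym and the credential is assumed verified before."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False                     # second attempt: dropped
        self.opinions[pseudonym] = opinion
        return True


if __name__ == "__main__":
    alice_sk = 77
    course = Poll("course-eval-2015")
    p_alice = domain_pseudonym(alice_sk, course.poll_id)
    print(course.submit(p_alice, "great"), course.submit(p_alice, "again"))
    print(domain_pseudonym(alice_sk, "poll-A"), domain_pseudonym(alice_sk, "poll-B"))
```

The pollster never sees sk or the registration pseudonym Nym = g^{sk} h^r, only P; since the same sk gives the same P within one poll, a second submission is recognised, while the P values of two polls are a DDH instance and cannot be matched.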
Further Concepts

Concept – Inspection
- TTP (inspector), with inspector parameters and inspection grounds
- If the car is damaged, the ID needs to be retrieved with the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust
Public Key Encryption (figure): key generation, encryption, decryption.
Security: like envelopes – no information about the message (figure: of two candidate messages, the ciphertext does not reveal which one was encrypted). This is called semantic security (secure if used once only or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.

Verifiable Encryption
- Of attributes (discrete logarithm): Camenisch–Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer–Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch–Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q.
Secret key: x ∈ {1, …, q}. Public key: y = g^x.
To encrypt a message m ∈ <g>:
- choose random r ∈ {1, …, q}
- compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c_1, c_2):
- we know c = (y^r m, g^r) = (g^{xr} m, g^r)
- thus set m' = c_1 · c_2^{−x} = y^r m g^{−xr} = y^{r−r} m = m
Realizing Inspection
Alice holds Nym = g^{sk} h^r and the credential d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s} (mod n); the inspector's public key is y = g^x.
Encrypt Nym: choose random u ∈ {1, …, q} and compute enc = (y^u Nym, g^u) = (e_1, e_2).
Compute the proof token (presentation token):
- compute c' = c b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, μ_1, μ_2, μ_3, σ, ρ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
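ElGamal encryption of the pseudonym under the inspector's key, the inspector's decryption, and the verifiable-encryption part of the presentation token (e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ, with the inspection grounds as label), as an added Python example (not code from the slides or from Identity Mixer). It assumes the constructed toy group p = 1019, q = 509, g = 4, h = 9 and shows only the encryption statements of the proof; in the full token the variables μ_1, μ_2 are shared with the CL-signature statement, which is what ties the ciphertext to the shown credential. All names are the example's own.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 1019, q = 509, g = 4 and
# h = 9 of order q.  Real deployments use 2048-bit groups or curves.
P, Q, G, H = 1019, 509, 4, 9


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                   # (x, y = g^x)


def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P  # Nym = g^sk h^r


def encrypt(y, nym):
    """ElGamal on the group element Nym: enc = (y^u Nym, g^u) = (e1, e2)."""
    u = secrets.randbelow(Q - 1) + 1
    return u, (pow(y, u, P) * nym % P, pow(G, u, P))


def decrypt(x, ct):
    """Inspector: Nym = e1 / e2^x = y^u Nym g^(-xu)."""
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P


def challenge(label, ct, t1, t2):
    digest = hashlib.sha256(f"{label}|{ct}|{t1}|{t2}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_encryption(y, ct, u, sk, r, label):
    """SPK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2  AND  e2 = g^rho}(label).
    mu1, mu2 are the variables the credential proof uses for sk and r; the
    label (inspection grounds) goes into the challenge hash, so a proof made
    for one context is not valid for another."""
    r_u, r_sk, r_r = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(y, r_u, P) * pow(G, r_sk, P) * pow(H, r_r, P) % P
    t2 = pow(G, r_u, P)
    c = challenge(label, ct, t1, t2)
    return c, ((r_u - c * u) % Q, (r_sk - c * sk) % Q, (r_r - c * r) % Q)


def verify_encryption(y, ct, proof, label):
    """Recompute t1 = e1^c y^s_u g^s_sk h^s_r and t2 = e2^c g^s_u, re-hash."""
    c, (s_u, s_sk, s_r) = proof
    e1, e2 = ct
    t1 = pow(e1, c, P) * pow(y, s_u, P) * pow(G, s_sk, P) * pow(H, s_r, P) % P
    t2 = pow(e2, c, P) * pow(G, s_u, P) % P
    return c == challenge(label, ct, t1, t2)


if __name__ == "__main__":
    x, y = inspector_keygen()                # inspector parameters
    nym = pseudonym(sk=5, r=6)               # Alice's registration pseudonym
    u, ct = encrypt(y, nym)                  # goes into the presentation token
    grounds = "car damaged: insurer may learn the holder"
    proof = prove_encryption(y, ct, u, 5, 6, grounds)
    print("verifier accepts:", verify_encryption(y, ct, proof, grounds))
    print("inspector recovers Nym:", decrypt(x, ct) == nym)
```

The verifier checks the proof without being able to decrypt (it has no x), and the inspector decrypts without ever seeing the proof; re-verifying with a different label fails, which is the "change of label is a new ciphertext" property from the slides.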
Revocation of credentials

Anonymous Credential Revocation (figure): the issuer publishes revocation info, the verifier looks it up.
- Alice should be able to convince the verifier that her credential is among the good ones
- Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user
- Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
- Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s} (mod n)
- Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
- Alice proves that her u_i is on the list:
  - choose random g
  - compute U_j = g^{u_j} for u_j in (u_1, …, u_k)
  - prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
- Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
- Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s} (mod n)
- Publish the list of all invalid u_i's: (u_1, …, u_k)
- Alice proves that her u_i is not on the list:
  - choose random h and compute U = h^{u_i}
  - prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
  - the verifier checks whether U = h^{u_j} for any u_j on the list (and rejects if so)
- Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all of its past transactions become linkable.

Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_j = h^{u_j} → single table lookup. BUT if the user comes again, the verifier can link her. ALSO the verifier could refrain from changing h at all, or use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check correctness. The date could be the time up to seconds and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – … better implementation of the proof (figure)
The issuer signs the intervals between revoked serial numbers: with revocation list {1, 4, 5} over serial numbers 0…N it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N). Alice, whose credential contains serial number 3, proves that her credential contains a serial number i_A with i < i_A < j and that she knows Sig(i,j); the verifier does not learn i, j (or 3).
Sig(i,j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators (figure)
- Credentials contain a random serial number (1, 2, 3, 4, 5, 6 in the figure)
- The issuer accumulates all good serial numbers
- Alice proves that her credential contains a serial number that is included in the accumulator; the proof requires a witness
- To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials

Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
- values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- witness value x for e_j such that z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j−1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: producing x, e with z = x^e mod n for an e that is not contained in the accumulator must be infeasible
- for fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution – Prove that your key is in the accumulator
- Commit to x:
  - choose random s and g, and
  - compute U_1 = x h^s, U_2 = g^s and reveal U_1, U_2, g
- Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Analysis:
- No information about x and e is revealed: (U_1, U_2) is a secure commitment to x, and the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ·μ} = (U_1 h^{−δ})^μ (mod n), i.e. the committed x = U_1 h^{−δ} satisfies z = x^μ
  c) d = c^ε a_1^ρ a_2^μ b^σ (mod n), so the same μ is the e in the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
When a certificate containing e_rev is revoked:
- now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- witness: use the extended Euclidean algorithm to compute a and b such that a·e_own + b·e_rev = 1; now x' = x^b z'^a mod n
- why: x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n = z^{1/e_rev} mod n = z' :-)
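The RSA accumulator with witnesses, membership check, the dynamic add and revoke operations and the extended-Euclid witness update from the slides above (including the trapdoor join of the improved variant that follows), as an added Python example (not code from the slides or from Identity Mixer). It assumes a constructed toy modulus n = (2^31 − 1)(2^61 − 1) and small prime serial numbers 101, 103, 107, 109, 113 that do not divide φ(n); all names are the example's own.

```python
# Toy RSA modulus constructed for this example, n = (2^31-1)(2^61-1); the
# issuer knows phi(n), everybody else only n.  Accumulated values are primes
# that do not divide phi(n); real systems use ~2048-bit n and large primes.
P_, Q_ = 2**31 - 1, 2**61 - 1
N, PHI = P_ * Q_, (P_ - 1) * (Q_ - 1)
V = pow(13, 2, N)                            # seed v in QR_n


def accumulate(primes):
    """z = v^(prod e_i) mod n over all currently valid serial numbers."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x = v^(prod of all e_i except e_j), so that x^e_j = z."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def check_membership(z, x, e):
    """Verifier's test that e is in the accumulator: z == x^e mod n."""
    return z == pow(x, e, N)


def add_public(z, x_own, e_new):
    """Join without the trapdoor: z' = z^e_new, every holder sets x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def add_with_trapdoor(z, e_new):
    """Improved join: the issuer takes the e_new-th root with 1/e_new mod
    phi(n), so z is unchanged and only the newcomer receives x_new = z^(1/e_new)."""
    return z, pow(z, pow(e_new, -1, PHI), N)


def revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n (needs phi(n))."""
    return pow(z, pow(e_rev, -1, PHI), N)


def ext_gcd(u, w):
    """Return (a, b) with a*u + b*w = 1 for coprime u, w (extended Euclid)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while w:
        q, u, w = u // w, w, u % w
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    assert u == 1, "inputs must be coprime"
    return a0, b0


def update_witness(x_own, e_own, z_new, e_rev):
    """Holder of e_own updates without the trapdoor: with a*e_own + b*e_rev = 1
    set x' = x^b * z'^a.  Then x'^e_own = z^b * z'^(a e_own)
    = z'^(b e_rev + a e_own) = z', because z = z'^e_rev."""
    a, b = ext_gcd(e_own, e_rev)
    return pow(x_own, b, N) * pow(z_new, a, N) % N


if __name__ == "__main__":
    serials = [101, 103, 107, 109]
    z = accumulate(serials)
    x_107 = witness(serials, 107)
    print(check_membership(z, x_107, 107))                   # valid holder
    z2 = revoke(z, 103)                                      # issuer revokes 103
    x_107 = update_witness(x_107, 107, z2, 103)              # holder of 107 updates
    print(check_membership(z2, x_107, 107))                  # still a member
    print(check_membership(z2, witness(serials, 103), 103))  # revoked: fails
```

A revoked holder keeps the old witness but cannot produce one for the new z' without the e_rev-th root, which is where the Strong RSA assumption from the security slide comes in; the honest holders only need the public z' and e_rev to update.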
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.

Revocation: Zeroth Solution – Update of Credentials
Encode the validity time as an attribute:
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution – Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a_1^{m_1} a_2^{m_2} b^s; the issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n and returns (c, e, s'').
Idea: just repeat the last step for each new time period time_i: choose e_i, s_i'' and compute c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n. The update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap:
- Explain the possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society:
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links: www.abc4trust.eu, www.futureID.eu, www.au2eu.eu, www.PrimeLife.eu, www.zurich.ibm.com/idemix, idemixdemo.zurich.ibm.com
Code: github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Watching the movie with the traditional solution (figure)
Alice authenticates to the Movie Streaming Service with her full identity: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, expires Aug 4, 2018; Mplex customer 1029347, premium subscription, expires Jan 13, 2016."
This is a privacy and security problem:
- identity theft
- profiling
- discrimination

Watching the movie with the traditional solution (figure)
With OpenID and similar solutions, e.g. log-in with Facebook: the identity provider learns "Aha, Alice is watching a 12+ movie", and the service learns "Aha, you are Alice@facebook.com, born on Dec 12, 1975, Alice's friends are …, Alice's public profile is …; Mplex customer 1029347, premium subscription, expires Jan 13, 2016."

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.

Privacy-protecting authentication with IBM Identity Mixer (figures)
- Like PKI, but better: one secret identity (secret key), many public pseudonyms (public keys)
- Like PKI, but better: issuing a credential (Name = Alice Doe, Birth date = April 3, 1997)
- Alice: "I wish to see Alice in Wonderland." Movie Streaming Service: "You need a subscription and to be older than 12."
- Like PKI, but does not send the credential, only minimal disclosure: Alice presents a proof of a valid subscription and an eID with age ≥ 12; the service checks it with the public verification key of the issuer and learns only "Aha, you are older than 12 and have a subscription."

Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
copy 2014 IBM Corporation35 August 11 2015
Further Concepts

Concept: Inspection
- If the car is damaged, the driver's ID needs to be retrievable by the insurance or the government, so it is encrypted for a TTP.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.

Concept: Revocation
- If Alice was speeding, her license needs to be revoked.
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries and proving membership
  - limited validity: certs need to be updated
- For proving age, a revoked driver's license still works.
The revocation authority publishes its parameters (public key) and the revocation info.

Concept: Usage Limitation
- The degree of anonymity can be limited: if Alice and Eve are on-line at the same time, they are caught.
- Use limitation, anonymous until: Alice used her certs more than 100 times in total, or more than 10,000 times with Bob.
- Alice's cert can be bound to a hardware token (e.g. a TPM).
A couple of use cases

Age verification
- movie streaming services
- gaming industry
- online gambling platforms
- dating websites
- social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation.

Healthcare
- anonymous access to patients' records, e.g. accessing medical test results
- anonymous consultations with specialists, e.g. online chat with a psychologist or online consultation with IBM Watson
- eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- patent databases
- DNA databases
- news, journals, magazines
- transportation tickets, toll roads
- loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
- online polls: applying different restrictions on the poll participants (location, citizenship)
- rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
[Diagram: three layers on both the user side (Wallet) and the verifier side.
Application layer: resource request; access control and application logic.
Policy layer: the verifier sends a presentation policy, the user returns a presentation token. Wallet: policy/credential matcher, credential manager, store, evidence generation orchestration. Verifier: policy/token matcher, token manager, store, evidence verification orchestration.
Crypto layer: signatures (Sig), encryption (Enc), commitments (Com), zero-knowledge proofs (ZKP), with a key store.]

Privacy-protecting authentication with Privacy-ABCs
[Diagram: the user holds a credential (issued under the issuer parameters, following a credential specification) and a pseudonym; the verifier sends a presentation policy such as "12 < age" (under the verifier parameters) and receives a presentation token.]

The Policy Layer: an example presentation policy
The policy asks for a "voucher" credential whose Expires attribute is at or after 2014-06-17T14:06:00Z:

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
- encryption schemes
- signature schemes
- commitment schemes
- zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge, with three rounds: commitment, challenge, response.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g\rangle$ of prime order $q$ and an element $y \in \langle g\rangle$, the prover wants to convince the verifier that she knows $x$ such that $y = g^x$, while the verifier learns only $y$ and $g$.
Prover: choose random $r$, compute $t = g^r$, send $t$.
Verifier: choose random challenge $c$, send $c$.
Prover: compute $s = r - cx \bmod q$, send $s$.
Verifier: accept iff $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$.
Zero Knowledge Proofs: proof of knowledge
If a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box that we can reset and rerun. We need to show how the secret can be extracted via the protocol interface alone.
Rewinding the prover to the same first message $t$ and answering with two different challenges $c \neq c'$ gives two accepting transcripts $(t, c, s)$ and $(t, c', s')$:
$$t = g^{s} y^{c} = g^{s'} y^{c'} \;\Rightarrow\; y^{c - c'} = g^{s' - s} \;\Rightarrow\; y = g^{(s' - s)/(c - c')} \;\Rightarrow\; x = \frac{s' - s}{c - c'} \bmod q.$$
Zero Knowledge Proofs: security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees". Choose random $c'$ and $s'$, compute $t = g^{s'} y^{c'}$ and send $t$; if the verifier's challenge $c$ equals $c'$, send $s = s'$, otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
One way to modify the protocol to get a large domain for $c$
Prover: random $r$, $t = g^r$.
Verifier: random $c$ and $v$; it commits to the challenge as $h = H(c, v)$ and sends $h$ before seeing $t$.
Prover sends $t$; verifier reveals $(c, v)$; prover checks $h = H(c, v)$ and answers $s = r - cx$.
Verifier checks $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$.

Zero Knowledge Proofs: security of the modified protocol
Simulation: choose random $c'$ and $s'$ and compute $t = g^{s'} y^{c'}$; after having received $(c, v)$, "reboot" the verifier to the point where it has sent $h$. Now choose random $s$, compute $t = g^s y^c$ with the known $c$, send $t$, receive the same $(c, v)$ again (the verifier is committed to them via $h$), and send $s$.
From Protocols To Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and compute $t = g^r$
- compute $c = H(g^r \| m) = H(t \| m)$ and $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$, which holds iff $t = g^s y^c$
Security: the underlying protocol is a zero-knowledge proof of knowledge and the hash function $H()$ behaves as a "random oracle".
Signature notation: $SPK\{(\alpha): y = g^\alpha\}(m)$.
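The Schnorr protocol of slide 53, its knowledge extractor (slide 54), its simulator (slide 55) and the Fiat-Shamir signature of this slide, as an added example written for this page; it is not code from the slides or from Identity Mixer. It assumes a constructed toy group p = 4079 = 2q + 1, q = 2039, g = 4 (the order-q subgroup), so that it runs stand-alone; the function names are mine. A deployment uses a 2048-bit group or an elliptic curve, but the protocol logic does not depend on the size.

```python
# Added example: Schnorr PK{(alpha): y = g^alpha}, its extractor and simulator,
# and the signature SPK{(alpha): y = g^alpha}(m).  Constructed toy group:
# p = 4079 = 2q+1, q = 2039 prime, g = 4 generates the subgroup of order q.
import hashlib
import secrets

P, Q, G = 4079, 2039, 4


def keygen():
    """Secret x in Z_q, public y = g^x."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Round 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff t = g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_honest(x, y):
    """Complete interactive run with a random challenge; returns (accepted, transcript)."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)  # round 2: the verifier's challenge
    s = prover_respond(x, r, c)
    return verify(y, t, c, s), (t, c, s)


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor (slide 54): rewind the prover to the same t, get
    answers to two challenges c1 != c2, and solve
    y^(c1-c2) = g^(s2-s1)  =>  x = (s2 - s1) / (c1 - c2) mod q."""
    assert c1 != c2, "need two different challenges for the same commitment"
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


def simulate(y):
    """Zero-knowledge simulator (slide 55): choose c and s first, then
    t = g^s y^c; the transcript verifies although no x was used."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def challenge_hash(t, msg):
    """Fiat-Shamir challenge c = H(t || m) reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(2, "big") + msg).digest(), "big") % Q


def spk_sign(x, msg):
    """Schnorr signature (slide 59): c = H(g^r || m), s = r - c x; output (c, s)."""
    r, t = prover_commit()
    c = challenge_hash(t, msg)
    return c, prover_respond(x, r, c)


def spk_verify(y, msg, sig):
    """Recompute t = g^s y^c and check c = H(t || m)."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == challenge_hash(t, msg)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive run accepted:", run_honest(x, y)[0])
    sig = spk_sign(x, b"Alice in Wonderland")
    print("signature verifies:", spk_verify(y, b"Alice in Wonderland", sig))
```

The extractor is what makes the protocol a proof of knowledge: no honest verifier ever sees two responses for one t, but a verifier that can rewind the prover does, and the arithmetic above is all it needs to recover x. The simulator is the other half of the argument: since transcripts with the right distribution can be produced without x, the verifier learns nothing from them.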
Zero Knowledge Proofs of Knowledge of Discrete Logarithms: extensions
Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA), with $\tilde{g}$ in a group of different order:
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \tilde{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does
$$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$$
mean?
The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3},$$
hence $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$.
And what about
$$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}?$$
Then $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$, hence $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$.

Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does
$$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \beta_4): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_4}\}$$
mean?
The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \beta_4$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$$C_3 = C_2^{\alpha_1} h^{\beta_4} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_4} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_4 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3},$$
hence $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$.
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_3}\}$?
By the same argument, $\alpha_2 = \alpha_1^2 \pmod q$.

Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge g = (C_2/C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
The prover knows values $\alpha_1, \beta_1, \beta_2$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and
$$g = (C_2/C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}.$$
Taking $\alpha_1$-th roots: $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$, so
$$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}.$$
If $C_2 = g^{\alpha_2} h^{\beta_2'}$ is a commitment to $\alpha_2$, this shows $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$.
Privacy-protecting authentication with Privacy-ABCs
Building blocks used by Alice: signature scheme, commitment scheme, zero-knowledge proofs.

Signature schemes

Signature Scheme Functionality
- Key generation: produces a signing key and a verification key.
- Signing: $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \mathrm{sk})$ on a block of messages $(m_1, \ldots, m_k)$.
- Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \mathrm{pk}) = \mathrm{true}$.

Signature Scheme Security: unforgeability under adaptive chosen message attack
The adversary adaptively asks for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice and wins if it outputs $\sigma$ and $m \neq m_i$ such that $\mathrm{ver}(\sigma, m, \mathrm{pk}) = \mathrm{true}$.
RSA Signature Scheme (for reference)
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of a signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.

RSA Signature Scheme (for reference)
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
We would like to do a proof of knowledge of a signature on a message, e.g. $PK\{(\mu, \sigma): \sigma^e = H(\mu) \pmod n\}$.
But this is not a valid proof expression :-( (the hash function is not an algebraic relation that the proof techniques above can handle).
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
$$c = \left(\frac{d}{a_1^{m_1} \cdots a_k^{m_k} b^s}\right)^{1/e} \bmod n.$$
The signature is $(c, e, s)$.

To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$ and
$$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n.$$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$, provide $c'$ and run
$$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\},$$
which proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$.
Privacy-protecting authentication with Privacy-ABCs
Building blocks used by Alice: signature scheme, commitment scheme, zero-knowledge proofs.

Commitment schemes

Commitment Scheme Functionality
[Diagram: the committer puts a message $m$ (e.g. the date 2-36-17) into a sealed commitment and hands it over; later she opens it, and the recipient checks that the opened value is the $m$ that was committed to.]

Commitment Scheme Security: binding
[Diagram: the committer cannot open the commitment to 2-36-17 as a different message such as 3-21-11.]

Commitment Scheme Security: hiding
[Diagram: for all messages $m, m'$, a commitment to $m$ is indistinguishable from a commitment to $m'$.]
Commitment Schemes
Group $G = \langle g\rangle = \langle h\rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
- reveal $x$ and $r$ to the verifier
- the verifier checks whether $c = g^x h^r$

Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then $c = g^x h^r = g^{x + ur} = g^{x + u(r - r')} g^{ur'} = g^{x + u(r - r')} h^{r'}$ for any $r'$. I.e., given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$, so $c$ reveals nothing about $x$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ be such that $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. opening a commitment in two ways yields the discrete logarithm of $h$.
Commitment Scheme Extended Features
- Proof of knowledge of contents: the committer proves that she knows an opening $m$ of the commitment without revealing it.
- Proof of relations among contents: e.g. proving that the content $m'$ of a second commitment satisfies $m' = 2 \cdot m$.
Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$. Then
$PK\{(\alpha, \beta): C = g^\beta h^\alpha\}$ proves knowledge of the contents, and
$PK\{(\alpha, \beta, \gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$ proves $m' = 2m$.
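An added example (not the slides' code and not Identity Mixer's) serving both the proofs of relations among committed values on slides 60-62 and the extended commitment features above: Pedersen commitments together with a Fiat-Shamir'd sigma-protocol for a conjunction of discrete-log representations that share witnesses, which is exactly what the $PK\{\ldots \wedge \ldots\}$ expressions on these slides denote. It assumes the same constructed toy group (p = 4079, q = 2039, g = 4, h = 9); the statement encoding and function names are my own.

```python
# Added example: Pedersen commitments and a Fiat-Shamir'd sigma-protocol for
# PK{(w_0..w_n): Y_1 = prod base^w AND Y_2 = ... } with shared witnesses.
# Constructed toy group p = 4079 = 2q+1, q = 2039, g = 4, h = 9 (both of order q;
# in the toy log_g h is computable, a real setup picks h so nobody knows it).
import hashlib
import secrets

P, Q, G, H = 4079, 2039, 4, 9


def commit(m):
    """Pedersen commitment C = g^m h^r with fresh randomness r."""
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(H, r, P) % P, r


def open_commitment(c, m, r):
    """Verifier's check of an opening (m, r)."""
    return c == pow(G, m, P) * pow(H, r, P) % P


# A statement is a list of equations (Y, [(base, idx), ...]) meaning
# Y = prod base^w[idx] (mod p); idx refers into the shared witness vector.
def _eval(terms, exps):
    out = 1
    for base, idx in terms:
        out = out * pow(base, exps[idx], P) % P
    return out


def _challenge(statement, ts):
    """Fiat-Shamir challenge over the targets, the bases and the t's."""
    h = hashlib.sha256()
    for (y, terms), t in zip(statement, ts):
        h.update(y.to_bytes(2, "big") + t.to_bytes(2, "big"))
        for base, idx in terms:
            h.update(base.to_bytes(2, "big") + bytes([idx]))
    return int.from_bytes(h.digest(), "big") % Q


def prove(statement, witnesses):
    """Prover: r_i random, t_j = prod base^r, c = H(statement, t), s_i = r_i - c w_i."""
    r = [secrets.randbelow(Q) for _ in witnesses]
    ts = [_eval(terms, r) for _, terms in statement]
    c = _challenge(statement, ts)
    return c, [(ri - c * wi) % Q for ri, wi in zip(r, witnesses)]


def verify(statement, proof):
    """Verifier: t_j = Y_j^c * prod base^s (equals prod base^r for honest s), recheck hash."""
    c, s = proof
    ts = [pow(y, c, P) * _eval(terms, s) % P for y, terms in statement]
    return c == _challenge(statement, ts)


def prove_double(m, r1, r2):
    """Slide 87: C = g^m h^r1, C' = g^(2m) h^r2 and
    PK{(alpha, beta, gamma): C = g^beta h^alpha AND C' = (g^2)^beta h^gamma}."""
    c1 = pow(G, m, P) * pow(H, r1, P) % P
    c2 = pow(G, 2 * m, P) * pow(H, r2, P) % P
    statement = [(c1, [(G, 0), (H, 1)]), (c2, [(pow(G, 2, P), 0), (H, 2)])]
    return statement, prove(statement, [m, r1, r2])


def prove_sum(a1, b1, a2, b2, b3):
    """Slide 60: C3 = g^(a1+a2) h^b3 and
    PK{...: C1 = g^a1 h^b1 AND C2 = g^a2 h^b2 AND C3 = g^a1 g^a2 h^b3}."""
    c1 = pow(G, a1, P) * pow(H, b1, P) % P
    c2 = pow(G, a2, P) * pow(H, b2, P) % P
    c3 = pow(G, (a1 + a2) % Q, P) * pow(H, b3, P) % P
    statement = [(c1, [(G, 0), (H, 1)]), (c2, [(G, 2), (H, 3)]),
                 (c3, [(G, 0), (G, 2), (H, 4)])]
    return statement, prove(statement, [a1, b1, a2, b2, b3])
```

Because every equation is verified with the same challenge and the same response vector, a witness index that appears in two equations is forced to be the same value in both; that is the mechanism behind "$\alpha_3 = \alpha_1 + \alpha_2$" on slide 60 and "$m' = 2m$" on slide 87. The relation is encoded purely in which bases and indices appear, so the verifier never sees m, r or r'.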
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g\rangle = \langle h\rangle$ of order $q$.
User's secret key: random $\mathrm{sk} \in \mathbb{Z}_q$.
To compute a pseudonym $\mathrm{Nym}$: choose random $r \in \mathbb{Z}_q$ and compute $\mathrm{Nym} = g^{\mathrm{sk}} h^r$.

Like PKI, but better: issuing a credential
Concept: credentials. The issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997.

Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead: $d = c^e a_1^{\mathrm{sk}} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$.
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user commits to $m_1, \ldots, m_j$ and the signer signs the commitment together with the clear messages $m_{j+1}, \ldots, m_k$: $\sigma = \mathrm{sig}((\mathrm{commit}(m_1, \ldots, m_j), m_{j+1}, \ldots, m_k), \mathrm{sk})$. Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \mathrm{pk}) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the clear message parts and the openings of the commitments

Realizing Issuance of a Credential (issuer's public key $n, a_i, b, d$)
1. The user computes $C = a_1^{\mathrm{sk}} b^{s'} \bmod n$, sends $C$ and the attribute $\mathrm{name}$ to the issuer, and proves $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$.
2. The issuer chooses $e$ and $s''$, computes $c = (d / (C\, a_2^{\mathrm{name}} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The user holds the signature $(c, e, s'' + s')$ satisfying $d = c^e a_1^{\mathrm{sk}} a_2^{\mathrm{name}} b^{s'' + s'} \pmod n$.

Realizing Issuance of a Credential: signing w.r.t. a pseudonym
Want to sign w.r.t. $\mathrm{Nym} = g^{\mathrm{sk}} h^r$.
1. The user computes $C = a_1^{\mathrm{sk}} a_2^{r} b^{s'}$, sends $C$, $\mathrm{Nym}$ and $\mathrm{name}$, and proves $PK\{(\mu_1, \rho, \sigma'): \mathrm{Nym} = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
2. The issuer computes $c = (d / (C\, a_3^{\mathrm{name}} b^{s''}))^{1/e} \bmod n$, returns $(c, e, s'')$ and stores $(\mathrm{Nym}, \mathrm{name})$.
3. The user holds the signature satisfying $d = c^e a_1^{\mathrm{sk}} a_2^{r} a_3^{\mathrm{name}} b^{s'' + s'} \pmod n$.
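An added example (not from the slides, and not Identity Mixer's own code) covering the CL signature of slides 75-77 and the issuance on a hidden message just described: signing, verification, the re-randomisation $(c\,b^t, e, s - et)$, and issuance where the user sends $C = a_1^{\mathrm{sk}} b^{s'}$ and the issuer signs without learning sk. The user's accompanying proof $PK\{(\mu, \sigma'): C = a_1^{\mu} b^{\sigma'}\}$ is not implemented here. All parameters are a constructed toy: 32-bit factors of n, 15-bit messages and a prime e drawn from the required interval; a deployment uses 1024-bit factors and correspondingly larger e.

```python
# Added example: toy CL signature, its re-randomisation, and issuance on a
# committed (hidden) secret key.  Constructed toy parameters throughout.
import secrets

P_RSA, Q_RSA = 4294967291, 2147483647      # constructed toy factors (both prime)
N = P_RSA * Q_RSA
PHI = (P_RSA - 1) * (Q_RSA - 1)
L = 15                                      # messages are in {0,1}^L
A = [pow(x, 2, N) for x in (2, 3, 5)]       # a1, a2, a3 in QR_n (constructed)
B, D = pow(7, 2, N), pow(11, 2, N)          # b, d in QR_n (constructed)


def is_prime(n):
    """Trial division; fine for the 17-bit exponents of this toy."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def random_prime_exponent():
    """Random prime e with 2^(L+1) < e < 2^(L+2), coprime to phi(n) so 1/e exists."""
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 2)
        if is_prime(e) and PHI % e != 0:
            return e


def base_product(messages, s):
    """prod a_i^m_i * b^s mod n, message i going with base a_i."""
    out = pow(B, s, N)
    for a, m in zip(A, messages):
        out = out * pow(a, m, N) % N
    return out


def sign(messages):
    """Issuer (slide 75): c = (d / (prod a_i^m_i b^s))^(1/e) mod n; output (c, e, s)."""
    assert all(0 <= m < 2 ** L for m in messages)
    e = random_prime_exponent()
    s = secrets.randbits(N.bit_length() + 64)
    root = pow(e, -1, PHI)                  # the e-th root needs the factorisation
    c = pow(D * pow(base_product(messages, s), -1, N) % N, root, N)
    return c, e, s


def verify(messages, sig):
    """Slide 76: m_i in {0,1}^L, e > 2^(L+1) and d = c^e prod a_i^m_i b^s mod n."""
    c, e, s = sig
    return (all(0 <= m < 2 ** L for m in messages) and e > 2 ** (L + 1)
            and D == pow(c, e, N) * base_product(messages, s) % N)


def randomize(sig):
    """Slide 77: (c b^t, e, s - e t) is another signature on the same messages."""
    c, e, s = sig
    t = secrets.randbits(N.bit_length())
    return c * pow(B, t, N) % N, e, s - e * t


def user_commit(sk):
    """User (slide 95): C = a1^sk b^s' hides sk from the issuer."""
    s1 = secrets.randbits(N.bit_length() + 64)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1


def issue_on_commitment(C, clear_messages):
    """Issuer (slide 97): c = (d / (C prod_{i>=2} a_i^m_i b^s''))^(1/e); returns (c, e, s'')."""
    e = random_prime_exponent()
    s2 = secrets.randbits(N.bit_length() + 64)
    denominator = C * pow(B, s2, N) % N
    for a, m in zip(A[1:], clear_messages):
        denominator = denominator * pow(a, m, N) % N
    c = pow(D * pow(denominator, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def user_complete(partial, s1):
    """User (slide 98): the final signature uses s = s'' + s'."""
    c, e, s2 = partial
    return c, e, s2 + s1
```

Two things to notice when running it: `verify` accepts the randomized signature although c and s have changed, which is why showing $c'$ to a verifier does not link to the issued $c$; and the completed signature from `issue_on_commitment` verifies on `[sk, name]` even though the issuer only ever saw $C$ and $\mathrm{name}$. Negative exponents in `pow` rely on Python 3.8+.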
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous: a user's opinions in different polls must not be linkable.

Polling: Solution, Registration
- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{\mathrm{sk}} a_2^{r} a_3^{\mathrm{attr}} b^s \pmod n$ under the issuer key $(n, a_1, a_2, a_3, b, d)$.
- The credential can contain attributes (e.g. the course ID) about her.

Polling: Solution, Submitting a Poll
1. The user generates a domain pseudonym with domain = pollID.
2. The user transforms her credential.
3. She sends the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.

Polling: Solution, Polling
1. Domain pseudonym $P = g_d^{\mathrm{sk}} = H(\mathrm{pollID})^{\mathrm{sk}}$. $P_1 = H(\mathrm{pollID}_1)^{\mathrm{sk}}$ and $P_2 = H(\mathrm{pollID}_2)^{\mathrm{sk}}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and sends
$$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(\mathrm{opinion}).$$
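The domain pseudonym of this slide and the pollster's duplicate detection, as an added example that is not part of the slides: $g_d = H(\mathrm{pollID})$ is hashed into the order-q subgroup of the constructed toy group (p = 4079, q = 2039) by squaring, and $P = g_d^{\mathrm{sk}}$. The SPK tying sk to the credential is omitted; the class and function names are mine.

```python
# Added example: domain pseudonyms P = H(pollID)^sk and one-opinion-per-pseudonym
# enforcement.  Constructed toy group p = 4079, subgroup order q = 2039.
import hashlib

P, Q = 4079, 2039


def hash_to_group(domain: bytes) -> int:
    """Map a domain string to an element of the subgroup of order q.
    Squaring mod p turns any residue into a quadratic residue, i.e. an element
    of the order-q subgroup; retry on the degenerate values 0 and 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(domain + bytes([counter])).digest()
        gd = pow(int.from_bytes(digest, "big") % P, 2, P)
        if gd not in (0, 1):
            return gd
        counter += 1


def domain_pseudonym(sk: int, poll_id: bytes) -> int:
    """P = H(pollID)^sk: deterministic per (sk, poll), and under DDH the
    pseudonyms of one sk in different polls cannot be linked."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym; repeat submissions are dropped."""

    def __init__(self, poll_id: bytes):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym: int, opinion: str) -> bool:
        if pseudonym in self.opinions:
            return False          # second attempt under the same pseudonym
        self.opinions[pseudonym] = opinion
        return True
```

Mapping the hash into the prime-order subgroup matters: if $g_d$ were an arbitrary element of $\mathbb{Z}_p^*$ the small-subgroup component of $P$ would leak a bit about sk across polls, which is exactly the linkage the scheme is meant to prevent.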
Further Concepts

Concept: Inspection
Inspector parameters (public key) and inspection grounds are part of the presentation policy.
- If the car is damaged, the ID needs to be retrievable by the insurance or the government (via a TTP, the inspector).
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.

Public Key Encryption
Key generation, encryption, decryption.
Security, like envelopes: the ciphertext gives no information about the message; an adversary who chooses two messages cannot tell which of them was encrypted. This is called semantic security (secure if a key is used once only or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc. In the security definition, a change of label is a new ciphertext.

Verifiable Encryption
- of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- otherwise (any secret for which a ZKPK exists): Camenisch-Damgaard works for any scheme but is much less efficient
Open problem: to find new ones.

ElGamal Encryption Scheme
Group $G = \langle g\rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g\rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^r m, g^r)$.
To decrypt a ciphertext $c = (c_1, c_2)$: we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$, thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^r m\, y^{-r} = m$.
Realizing Inspection
Alice holds $\mathrm{Nym} = g^{\mathrm{sk}} h^r$ and a credential with $d = c^e a_1^{\mathrm{sk}} a_2^{r} a_3^{\mathrm{name}} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $\mathrm{Nym}$: choose random $u \in \{1, \ldots, q\}$ and compute $\mathrm{enc} = (y^u \mathrm{Nym}, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
- compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
- compute the proof
$$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}.$$
The conjuncts $e_1 = y^\rho g^{\mu_1} h^{\mu_2}$ and $e_2 = g^\rho$ show that the ciphertext contains the pseudonym formed from the same $\mathrm{sk}$ and $r$ that are certified in the credential.
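ElGamal encryption (slide 113) and the inspection token just described, as an added example that is neither the slides' code nor Identity Mixer's: Alice encrypts $\mathrm{Nym} = g^{\mathrm{sk}} h^r$ under the inspector's key and proves $PK\{(\rho, \mu_1, \mu_2): e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho\}$. It assumes the constructed toy group (p = 4079, q = 2039, g = 4, h = 9); the credential conjunct is omitted, and the label is bound into the Fiat-Shamir challenge, which is a simplification of the labelled encryption of slide 110. Function names are mine.

```python
# Added example: ElGamal in a constructed toy group and a verifiable encryption
# of a pseudonym Nym = g^sk h^r for an inspector with key y = g^x.
import hashlib
import secrets

P, Q, G, H = 4079, 2039, 4, 9


def keygen():
    """Inspector's key: x in Z_q, y = g^x."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Nym = g^sk h^r (slide 90)."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m):
    """ElGamal (slide 113): random u, ciphertext (y^u m, g^u).  u is returned
    because the prover needs it as the witness rho."""
    u = secrets.randbelow(Q)
    return (pow(y, u, P) * m % P, pow(G, u, P)), u


def decrypt(x, ct):
    """Inspector: m = e1 * e2^(-x) = y^u m g^(-xu)."""
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P


def _challenge(y, ct, t1, t2, label):
    """Fiat-Shamir challenge; the label binds the proof to its context."""
    parts = [y, ct[0], ct[1], t1, t2]
    data = b"".join(v.to_bytes(2, "big") for v in parts) + label
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_encrypted_nym(y, ct, u, sk, r, label):
    """PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2 AND e2 = g^rho}, non-interactive."""
    r0, r1, r2 = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(y, r0, P) * pow(G, r1, P) * pow(H, r2, P) % P
    t2 = pow(G, r0, P)
    c = _challenge(y, ct, t1, t2, label)
    return c, ((r0 - c * u) % Q, (r1 - c * sk) % Q, (r2 - c * r) % Q)


def verify_encrypted_nym(y, ct, proof, label):
    """Verifier: t1 = e1^c y^s0 g^s1 h^s2, t2 = e2^c g^s0, then recheck the hash."""
    c, (s0, s1, s2) = proof
    e1, e2 = ct
    t1 = pow(e1, c, P) * pow(y, s0, P) * pow(G, s1, P) * pow(H, s2, P) % P
    t2 = pow(e2, c, P) * pow(G, s0, P) % P
    return c == _challenge(y, ct, t1, t2, label)
```

The verifier learns neither sk, r nor u, yet is convinced that decrypting the ciphertext will yield a group element of the form $g^{\mu_1} h^{\mu_2}$ for the same $\mu_1, \mu_2$ used in the rest of the token; a different label makes the verifier recompute a different challenge, so a token cannot be replayed under other inspection grounds.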
Revocation of credentials

Anonymous Credential Revocation
The revocation authority publishes revocation info; the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.
There are various reasons to revoke a credential: the user lost the credential or the secret key, or the user misbehaved.
Pseudonyms mean that standard revocation lists do not work.

Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{\mathrm{sk}} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove
$$PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}.$$
Not very efficient, i.e. linear in the size $k$ of the list :-(

Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{\mathrm{sk}} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U = h^\mu\}$
- the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public instead? If a credential is revoked, all its past transactions become linkable.

Revocable Credentials: Second Solution, variation
The verifier could choose $h$ and keep it fixed for a while: it can then pre-compute the list $U_j = h^{u_j}$, so checking becomes a single table lookup. BUT if the user comes again, the verifier can link her visits; ALSO the verifier could never change $h$ at all, or use the same $h$ as other verifiers.
One way out: $h = H(\mathrm{verifier}, \mathrm{date})$, so the user can check that $h$ is formed correctly; the date could be the time up to seconds, and the verifier can just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution, a better implementation of the proof
The issuer signs the intervals between revoked serial numbers: for the revocation list $\{1, 4, 5\}$ it publishes $\mathrm{Sig}(0, 1)$, $\mathrm{Sig}(1, 4)$, $\mathrm{Sig}(4, 5)$ and $\mathrm{Sig}(5, N)$.
A user whose credential contains the serial number $3$ proves that she knows $i, j$ and $\mathrm{Sig}(i, j)$ such that $i < 3 < j$; the verifier does not learn $i$ and $j$.
$\mathrm{Sig}(i, j)$ can be realised with the credential signature scheme as well, using a different public key.
Revocable Credentials: Third Solution, using cryptographic accumulators
[Diagram: credentials contain random serial numbers 1, 2, 3, 4, 5, 6; the issuer accumulates all good serial numbers into one accumulator value; a user proves that her serial number (e.g. 2) is included in the accumulator, which requires a witness.]
[Diagram: to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.]
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- the values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- the witness value $x$ for $e_j$ such that $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator: provide $x$ for $e$; the verifier checks $z = x^e \bmod n$.

Security of the accumulator: it must be infeasible to show an $x$ with $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- for a fixed $e$: equivalent to the RSA assumption
- for any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets the witness $x$ with her certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go

Prove that your key is in the accumulator:
- commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^s$ and $U_2 = g^s$, and reveal $U_1, U_2, g$
- run the proof protocol with the verifier:
$$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$$
Analysis:
- no information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge
- the proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$, so $\xi = \delta\mu$
  b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 h^{-\delta})^\mu \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
  c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$, i.e. the same $\mu$ is the $e$ of the certificate

Revocation, Third Solution: Dynamic Accumulator
When a new user gets a certificate containing $e_{\mathrm{new}}$:
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{\mathrm{new}}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{\mathrm{new}}} \bmod n$
When a certificate containing $e_{\mathrm{rev}}$ is revoked:
- now $z' = v^{\prod_{i \neq \mathrm{rev}} e_i} = z^{1/e_{\mathrm{rev}}} \bmod n$ (the issuer knows the factorization of $n$)
- witness update: use extended Euclid to compute $a$ and $b$ such that $a\, e_{\mathrm{own}} + b\, e_{\mathrm{rev}} = 1$; now $x' = x^b z'^a \bmod n$
- why: $x'^{e_{\mathrm{own}}} = ((x^b z'^a)^{e_{\mathrm{own}}})^{e_{\mathrm{rev}} \cdot 1/e_{\mathrm{rev}}} = ((x^{e_{\mathrm{own}}})^{b\, e_{\mathrm{rev}}} (z'^{e_{\mathrm{rev}}})^{a\, e_{\mathrm{own}}})^{1/e_{\mathrm{rev}}} = (z^{b\, e_{\mathrm{rev}}} z^{a\, e_{\mathrm{own}}})^{1/e_{\mathrm{rev}}} = z^{1/e_{\mathrm{rev}}} = z' \bmod n$ :-)

Revocation, Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{\mathrm{new}}$:
- recall $z = v^{\prod e_i} \bmod n$
- actually $v$ never occurs anywhere, so set $v' = v^{1/e_{\mathrm{new}}} \bmod n$ and give the new user the witness $x = z^{1/e_{\mathrm{new}}} \bmod n$
- thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
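The RSA accumulator of slides 123-130, as an added example (not the slides' code and not the Camenisch-Lysyanskaya reference implementation): accumulation, witness checking, the dynamic add with witness update, revocation with the extended-Euclid witness update, and the trapdoor variant of slide 130 in which z stays fixed when a member joins. It assumes a constructed toy modulus n = 4294967291 * 2147483647 whose factorisation the issuer knows, and uses the well-known primes 8191, 65537, 131071 and 524287 as accumulated values; names are mine. Real deployments use 1024-bit factors and fresh random primes per credential.

```python
# Added example: RSA accumulator with dynamic add/revoke.  Constructed toy
# modulus; accumulated values are primes coprime to phi(n).
P_RSA, Q_RSA = 4294967291, 2147483647     # constructed toy factors (both prime)
N = P_RSA * Q_RSA
PHI = (P_RSA - 1) * (Q_RSA - 1)
V = pow(13, 2, N)                          # seed v in QR_n (constructed)


def ext_gcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g."""
    if b == 0:
        return a, 1, 0
    g, u, v = ext_gcd(b, a % b)
    return g, v, u - (a // b) * v


def accumulate(values):
    """z = v^(prod e_i) mod n, plus each member's witness x_j = v^(prod_{i!=j} e_i)."""
    z = V
    for e in values:
        z = pow(z, e, N)
    witnesses = {}
    for e in values:
        x = V
        for other in values:
            if other != e:
                x = pow(x, other, N)
        witnesses[e] = x
    return z, witnesses


def check(z, e, x):
    """Verifier: e is accumulated iff x^e = z mod n."""
    return pow(x, e, N) == z


def add(z, witnesses, e_new):
    """Slide 128: z' = z^e_new, every old witness becomes x^e_new, and the
    newcomer's witness is the old z."""
    new_w = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    new_w[e_new] = z
    return pow(z, e_new, N), new_w


def add_with_trapdoor(z, e_new):
    """Slide 130: with the factorisation, z stays unchanged and the newcomer
    simply receives x = z^(1/e_new); the other witnesses are untouched."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke(z, witnesses, e_rev):
    """Slide 129: the issuer publishes z' = z^(1/e_rev) (trapdoor); each
    remaining member finds a*e_own + b*e_rev = 1 and sets x' = x^b * z'^a mod n."""
    z_new = pow(z, pow(e_rev, -1, PHI), N)
    new_w = {}
    for e_own, x in witnesses.items():
        if e_own == e_rev:
            continue
        g, a, b = ext_gcd(e_own, e_rev)
        assert g == 1, "accumulated values must be distinct primes"
        new_w[e_own] = pow(x, b, N) * pow(z_new, a, N) % N   # b may be negative
    return z_new, new_w
```

The interesting check is the last one in the test: after revocation the revoked member's old witness still satisfies $x^{e} = z$ for the old z, but not for the published z', so a verifier that always fetches the current accumulator value rejects it without ever learning which e was revoked.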
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid, there is no need to check revocation updates from the issuer

Revocation: Zeroth Solution, re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$ and computes $c = (d / (U a_3^{m_3} a_4^{\mathrm{time}} b^{s''}))^{1/e} \bmod n$, returning $(c, e, s'')$.
Idea: just repeat the last step for each new time $\mathrm{time}_i$: choose $e_i, s_i''$ and compute $c_i = (d / (U a_3^{m_3} a_4^{\mathrm{time}_i} b^{s_i''}))^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
- explain possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society:
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog

Thank you
E-mail: identity@zurich.ibm.com
Links: www.abc4trust.eu, www.futureID.eu, www.au2eu.eu, www.PrimeLife.eu, www.zurich.ibm.com/idemix, idemixdemo.zurich.ibm.com
Code: github.com/p2abcengine and abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185-215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology - CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
Watching the movie with the traditional solution
With OpenID and similar solutions, e.g. log-in with Facebook: Alice logs in to the Movie Streaming Service through the identity provider. The identity provider learns "Aha, Alice is watching a 12+ movie", and the service learns "Aha, you are Alice@facebook.com, born on Dec 12, 1975; Alice's friends are ...; Alice's public profile is ...; Mplex Customer 1029347, Premium Subscription, Expires Jan 13, 2016."

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
Like PKI but better
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with IBM Identity Mixer
copy 2014 IBM CorporationAugust 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with IBM Identity Mixer
Name = Alice DoeBirth date = April 3 1997
Privacy-protecting authentication with IBM Identity Mixer (Privacy ABCs)

Alice: "I wish to see Alice in Wonderland."
Movie Streaming Service: "You need: a subscription; to be older than 12."
Alice presents a proof derived from her credentials: a valid subscription and an eID with age ≥ 12. The service checks the proof against the public verification key of the issuer.
Movie Streaming Service: "Aha, you are older than 12 and have a subscription."

Like PKI, but the credential itself is not sent: only the minimal disclosure.
Advantages of Identity Mixer

For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access

For service providers: security, accountability and compliance
- avoiding the risk of leaking personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)
Demo

Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28).
Further Concepts

Concept: Inspection
- If the car is damaged, the driver's ID needs to be retrievable by the insurance or the government; a trusted third party (TTP) can decrypt it.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.

Concept: Revocation
- If Alice was speeding, her license needs to be revoked.
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries and proving membership
  - limited validity: certs need to be updated
- For proving age, a revoked driver's license still works.
- Inputs: revocation authority parameters (public key) and revocation info.

Concept: Usage Limitation
- The degree of anonymity can be limited.
- If Alice and Eve are on-line at the same time (with the same credential), they are caught.
- Use limitation: anonymous until Alice has used her certs more than 100 times in total, or more than 10000 times with Bob.
- Alice's cert can be bound to a hardware token (e.g. a TPM).
A couple of use cases

Age verification: movie streaming services, gaming industry, online gambling platforms, dating websites, social benefits for young/old people. Proving 12+, 18+ or 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation.

Healthcare
- Anonymous access to patient records: accessing medical test results.
- Anonymous consultations with specialists: online chat with a psychologist; online consultation with IBM Watson.
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI.
- Anonymous treatment of patients (while enabling access control and payments).

Subscriptions, membership: patent databases, DNA databases, news/journals/magazines, transportation tickets, toll roads, loyalty programs. Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship).
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms.
- Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer

Three layers on both the user and the verifier side:
- application layer: the resource request; access control and application logic on the verifier side
- policy layer: the verifier sends a presentation policy, the user's wallet answers with a presentation token
  - user side (wallet): credential manager and store, policy/credential matcher, evidence generation orchestration
  - verifier side: token manager and store, policy/token matcher, evidence verification orchestration
- crypto layer: signatures (Sig), encryption (Enc), commitments (Com), zero-knowledge proofs (ZKP), and a store for keys and parameters
Privacy-protecting authentication with Privacy ABCs: the artefacts

- Issuer parameters and a credential specification define a credential type
- Credential (held by the user), certifying attributes such as the age
- Pseudonym (generated by the user)
- Verifier parameters and a presentation policy (from the verifier), containing predicates over attributes such as 12 < age
- Presentation token (from the user, answering the policy)

Protocol flow between User and Verifier: the verifier sends the presentation policy; the user returns a presentation token.
The Policy Layer: An Example Presentation Policy

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>

The policy asks for a "voucher" credential of the given specification from the given issuer, and for a proof that its Expires attribute is not before 2014-06-17T14:06:00Z; the attribute value itself is not disclosed.
So let's look at the cryptography

Required technologies: encryption schemes, signature schemes, commitment schemes, zero-knowledge proofs. The challenge is to do all this efficiently.
Zero-knowledge proofs

An interactive proof between a prover and a verifier about the prover's knowledge. Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier

Three-move structure: commitment, challenge, response.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group <g> of prime order q and an element y ∈ <g>, the prover wants to convince the verifier that she knows x such that y = g^x, in a way that the verifier learns only y and g.

Prover (knows x)                          Verifier
random r, t = g^r           -- t -->
                            <-- c --      random c
s = r - c·x (mod q)         -- s -->      check t = g^s · y^c

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Proof of Knowledge

Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.

The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box that we can reset and rerun. We need to show how the secret can be extracted via the protocol interface alone.

Rewind the prover after its first message t and answer with two different challenges c ≠ c', obtaining two accepting transcripts (t, c, s) and (t, c', s'):
  t = g^s · y^c = g^{s'} · y^{c'}  →  y^{c - c'} = g^{s' - s}
  →  y = g^{(s' - s)/(c - c')}
  →  x = (s' - s)/(c - c') mod q
Zero-Knowledge Proofs: Security

Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).

Idea: one can simulate whatever Bob "sees" without knowing x. Guess the challenge: choose random c', s' and compute t = g^{s'} · y^{c'}; send t. If the verifier answers with c = c', send s = s' (the transcript verifies); otherwise rewind the verifier and restart.

Problem: if the domain of c is too large, the success probability of the guess becomes too small.
One way to modify the protocol to get a large domain for c: the verifier commits to its challenge first.

Prover (knows x)                          Verifier
                            <-- h --      random c_v, h = H(c_v)
random r, t = g^r           -- t -->
                            <-- c_v --
check h = H(c_v),           -- s -->      check t = g^s · y^{c_v}
s = r - c_v·x (mod q)

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security

Simulation of the modified protocol: after receiving h, the simulator sends some t (computed from random c', s' as before), receives c_v, and then "reboots" the verifier. The rebooted verifier must send the same h, since h is bound to c_v. The simulator now chooses random s', computes t' = g^{s'} · y^{c_v}, sends t', receives c_v again and answers with s'. The transcript (h, t', c_v, s') verifies and is distributed like a real one, and no guessing of the challenge was needed.
From Protocols to Signatures

Signing a message m:
- choose random r ∈ Z_q and compute t = g^r
- compute c = H(t || m) = H(g^r || m) and s = r - c·x (mod q)
- output (c, s)

Verifying a signature (c, s) on a message m:
- check c = H(g^s · y^c || m), i.e. recompute t = g^s · y^c and re-hash

Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"

Signature notation: SPK{(α): y = g^α}(m)
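The Schnorr protocol of the preceding slides, the knowledge extractor, the simulator and the Fiat-Shamir signature SPK{(α): y = g^α}(m), written out in Python as an added example (this is not the slides' or Identity Mixer's code). The group is a toy assumption: the safe prime p = 1019 = 2·509 + 1, subgroup order q = 509, generator g = 4; SHA-256 stands in for the random oracle H. A real deployment uses a 2048-bit p or an elliptic curve, with the protocol unchanged.

```python
"""Schnorr proof of knowledge of a discrete logarithm, PK{(alpha): y = g^alpha}, with the
knowledge extractor, the zero-knowledge simulator and the Fiat-Shamir signature SPK(m).
Added example, not the slides' code. Toy group (assumption): safe prime p = 1019 = 2*509 + 1,
q = 509, g = 4 of order q; with q this small the challenge space is only 9 bits."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def prover_commit():
    """Prover, move 1: random r, announce t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Prover, move 3: s = r - c*x mod q (the slides' convention)."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c (mod p)."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_interactive(x, y):
    """Honest run of the three-move protocol; returns the transcript (t, c, s)."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)                  # verifier's random challenge
    return t, c, prover_respond(x, r, c)


def extract(c1, s1, c2, s2):
    """Knowledge extractor: rewind the prover so that the same t is answered with two
    challenges c1 != c2. Then g^s1 y^c1 = g^s2 y^c2, so y^(c1-c2) = g^(s2-s1) and
    x = (s2 - s1) / (c1 - c2) mod q."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def simulate(y, c):
    """Zero-knowledge simulator: pick s first and set t = g^s y^c; the transcript (t, c, s)
    verifies although x is unknown. Against a real verifier the challenge must be known in
    advance (guessed for a small domain, or learned by rewinding, as on the slides)."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def _hash_challenge(t, m):
    """Fiat-Shamir: c = H(t || m) reduced into Z_q (SHA-256 as the random oracle, assumption)."""
    digest = hashlib.sha256(f"{t}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def spk_sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): Schnorr signature (c, s) on the message m."""
    r, t = prover_commit()
    c = _hash_challenge(t, m)
    return c, prover_respond(x, r, c)


def spk_verify(y, m, c, s):
    """Recompute t = g^s y^c and check c == H(t || m)."""
    return c == _hash_challenge(pow(G, s, P) * pow(y, c, P) % P, m)
```

`extract` is exactly the argument of the proof-of-knowledge slide: it never looks inside the prover, only at two transcripts sharing t. `simulate` is the zero-knowledge argument: transcripts can be produced without x, so they carry no information about it.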
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}

Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)

Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}

Intervals and groups of different order (under the strong RSA assumption):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis

Let g, h, C1, C2, C3 be group elements (of prime order q).

Now what does
  PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}}
mean?
→ The prover knows values α1, β1, α2, β2, α3, β3 such that C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = g^{α1} g^{α2} h^{β3} = g^{α1 + α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)

And what about
  PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5·α2} h^{β3} = g^{α1 + 5·α2} h^{β3}
→ α3 = α1 + 5·α2 (mod q)

Now what does
  PK{(α1, β1, α2, β2, α3, β3, γ): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{γ}}
mean?
→ The prover knows values α1, β1, α2, β2, α3, β3, γ such that C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = C2^{α1} h^{γ} = (g^{α2} h^{β2})^{α1} h^{γ} = g^{α2·α1} h^{γ + β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)   (and β3 = γ + β2·α1)

And what about
  PK{(α1, β1, α2, β2, γ): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{γ}}?
→ C2 = (g^{α1} h^{β1})^{α1} h^{γ} = g^{α1²} h^{β1·α1 + γ}
→ α2 = α1² (mod q)

Now what does
  PK{(α1, β1, α2, β2, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β3}}
mean?
→ The prover knows values α1, β1, α2, β2, β3 such that C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  g = (C2/C1)^{α1} h^{β3}, i.e. C2/C1 = g^{1/α1} h^{-β3/α1}
→ C2 = C1 · g^{1/α1} h^{-β3/α1} = g^{α1 + 1/α1} h^{β1 - β3/α1} = g^{α2} h^{β2}
→ α2 = α1 + α1^{-1} (mod q)   (and β2 = β1 - β3/α1; α1 must be non-zero)
Privacy-protecting authentication with Privacy ABCs: building blocks

Alice's presentation combines three building blocks: a signature scheme (a credential is a signature on attributes), a commitment scheme, and zero-knowledge proofs.

Signature schemes
Signature Scheme Functionality

- Key generation: the signer generates a secret signing key and a public verification key.
- Signing: on messages (m1, ..., mk), the signer computes σ = sig((m1, ..., mk), sk).
- Verification: anyone holding the public key checks ver(σ, (m1, ..., mk), pk) = true.

Signature Scheme Security: Unforgeability under Adaptive Chosen Message Attack

The adversary adaptively asks the signer for signatures σ1, ..., σl on messages m1, ..., ml of its choice. It wins if it outputs σ and m ≠ m_i (for all i) such that ver(σ, m, pk) = true; a secure scheme makes this infeasible.
RSA Signature Scheme (for reference)

Rivest, Shamir and Adleman, 1978

Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ.

Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n.

Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).

Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n).

Wanna do a proof of knowledge of a signature on a (hidden) message, e.g.
  PK{(μ, σ): σ^e = H(μ) (mod n)}?
But this is not a valid proof expression: the hidden message sits inside the hash function, and the discrete-logarithm proofs above can only handle secrets that appear as exponents. :-(
CL-Signature Scheme

Public key of the signer: an RSA modulus n and a_i, b, d ∈ QR_n. Secret key: the factors of n.

To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
- choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and a random integer s ≈ n
- compute c = (d / (a1^{m1} ··· ak^{mk} b^s))^{1/e} mod n
- the signature is (c, e, s)

To verify a signature (c, e, s) on messages m1, ..., mk: check m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}, and
  d = c^e a1^{m1} ··· ak^{mk} b^s mod n

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature

Recall d = c^e a1^{m1} a2^{m2} b^s mod n.

Observe: let c' = c · b^t mod n with randomly chosen t. Then d = c'^e a1^{m1} a2^{m2} b^{s - e·t} (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2. Since t is fresh, c' is unlinkable to c and can be shown in the clear.

To prove knowledge of a signature (c', e, s') on m2 and some hidden m1, provide c' and run
  PK{(ε, μ1, σ): d / a2^{m2} = c'^ε a1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ this proves d = c'^ε a1^{μ1} a2^{m2} b^σ, i.e. knowledge of a valid signature on (μ1, m2).
Privacy-protecting authentication with Privacy ABCs: building blocks (signature scheme, commitment scheme, zero-knowledge proofs)

Commitment schemes
Commitment Scheme Functionality

Think of a locked box: the committer puts a message m into the box and hands it over; later she opens the box and the receiver sees m.

Commitment Scheme Security
- Binding: the committer cannot open the box to a different message m' than the one she committed to.
- Hiding: for all messages m, m', the receiver cannot tell from the closed box which of the two was committed to.
Commitment Schemes

Group G = <g> = <h> of prime order q (with log_g h unknown).

To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)

To open a commitment:
- reveal x and r to the verifier
- the verifier checks whether c = g^x h^r

Pedersen's Commitment Scheme

Choose r ∈ Z_q and compute c = g^x h^r.

Perfectly hiding: let c be a commitment and u = log_g h. Then c = g^x h^r = g^{x + u·r}. For any x' there is an r' = r + (x - x')/u (mod q) with x' + u·r' = x + u·r, so that c = g^{x'} h^{r'}. I.e. given c, every x' is consistent with it: c carries no information about x.

Computationally binding: let c, (x, r) and (x', r') with x ≠ x' be such that c = g^x h^r = g^{x'} h^{r'}. Then g^{x - x'} = h^{r' - r}, and u = log_g h = (x - x')/(r' - r) mod q. Opening a commitment in two ways thus reveals the discrete logarithm of h, which is assumed to be hard to compute.
Commitment Scheme Extended Features

- Proof of knowledge of contents: the committer proves that she knows the message m in the box; the verifier outputs true without learning m.
- Proof of relations among contents: given two boxes containing m and m', the committer proves e.g. m' = 2·m without opening either.

Let C = g^m h^r and C' = g^{m'} h^{r'}. Then
  PK{(α, β): C = g^β h^α}                            proves knowledge of the content (β = m, α = r)
  PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}      proves m' = 2·m, since C' = g^{2β} h^γ
Putting things together

Realizing Pseudonyms and Key Binding

Let G = <g> = <h> of order q.
The user's secret key is a random sk ∈ Z_q.
To compute a pseudonym Nym:
- choose a random r ∈ Z_q
- compute Nym = g^{sk} h^r
A pseudonym is thus a Pedersen commitment to the secret key: one sk, and with fresh r an unlimited number of unlinkable pseudonyms.
Like PKI, but better: issuing a credential

Concept: credentials. The issuer certifies attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.

Realizing Issuance of a Credential

Recall a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a1^{m1} ··· ak^{mk} b^s mod n

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
  d = c^e a1^{sk} a2^{m2} ··· ak^{mk} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

The signer receives the clear-text messages (m_{j+1}, ..., mk) together with commitments to the hidden messages m1, ..., mj, and outputs σ = sig((commitments to m1, ..., mj), (m_{j+1}, ..., mk), sk). The holder ends up with σ such that ver(σ, (m1, ..., mk), pk) = true; verification remains unchanged.

Security requirements are basically the same as for signatures, but
- the signer should not learn any information about m1, ..., mj
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential

Issuer public key: n, a_i, b, d.

1. User: chooses s', computes the commitment C = a1^{sk} b^{s'} mod n, and sends C together with the clear attribute "name".
2. User proves PK{(μ1, σ): C = a1^{μ1} b^σ}.
3. Issuer: chooses a prime e and s'', computes c = (d / (C a2^{name} b^{s''}))^{1/e} mod n, and returns (c, e, s'').
4. User: the credential is (c, e, s' + s''), since d = c^e a1^{sk} a2^{name} b^{s'' + s'} (mod n).
Realizing Issuance of a Credential w.r.t. a pseudonym

Want to sign w.r.t. Nym = g^{sk} h^r, so that the issuer can record to which pseudonym the credential was issued.

1. User: computes C = a1^{sk} a2^r b^{s'} and sends C, Nym and name.
2. User proves PK{(μ1, ρ, σ): Nym = g^{μ1} h^ρ ∧ C = a1^{μ1} a2^ρ b^σ}, which binds the commitment to the pseudonym (same sk and r in both).
3. Issuer: stores (Nym, name); chooses a prime e and s''; computes c = (d / (C a3^{name} b^{s''}))^{1/e} mod n; returns (c, e, s'').
4. User: credential (c, e, s' + s'') with d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n).
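The CL-signature slides (signing, verification, re-randomisation, proof of knowledge of a signature) and the issuance slides just above (signing a committed secret key plus clear attributes), as one added Python example. This is not the slides' or Identity Mixer's code. Toy assumptions: a 64-bit modulus n with random primes found by Miller-Rabin, 16-bit messages, 80-bit Fiat-Shamir challenges, and no range proofs for m_i ∈ {0,1}^ℓ and e > 2^{ℓ+1} (the verifier checks the ranges only where the values are in the clear). Responses of the proofs are computed over the integers, as required in a group of unknown order.

```python
"""Toy CL (Camenisch-Lysyanskaya) signatures: key generation, issuing a credential on a
committed secret key plus clear attributes, verification, re-randomisation of (c, e, s), and
a proof of knowledge of a signature that reveals only chosen attributes. Added example, not
the slides' or Identity Mixer's code. Parameters (64-bit n, 16-bit messages, 80-bit challenges)
are toy assumptions; range proofs for hidden messages and e are not implemented."""
import hashlib
import secrets

N_BITS, L = 64, 16
S_BITS = N_BITS + L + 16        # |s| so that s - e*t stays positive after re-randomisation
C_BITS, SLACK = 80, 80          # challenge length, statistical-hiding slack of the responses

def is_probable_prime(n, rounds=16):
    """Miller-Rabin (toy helper)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(lo, hi):
    while True:
        cand = secrets.randbelow(hi - lo) + lo
        if is_probable_prime(cand):
            return cand

def _mexp(n, bases, exps):
    acc = 1
    for base, x in zip(bases, exps):
        acc = acc * pow(base, x, n) % n
    return acc

def _challenge(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") >> (256 - C_BITS)

def pok_prove(n, target, bases, xs, bits):
    """Fiat-Shamir PK{(x_i): target = prod bases_i^x_i mod n} in a group of unknown order:
    r_i has |x_i| + C_BITS + SLACK bits and the responses z_i = r_i + c*x_i are integers."""
    rs = [secrets.randbits(bl + C_BITS + SLACK) for bl in bits]
    t = _mexp(n, bases, rs)
    c = _challenge(n, target, bases, t)
    return c, [r + c * x for r, x in zip(rs, xs)]

def pok_verify(n, target, bases, proof):
    c, zs = proof
    t = _mexp(n, bases, zs) * pow(target, -c, n) % n     # prod b^z == t * target^c
    return c == _challenge(n, target, bases, t)

def cl_keygen(k):
    """Public key (n, [a_1..a_k], b, d) with a_i, b, d in QR_n; secret key (p, q)."""
    p = random_prime(2 ** (N_BITS // 2 - 1), 2 ** (N_BITS // 2))
    q = random_prime(2 ** (N_BITS // 2 - 1), 2 ** (N_BITS // 2))
    n = p * q
    qr = [pow(secrets.randbelow(n - 2) + 2, 2, n) for _ in range(k + 2)]
    return (n, qr[:k], qr[k], qr[k + 1]), (p, q)

def user_commit(pk, sk_user):
    """User: C = a_1^sk b^s' and PK{(mu, sigma): C = a_1^mu b^sigma} (signing a hidden message)."""
    n, a, b, _ = pk
    s1 = secrets.randbits(S_BITS)
    C = _mexp(n, [a[0], b], [sk_user, s1])
    return C, s1, pok_prove(n, C, [a[0], b], [sk_user, s1], [L, S_BITS])

def cl_issue(pk, sk, C, proof, clear_msgs):
    """Issuer: check the commitment proof, pick a prime e and s'', and return
    c = (d / (C * prod_{i>=2} a_i^m_i * b^s''))^(1/e) mod n together with (e, s'')."""
    n, a, b, d = pk
    if not pok_verify(n, C, [a[0], b], proof):
        raise ValueError("commitment proof failed")
    phi = (sk[0] - 1) * (sk[1] - 1)
    while True:
        e = random_prime(2 ** (L + 1) + 1, 2 ** (L + 2))
        if phi % e:                                   # need gcd(e, phi(n)) = 1
            break
    s2 = secrets.randbits(S_BITS) | 1 << (S_BITS - 1)
    base = C * _mexp(n, a[1:], clear_msgs) * pow(b, s2, n) % n
    return pow(d * pow(base, -1, n) % n, pow(e, -1, phi), n), e, s2

def cl_verify(pk, msgs, sig):
    """d == c^e * prod a_i^m_i * b^s (mod n), with the range checks on e and m_i."""
    n, a, b, d = pk
    c, e, s = sig
    in_range = 2 ** (L + 1) < e < 2 ** (L + 2) and all(0 <= m < 2 ** L for m in msgs)
    return in_range and d == pow(c, e, n) * _mexp(n, a, msgs) * pow(b, s, n) % n

def cl_present(pk, msgs, sig, reveal):
    """Re-randomise (c, e, s) -> (c' = c b^t, e, s - e t) and prove knowledge of a signature on
    msgs, revealing only the attributes whose indices are listed in `reveal`."""
    n, a, b, d = pk
    c, e, s = sig
    t = secrets.randbits(N_BITS)
    c2, s2 = c * pow(b, t, n) % n, s - e * t
    hidden = [i for i in range(len(msgs)) if i not in reveal]
    target = d * pow(_mexp(n, [a[i] for i in reveal], [msgs[i] for i in reveal]), -1, n) % n
    proof = pok_prove(n, target, [c2] + [a[i] for i in hidden] + [b],
                      [e] + [msgs[i] for i in hidden] + [s2], [L + 2] + [L] * len(hidden) + [S_BITS])
    return c2, {i: msgs[i] for i in reveal}, proof

def cl_verify_presentation(pk, c2, revealed, proof):
    n, a, b, d = pk
    hidden = [i for i in range(len(a)) if i not in revealed]
    target = d * pow(_mexp(n, [a[i] for i in revealed], list(revealed.values())), -1, n) % n
    return pok_verify(n, target, [c2] + [a[i] for i in hidden] + [b], proof)
```

The user's secret key is message m1 and is never seen by the issuer: it enters the signature only through the commitment C, exactly as on the issuance slides. At presentation time the verifier sees c' (not c), the revealed attributes, and a proof for the equation d / ∏_{revealed} a_i^{m_i} = c'^ε ∏_{hidden} a_i^{μ_i} b^σ.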
An Example Scenario

Polling Scenario and Requirements

Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.

Polling: Solution, Registration

The user generates a pseudonym (her ID for registration) and obtains a credential on it stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a1^{sk} a2^r a3^{attr} b^s (mod n)
under the issuer key (n, a1, a2, a3, b, d). The credential can contain attributes (e.g. a course ID) about her.

Polling: Solution, Submit Poll

1. The user generates a domain pseudonym for the domain = pollID.
2. The user transforms (re-randomises) her credential.
3. She shows the transformed credential with a subset of the attributes:
   - the user is anonymous and unlinkable
   - multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling: Solution, Polling

1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}. P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption), while two submissions to the same poll yield the same P.
2. The user transforms her credential, c' = c · b^t mod n with randomly chosen t (so the signature becomes (c', e, s - e·t)), and signs her opinion with
   SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
   The shared μ1 ties the domain pseudonym to the secret key inside the credential.
Further Concepts

Concept: Inspection

Inputs: inspector parameters (the TTP's public key) and inspection grounds (the conditions under which inspection is allowed).
- If the car is damaged, the driver's ID needs to be retrievable by the insurance or the government.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption

Key generation, encryption (with the public key), decryption (with the secret key).

Security: like envelopes, a ciphertext reveals no information about the message. The adversary picks two messages, receives the encryption of one of them, and cannot tell which one it is. This is called semantic security (secure if a key is used once only, or within a careful construction).

Verifiable Encryption with Label

The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a ciphertext under a changed label counts as a new ciphertext, so decryptions under other labels do not help an attacker.

Verifiable Encryption: the encryptor proves in zero knowledge that the ciphertext contains a value satisfying some relation, e.g. the attribute or pseudonym certified in a credential.
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme

Group G = <g> of order q.
Secret key: x ∈ {1, ..., q}. Public key: y = g^x.

To encrypt a message m ∈ <g>:
- choose a random r ∈ {1, ..., q}
- compute c = (y^r · m, g^r)

To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r · m, g^r) = (g^{xr} · m, g^r)
- thus set m = c1 · c2^{-x} = y^r · m · g^{-xr} = g^{xr - xr} · m = m
Realizing Inspection

Alice holds Nym = g^{sk} h^r and the credential d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n); the inspector's ElGamal public key is y = g^x.

Encrypt Nym: choose a random u ∈ {1, ..., q} and compute enc = (y^u · Nym, g^u) = (e1, e2).

Compute the proof token (presentation token):
- compute c' = c · b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, μ1, μ2, μ3, ρ, σ): d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
The same μ1, μ2 appear in the credential equation and in e1, so the verifier is convinced that the ciphertext contains exactly the pseudonym the credential was issued to, while only the inspector can decrypt it.
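A Python example, added here and not the slides' or Identity Mixer's code, that implements the prime-order-group half of the token above: the ElGamal encryption of a pseudonym with a proof that the same secret key sits in the ciphertext and in a domain pseudonym. It also covers two earlier passages that need the same machinery, the Pedersen "relations among contents" proof (C' commits to 2m) and pseudonyms as commitments to sk. It goes beyond the slides in one respect: the prover and verifier accept any conjunction of equations target = ∏ base^{x_i} with exponents shared across equations, of which the slides' statements are instances. Assumptions: the toy group p = 1019, q = 509, g = 4, h = 9 with log_g h unknown; SHA-256 as the Fiat-Shamir hash and for hash-to-group; the CL-signature equation and the range proofs of the token are left out.

```python
"""Fiat-Shamir proofs for compound discrete-log statements PK{(x_i): T_j = prod base^x_i},
applied to the slides' commitment relation, pseudonym key binding and inspection token.
Added example; toy group (assumption): p = 1019 = 2*509 + 1, q = 509, g = 4, h = 9 with
log_g h unknown to everyone. Range proofs and the CL-signature part of the token are omitted."""
import hashlib
import secrets

P, Q, G, H = 1019, 509, 4, 9


def _mexp(pairs):
    """prod base^exp mod p over a list of (base, exp)."""
    acc = 1
    for base, exp in pairs:
        acc = acc * pow(base, exp, P) % P
    return acc


def _challenge(eqs, ts, context):
    """c = H(statement || announcements || context) reduced into Z_q."""
    data = repr([(t, [(b, n) for b, n in terms]) for t, terms in eqs]) + repr(ts) + context
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % Q


def prove(eqs, witness, context=""):
    """eqs: list of (target, [(base, name), ...]) meaning target = prod base^witness[name].
    A name used in several equations is what turns this into a proof of a relation.
    Returns (c, {name: s}) with s = r - c*x mod q, the slides' convention."""
    r = {name: secrets.randbelow(Q) for name in witness}
    ts = [_mexp([(b, r[n]) for b, n in terms]) for _, terms in eqs]
    c = _challenge(eqs, ts, context)
    return c, {name: (r[name] - c * x) % Q for name, x in witness.items()}


def verify(eqs, proof, context=""):
    """Recompute t_j = prod base^s * target^c and check that the challenge matches."""
    c, s = proof
    ts = [_mexp([(b, s[n]) for b, n in terms] + [(target, c)]) for target, terms in eqs]
    return c == _challenge(eqs, ts, context)


def hash_to_group(domain):
    """g_d = H(domain): hash into Z_p^* and square to land in the order-q subgroup (assumption)."""
    v = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % (P - 2) + 2
    v = pow(v, 2, P)
    return v if v != 1 else G


def make_pseudonym(sk):
    """Nym = g^sk h^r, a Pedersen commitment to the secret key; returns (Nym, r)."""
    r = secrets.randbelow(Q)
    return pow(G, sk, P) * pow(H, r, P) % P, r


def _double_eqs(c1, c2):
    return [(c1, [(G, "m"), (H, "r1")]), (c2, [(pow(G, 2, P), "m"), (H, "r2")])]


def prove_double(m, r1, r2):
    """Slide relation: C = g^m h^r1 and C' = g^(2m) h^r2 commit to m and 2m."""
    c1 = pow(G, m, P) * pow(H, r1, P) % P
    c2 = pow(G, 2 * m, P) * pow(H, r2, P) % P
    return c1, c2, prove(_double_eqs(c1, c2), {"m": m, "r1": r1, "r2": r2})


def verify_double(c1, c2, proof):
    return verify(_double_eqs(c1, c2), proof)


def elgamal_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def elgamal_decrypt(x, ct):
    e1, e2 = ct
    return e1 * pow(e2, Q - x, P) % P          # m = e1 / e2^x


def _inspect_eqs(gd, pd, ct, y):
    e1, e2 = ct
    return [(pd, [(gd, "sk")]),                     # P  = g_d^sk
            (e1, [(y, "u"), (G, "sk"), (H, "r")]),  # e1 = y^u * g^sk h^r = y^u * Nym
            (e2, [(G, "u")])]                       # e2 = g^u


def present_with_inspection(sk, r, nym, domain, y):
    """User: domain pseudonym P = g_d^sk, ElGamal encryption (e1, e2) of Nym under the
    inspector key y, and a proof that the same sk sits in P and in the encrypted Nym."""
    gd = hash_to_group(domain)
    pd = pow(gd, sk, P)
    u = secrets.randbelow(Q)
    ct = (pow(y, u, P) * nym % P, pow(G, u, P))
    proof = prove(_inspect_eqs(gd, pd, ct, y), {"sk": sk, "r": r, "u": u}, context=domain)
    return pd, ct, proof


def verify_presentation(pd, ct, proof, domain, y):
    """Verifier: learns P and the ciphertext only; Nym stays hidden until inspection."""
    return verify(_inspect_eqs(hash_to_group(domain), pd, ct, y), proof, context=domain)
```

The verifier never sees Nym: it checks that (e1, e2) is an encryption of some g^{sk} h^r whose sk also opens the domain pseudonym, and stores the ciphertext as inspection grounds. The inspector later recovers Nym with elgamal_decrypt and looks it up in the issuer's (Nym, name) records.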
Revocation of credentials

Anonymous Credential Revocation

The issuer (or a revocation authority) publishes revocation info, and the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.

There are various reasons to revoke a credential: the user lost the credential secret key, or the user misbehaved.

Because Alice shows up under pseudonyms, standard revocation lists (of identities or serial numbers) don't work.
Revocable Credentials: First Solution

Include into the credential some credential ID u_i as a message, e.g.
  d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk).

Alice proves that her u_i is on the list:
- choose a random g
- compute U_j = g^{u_j} for each u_j in (u1, ..., uk)
- prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}

Not very efficient, i.e. linear in the size k of the list. :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID u_i as a message, e.g.
  d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u1, ..., uk).

Alice proves that her u_i is not on the list:
- choose a random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
- the verifier checks that U ≠ h^{u_j} for all u_j on the list

Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

What happens if we make the list of all valid u_i's public instead? Then a verifier can test U against every entry and identify the credential. And even with the invalid list: if a credential is revoked, its u_i becomes public and all past transactions (stored pairs h, U) become linkable.

Variation: the verifier could choose h and keep it fixed for a while. It can then pre-compute the list U_j = h^{u_j} → a single table lookup. BUT if the user comes again, the verifier can link the two visits (same U). ALSO the verifier could decide not to change h at all, or to use the same h as other verifiers, which links across verifiers.
- One way out: h = H(verifier, date), so that the user can check its correctness.
- The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution, a better implementation of the proof

Idea: the issuer signs the intervals between revoked values. With revocation list {1, 4, 5} and IDs in (0, N), it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N).

A user whose credential contains u = 3 proves that she knows a signature Sig(i, j) on an interval with i < u < j (here (1, 4)). The verifier learns neither i, j nor u.

Sig(i, j) can be realised with the credential signature scheme as well, using a different public key.
Revocable Credentials: Third Solution, using cryptographic accumulators

Credentials contain a random serial number; the issuer accumulates all good serial numbers (the figure shows an accumulator containing 1, ..., 6) into one public value.

A user proves that her serial number (e.g. 2) is included in the accumulator; the proof requires a witness for her number.

To revoke 2, the issuer publishes a new accumulator (now containing 1, 3, 4, 5, 6) and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.

Accumulate:
- values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- the witness value x for e_j, such that z = x^{e_j} mod n, can be computed as x = v^{e1 ··· e_{j-1} · e_{j+1} ··· ek} mod n

Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n

Security of the accumulator: show x, e such that z = x^e mod n for an e that is not contained in the accumulator.
- For a fixed e: equivalent to the RSA assumption
- Any e: equivalent to the Strong RSA assumption

Revocation: each cert is associated with an e, and each user gets the witness x with her certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key e (the prime in your certificate) is in the accumulator:
- commit to the witness x: choose random s and g, compute U1 = x · h^s, U2 = g^s, and reveal U1, U2, g
- run the proof protocol with the verifier
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}

Analysis:
- No information about x and e is revealed: (U1, U2) is a secure commitment to x, and the proof protocol is zero-knowledge.
- The proof indeed shows that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 · h^{-δ})^μ (mod n), i.e. z = x^μ for the committed x = U1 · h^{-δ}
  c) d = c^ε a1^ρ a2^μ b^σ (mod n): the same μ is the e in the certificate
Revocation, Third Solution: Dynamic Accumulator

When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n

When a certificate containing e_rev is revoked:
- now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n (the issuer computes this with the factorisation of n)
- witness update for an unrevoked e_own: use Ext. Euclid to compute a and b such that a·e_own + b·e_rev = 1, and set x' = x^b · z'^a mod n
- why: x'^{e_own} = x^{b·e_own} · z'^{a·e_own} = z^b · z'^{a·e_own} = z'^{b·e_rev} · z'^{a·e_own} = z'^{a·e_own + b·e_rev} = z' mod n  :-)

Revocation, Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and give the newcomer x = z^{1/e_new} mod n
- thus z need not change when a new member joins

Witnesses need to be recomputed upon revocation only.
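The accumulator of the third solution in Python, as an added example that is not the slides' or Identity Mixer's code: accumulation, witnesses, the membership check, adding a member with and without the factorisation of n, revocation, and the witness update via extended Euclid from the slide above. The modulus n = 10007 · 10009 and the seed v = 4 are toy assumptions (a real issuer uses a 2048-bit modulus whose factorisation only it knows); the accumulated values are small primes standing in for the e_i carried in credentials.

```python
"""RSA accumulator for credential revocation (the slides' third solution). Added example, not
the slides' or Identity Mixer's code. Toy modulus n = 10007 * 10009 and seed v = 4 are
assumptions; accumulated values are the primes e_i carried in credentials."""
import math

P, Q = 10007, 10009
N, PHI = P * Q, (P - 1) * (Q - 1)      # PHI is the issuer's secret
V = 4                                   # seed v (a quadratic residue mod n)


def accumulate(values):
    """z = v^(prod e_i) mod n, computed as iterated exponentiation."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j):
    """Witness x_j = v^(prod_{i != j} e_i) mod n, so that z = x_j^e_j; no secret needed."""
    x = V
    for e in values:
        if e != e_j:
            x = pow(x, e, N)
    return x


def check(z, x, e):
    """Verifier: e is accumulated iff z == x^e (mod n)."""
    return z == pow(x, e, N)


def add_member_public(z, witnesses, e_new):
    """Anyone can add e_new: z' = z^e_new, and every old witness becomes x' = x^e_new.
    The newcomer's witness is the old z."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def add_member_issuer(z, e_new):
    """Issuer knowing phi(n): z is unchanged, the newcomer gets x = z^(1/e_new)
    (implicitly v' = v^(1/e_new)), so nobody else has to update anything."""
    if math.gcd(e_new, PHI) != 1:
        raise ValueError("e_new must be coprime to phi(n)")
    return pow(z, pow(e_new, -1, PHI), N)


def revoke(z, e_rev):
    """Issuer: z' = z^(1/e_rev) mod n, i.e. e_rev is removed from the product."""
    if math.gcd(e_rev, PHI) != 1:
        raise ValueError("e_rev must be coprime to phi(n)")
    return pow(z, pow(e_rev, -1, PHI), N)


def _ext_gcd(u, w):
    """Extended Euclid: (a, b) with a*u + b*w = gcd(u, w)."""
    old_r, r, old_a, a, old_b, b = u, w, 1, 0, 0, 1
    while r:
        k = old_r // r
        old_r, r, old_a, a, old_b, b = r, old_r - k * r, a, old_a - k * a, b, old_b - k * b
    return old_a, old_b


def update_witness(x, e_own, z_new, e_rev):
    """Unrevoked user, without phi(n): with a*e_own + b*e_rev = 1 set x' = x^b * z_new^a, since
    x'^e_own = z_old^b * z_new^(a*e_own) = z_new^(b*e_rev + a*e_own) = z_new (mod n)."""
    a, b = _ext_gcd(e_own, e_rev)
    return pow(x, b, N) * pow(z_new, a, N) % N
```

Negative exponents in pow() are modular inverses (Python 3.8+), which is what the Bezout coefficients a, b need. Note that the revoked user cannot run update_witness for her own e_rev: extended Euclid on (e_rev, e_rev) gives no coefficients with a·e_rev + b·e_rev = 1.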
Revocation, Zeroth Solution: Update of Credentials

Encode the validity time as an attribute:
- no additional effort for the verifier
- if the credential is valid (its time attribute is current), there is no need to check revocation updates from the issuer

Re-issue certificates (off-line, as an interaction might be too expensive). Recall issuing for Identity Mixer:
- the user sends U = a1^{m1} a2^{m2} b^{s'}
- the issuer chooses e, s'' and computes c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n
- the issuer returns (c, e, s'')

Idea: just repeat the last step for each new time_i:
- choose e_i, s_i''
- c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
- the update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions

Roadmap
- explain the possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)

Challenges
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell

Towards a secure information society
- society changes quickly and gets shaped by technology
- the consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you

eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code: github.com/p2abcengine & abc4trust.eu/idemix
References

D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185-215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology - CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
Watching the movie with the traditional solution
Alice – Movie Streaming Service, with OpenID and similar solutions, e.g. log-in with Facebook.
The log-in provider learns: "Aha, Alice is watching a 12+ movie."
The service learns: "Aha, you are Alice@facebook.com, born on Dec 12, 1975; Alice's friends are …; Alice's public profile is …; Mplex Customer 1029347, Premium Subscription, expires Jan 13, 2016."

Identity Mixer solves this
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.

Like PKI, but better
Privacy-protecting authentication with IBM Identity Mixer:
• one secret identity (secret key)
• many public pseudonyms (public keys)

Like PKI, but better: issuing a credential
Privacy-protecting authentication with IBM Identity Mixer: the issuer certifies Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.

Privacy-protecting authentication with IBM Identity Mixer (Privacy ABCs)
Alice: "I wish to see Alice in Wonderland."
Movie Streaming Service: "You need – a subscription – to be older than 12."
Like PKI, but Alice does not send the credential, only a minimal disclosure:
– valid subscription
– eID with age ≥ 12
The Movie Streaming Service checks the disclosure with the public verification key of the issuer and learns only: "Aha, you are – older than 12 – have a subscription."
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28).

Further Concepts
Concept – Inspection
• Involves a trusted third party (TTP).
• If the car is damaged, the ID with insurance or government needs to be retrieved.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line and can be distributed to lessen trust.

Concept – Revocation
• If Alice was speeding, her license needs to be revoked.
• There are many different use cases and many solutions:
  – variants of CRLs work (using crypto to maintain anonymity)
  – accumulators
  – signing entries and proving membership
  – limited validity – certificates need to be updated
• For proving age, a revoked driver's license still works.
• The revocation authority publishes its parameters (public key) and the revocation information.

Concept – Usage Limitation
The degree of anonymity can be limited:
• If Alice and Eve are on-line at the same time, they are caught.
• Use limitation – anonymous until
  – Alice used certificates > 100 times in total, or
  – > 10,000 times with Bob.
• Alice's certificate can be bound to a hardware token (e.g. TPM).
A couple of use cases

Age verification
• Movie streaming services
• Gaming industry
• Online gambling platforms
• Dating websites
• Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.

Healthcare
• Anonymous access to patients' records – accessing medical test results
• Anonymous consultations with specialists – online chat with a psychologist; online consultation with IBM Watson
• Eligibility for the premium health insurance – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
• Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
• Patent databases
• DNA databases
• News/journals/magazines
• Transportation tickets, toll roads
• Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
• Online polls – applying different restrictions on the poll participants: location, citizenship
• Rating and feedback platforms – anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.

Towards Realizing Anonymous Credentials
A Software Stack View on Identity Mixer
Three layers on both the user's and the verifier's side:
• Application layer: the user's application issues a resource request; on the verifier's side sit the access-control and application logic (AC & app logic).
• Policy layer: the verifier answers with a presentation policy and the user replies with a presentation token. The user's wallet contains a policy/credential matcher, a credential manager with its store and the evidence generator (orchestration); the verifier's side contains a policy/token matcher, a token manager with its store and the evidence verifier (orchestration).
• Crypto layer (on both sides): signature, encryption and commitment schemes and zero-knowledge proofs (Sig, Enc, Com, ZKP).
Privacy-protecting authentication with Privacy ABCs
Artifacts involved in a presentation: the credential specification, the issuer parameters, the credential itself, the user's pseudonym, the verifier parameters, the presentation policy sent by the verifier and the presentation token sent back by the user, proving e.g. 12 < age.

The Policy Layer – An Example Presentation Policy
User ← presentation policy ← Verifier; User → presentation token → Verifier.
The policy requires a "voucher" credential from the given specification and issuer whose Expires attribute is at or after 2014-06-17T14:06:00Z (dateTime-geq):

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
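Added example (Python; not from the slides and not part of the Identity Mixer or ABC4Trust code): a minimal policy/credential matcher for the presentation policy above. It parses the policy, extracts the accepted credential specification and issuer for each alias and evaluates the attribute predicate against the credentials in a wallet. The namespace URI urn:example:abc, the wallet representation as dictionaries and the sample credentials are all made up for this example; only the dateTime-geq comparison named in the policy is implemented.

```python
# Added example: evaluating the slide's presentation policy against a wallet.
# Namespace URI, wallet format and sample credentials are constructed here;
# the real ABC4Trust schema uses its own namespace.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"abc": "urn:example:abc"}   # placeholder namespace for the abc: prefix

POLICY_XML = """<abc:PresentationPolicy xmlns:abc="urn:example:abc"
    PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message><abc:ApplicationData>Terms and Conditions</abc:ApplicationData></abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>"""


def parse_dt(text):
    """xs:dateTime as used in the policy (UTC with a 'Z' suffix)."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ")


# Only the function the slide's policy uses; a real engine maps every XACML function.
PREDICATES = {"dateTime-geq": lambda attr, const: parse_dt(attr) >= parse_dt(const)}


def parse_policy(xml_text):
    """Extract, per credential alias, the accepted specs/issuers, plus all predicates."""
    root = ET.fromstring(xml_text)
    creds = {}
    for cred in root.findall("abc:Credential", NS):
        creds[cred.get("Alias")] = {
            "spec": [e.text for e in cred.findall(".//abc:CredentialSpecUID", NS)],
            "issuer": [e.text for e in cred.findall(".//abc:IssuerParametersUID", NS)],
        }
    preds = []
    for pred in root.findall("abc:AttributePredicate", NS):
        attr = pred.find("abc:Attribute", NS)
        preds.append({
            "function": pred.get("Function").rsplit(":", 1)[-1],   # "dateTime-geq"
            "alias": attr.get("CredentialAlias"),
            "attribute": attr.get("AttributeType"),
            "constant": pred.find("abc:ConstantValue", NS).text,
        })
    return {"uid": root.get("PolicyUID"), "credentials": creds, "predicates": preds}


def satisfiable(policy, wallet):
    """Policy/credential matcher: for every alias the wallet must hold a credential
    from an accepted spec and issuer that satisfies every predicate on that alias.
    wallet: list of {"spec": ..., "issuer": ..., "attributes": {...}} dicts."""
    for alias, req in policy["credentials"].items():
        candidates = [c for c in wallet
                      if c["spec"] in req["spec"] and c["issuer"] in req["issuer"]]
        preds = [p for p in policy["predicates"] if p["alias"] == alias]
        if not any(all(PREDICATES[p["function"]](c["attributes"][p["attribute"]], p["constant"])
                       for p in preds) for c in candidates):
            return False
    return True


# Constructed sample wallet: one expired voucher and one that is still valid.
EXPIRED = {"spec": "https://movies.com/specifications/voucher",
           "issuer": "https://movies.com/parameters/voucher",
           "attributes": {"Expires": "2014-01-01T00:00:00Z"}}
VALID = dict(EXPIRED, attributes={"Expires": "2015-01-01T00:00:00Z"})
```

With only the expired voucher in the wallet the matcher reports that the policy cannot be satisfied; with the valid one it can, and the evidence generator would then build the presentation token for that credential.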
So let's look at the cryptography

Required Technologies
• Encryption schemes
• Signature schemes
• Commitment schemes
• Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response).
Properties:
• zero-knowledge: the verifier learns nothing about the prover's secret
• proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
• completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x$ such that $y = g^x$, while the verifier learns only $y$ and $g$.
Prover: random $r$, computes $t = g^r$ and sends $t$.
Verifier: random $c$, sends $c$.
Prover: computes $s = r - cx \pmod q$ and sends $s$.
Verifier: checks $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: proof of knowledge
If a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same state: the same $t$, but two different challenges $c \neq c'$ with responses $s$ and $s'$:
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
Simulator: choose random $c'$ and $s$, compute $t = g^s y^{c'}$ and send $t$; if the verifier's challenge $c$ equals $c'$, send $s$; otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
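Added example (Python; not from the slides): the three-move protocol of the previous slides in the slides' notation ($t = g^r$, $s = r - cx$, check $t = g^s y^c$), the knowledge extractor from the soundness argument (two transcripts with the same $t$) and both simulators from the zero-knowledge argument, including the rewinding one whose cost grows with the challenge domain. The group parameters are an assumption made for readability: the Mersenne prime $p = 2^{127} - 1$, the prime $q = 77158673929$ dividing $p - 1$, and $g = 3^{(p-1)/q}$ as generator of the order-$q$ subgroup; the interactive challenge is deliberately limited to 8 bits so that the rewinding simulator terminates quickly.

```python
# Added example: Schnorr's proof of knowledge of a discrete logarithm, its
# extractor and its simulators. Toy group parameters (assumption), not
# production sizes.
import secrets

P = 2**127 - 1                 # Mersenne prime, used as a toy modulus
Q = 77158673929                # prime factor of p - 1 = 2 (2^63 - 1)(2^63 + 1); the order of <g>
G = pow(3, (P - 1) // Q, P)    # generator of the order-q subgroup
assert G != 1
CHALLENGE_BITS = 8             # interactive challenge domain, kept small on purpose


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Move 1: random r, send t = g^r (r is kept for the response)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2: a random challenge c from the (small) challenge domain."""
    return secrets.randbelow(2**CHALLENGE_BITS)


def prover_respond(x, r, c):
    """Move 3: s = r - c x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Accept iff t = g^s y^c; for an honest prover g^(r - cx) g^(xc) = g^r."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    """One honest execution of the three-move protocol."""
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor: reset the black-box prover after t and feed it two
    challenges. From t = g^s1 y^c1 = g^s2 y^c2 follows y^(c2 - c1) = g^(s1 - s2),
    hence x = (s1 - s2) / (c2 - c1) mod q."""
    if c1 == c2:
        raise ValueError("the two transcripts must use different challenges")
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q


def simulate(y):
    """Zero-knowledge: without x, pick c and s first and set t = g^s y^c; the
    transcript verifies and is distributed like a real one."""
    c, s = secrets.randbelow(2**CHALLENGE_BITS), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def simulate_by_rewinding(y, verifier):
    """The slides' simulator against a resettable verifier: guess c', prepare t
    for it, and restart the verifier until its challenge matches. Expected
    2^CHALLENGE_BITS restarts, which is why a large challenge domain breaks it."""
    restarts = 0
    while True:
        c_guess, s = secrets.randbelow(2**CHALLENGE_BITS), secrets.randbelow(Q)
        t = pow(G, s, P) * pow(y, c_guess, P) % P
        if verifier(t) == c_guess:
            return (t, c_guess, s), restarts
        restarts += 1
```

Raising CHALLENGE_BITS to, say, 40 leaves the protocol, the extractor and simulate() working unchanged, but simulate_by_rewinding() then needs on the order of $2^{40}$ restarts; that gap is the problem the next slides address.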
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms: one way to modify the protocol to get a large domain for $c$
Verifier: random $c_v$, computes $h = H(c_v)$ and sends $h$ (a commitment to the challenge).
Prover: random $r$, computes $t = g^r$ and sends $t$.
Verifier: sends $c_v$ (opens the commitment).
Prover: checks $h = H(c_v)$, computes $s = r - c_v x$ and sends $s$.
Verifier: checks $t = g^s y^{c_v}$.
Notation: $PK\{(\alpha): y = g^\alpha\}$

Zero-Knowledge Proofs: security of the modified protocol
Simulator: choose random $c'$ and $s$, compute $t = g^s y^{c'}$ and send $t$; after having received $c_v$, "reboot" the verifier (it sends the same $h$ again); choose random $s'$, compute $t' = g^{s'} y^{c_v}$, send $t'$, receive $c_v$ again and send $s'$.
From Protocols to Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \pmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$

Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min\{\mathrm{ord}(g), \mathrm{ord}(\mathbf{g})\}]\}$
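Added example (Python; not from the slides): the Fiat-Shamir transform of the protocol as the slides define it, $c = H(t \| m)$, $s = r - cx \bmod q$, verification $c = H(g^s y^c \| m)$, giving $SPK\{(\alpha): y = g^\alpha\}(m)$, together with one of the logical combinations, $SPK\{(\alpha): y = g^\alpha \wedge z = h^\alpha\}(m)$, which proves that two discrete logarithms are equal with a single response. Group parameters are the same assumption as in the earlier example ($p = 2^{127} - 1$, $q = 77158673929$, $g = 3^{(p-1)/q}$, $h = 5^{(p-1)/q}$); SHA-256 stands in for the random oracle and its full output is used as the challenge, so the challenge domain is large.

```python
# Added example: Schnorr signatures as SPK{(α): y = g^α}(m) and the AND
# combination SPK{(α): y = g^α ∧ z = h^α}(m). Toy group (assumption).
import hashlib
import secrets

P = 2**127 - 1
Q = 77158673929                 # prime order of the subgroup generated by G and H
G = pow(3, (P - 1) // Q, P)
H = pow(5, (P - 1) // Q, P)     # second generator derived from a constant, no known relation to G


def hash_challenge(elements, message):
    """c = H(t_1 || ... || t_k || m): all 256 bits of SHA-256 are kept as the challenge."""
    data = b"".join(e.to_bytes(16, "big") for e in elements) + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def spk_sign(x, message):
    """t = g^r, c = H(t || m), s = r - c x mod q; the signature is (c, s)."""
    r = secrets.randbelow(Q)
    c = hash_challenge([pow(G, r, P)], message)
    return c, (r - c * x) % Q


def spk_verify(y, message, signature):
    """Recompute t = g^s y^c and check that it hashes, with m, to the c received."""
    c, s = signature
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == hash_challenge([t], message)


def spk_sign_equal(x, message):
    """SPK{(α): y = g^α ∧ z = h^α}(m): one r, one c and one s serve both equations
    because they share the exponent (y = g^x, z = h^x)."""
    r = secrets.randbelow(Q)
    c = hash_challenge([pow(G, r, P), pow(H, r, P)], message)
    return c, (r - c * x) % Q


def spk_verify_equal(y, z, message, signature):
    """Both commitments are recomputed from the same s; a wrong z breaks the hash."""
    c, s = signature
    t1 = pow(G, s, P) * pow(y, c, P) % P
    t2 = pow(H, s, P) * pow(z, c, P) % P
    return c == hash_challenge([t1, t2], message)
```

Because $c$ is bound to $m$, the same signature does not verify for another message, and because the equality proof reuses one response for both equations, it only verifies when $z$ really is $h$ raised to the same exponent as $y$.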
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$

Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$

Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2/C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
Alice's credential system builds on three ingredients: a signature scheme, a commitment scheme and zero-knowledge proofs.

Signature Schemes
Signature Scheme Functionality
• Key generation: the signer creates a secret signing key and a public verification key.
• Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = \mathrm{sig}((m_1, \ldots, m_k), sk)$.
• Verification: anyone holding the public key checks $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.

Signature Scheme Security: unforgeability under adaptive chosen message attack
The adversary may ask the signer for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice, each chosen after seeing the previous signatures. It wins if it outputs $\sigma$ and $m \neq m_i$ such that $\mathrm{ver}(\sigma, m, pk) = \mathrm{true}$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$,
and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$,
$s = H(m)^d \bmod n$
Verification of a signature $s$ on a message $m \in \{0,1\}^*$:
$s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme – for reference
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g.
$PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-( – the hash $H(m)$ is not an algebraic function of $m$ in the group, so the discrete-logarithm-style proofs above cannot express it.
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
$c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
The signature is $(c, e, s)$.

CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
$m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$,
$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe:
Let $c' = c\, b^t \bmod n$ with randomly chosen $t$.
Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$, provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$
Privacy-protecting authentication with Privacy ABCs
Alice's credential system builds on a signature scheme, a commitment scheme and zero-knowledge proofs; next: the commitment scheme.

Commitment Schemes
Commitment Scheme Functionality
• Commit: Alice puts a message $m$ (e.g. the value 2-36-17) into a sealed commitment and hands it over; the recipient sees only the sealed commitment.
• Open: later Alice reveals $m$ and the opening information; the recipient checks that the commitment indeed contains $m$.

Commitment Scheme Security
• Binding: Alice cannot open a commitment to a different message $m' \neq m$ (e.g. claim it contained 3-21-11 when it was made for 2-36-17).
• Hiding: for all messages $m, m'$ the commitments to $m$ and to $m'$ are indistinguishable; the recipient learns nothing about the content until it is opened.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^x h^r$

Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$.
I.e. given $c$ and any $x'$, there exists $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ such that $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$.
Commitment Scheme Extended Features
• Proof of knowledge of contents: Alice proves that she knows the message $m$ inside a commitment without opening it; the verifier learns only "true".
• Proof of relations among contents: Alice proves that the message $m'$ in one commitment satisfies $m' = 2 \cdot m$ for the message $m$ in another; again the verifier learns only "true".
Let $C_1 = g^m h^r$ and $C_2 = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta): C_1 = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^\beta h^\alpha \wedge C_2 = (g^2)^\beta h^\gamma\}$
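Added example (Python; not from the slides): Pedersen commitments $c = g^x h^r$ with opening, the binding argument of the previous slide (two openings of one commitment yield $\log_g h$), and both extended features as non-interactive proofs: $PK\{(\alpha, \beta): C_1 = g^\beta h^\alpha\}$ and $PK\{(\alpha, \beta, \gamma): C_1 = g^\beta h^\alpha \wedge C_2 = (g^2)^\beta h^\gamma\}$, the linear-relation pattern of the "Some Example Proofs" slides. The group is the same assumption as in the earlier examples ($p = 2^{127} - 1$, $q = 77158673929$, $g = 3^{(p-1)/q}$, $h = 5^{(p-1)/q}$); the proofs use SHA-256 as the random oracle and the additive response form $z = k + c \cdot w$, which is the same protocol as the slides' $s = r - cx$ with the sign convention flipped.

```python
# Added example: Pedersen commitments, the binding argument, and
# Fiat-Shamir proofs of opening and of the relation m' = 2m. Toy group (assumption).
import hashlib
import secrets

P = 2**127 - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)
H = pow(5, (P - 1) // Q, P)   # nobody knows log_G H; that is what binding relies on


def commit(x):
    r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_commitment(c, x, r):
    return c == pow(G, x, P) * pow(H, r, P) % P


def break_binding(x1, r1, x2, r2):
    """If one commitment opens as (x1, r1) and as (x2, r2), then g^(x1-x2) = h^(r2-r1),
    so u = log_g h = (x1 - x2)/(r2 - r1) mod q: a binding break is a discrete log."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


def hash_challenge(elements):
    data = b"".join(e.to_bytes(16, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_opening(c1, x, r):
    """PK{(α, β): C1 = g^β h^α}: mask both exponents, one challenge, two responses."""
    kx, kr = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, kx, P) * pow(H, kr, P) % P
    ch = hash_challenge([c1, t])
    return t, (kx + ch * x) % Q, (kr + ch * r) % Q


def verify_opening(c1, proof):
    """g^zx h^zr must equal t * C1^ch, which holds iff the responses were built from a real opening."""
    t, zx, zr = proof
    ch = hash_challenge([c1, t])
    return pow(G, zx, P) * pow(H, zr, P) % P == t * pow(c1, ch, P) % P


def prove_double(c1, x, r1, c2, r2):
    """PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}: the mask kx is shared by both
    equations, which is what ties C2's value to twice C1's value."""
    kx, k1, k2 = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, kx, P) * pow(H, k1, P) % P
    t2 = pow(G, 2 * kx, P) * pow(H, k2, P) % P
    ch = hash_challenge([c1, c2, t1, t2])
    return t1, t2, (kx + ch * x) % Q, (k1 + ch * r1) % Q, (k2 + ch * r2) % Q


def verify_double(c1, c2, proof):
    t1, t2, zx, z1, z2 = proof
    ch = hash_challenge([c1, c2, t1, t2])
    ok1 = pow(G, zx, P) * pow(H, z1, P) % P == t1 * pow(c1, ch, P) % P
    ok2 = pow(G, 2 * zx, P) * pow(H, z2, P) % P == t2 * pow(c2, ch, P) % P
    return ok1 and ok2
```

The relation proof fails as soon as $C_2$ commits to anything but $2m$, and tampering with a single response in the opening proof breaks the verification equation; both are exactly the checks a verifier runs on a presentation token that asserts "this attribute equals twice that one".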
Putting Things Together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^r$ (a Pedersen commitment to the secret key)
Like PKI, but better: issuing a credential (concept: credentials)
Privacy-protecting authentication with Privacy ABCs: the issuer certifies Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.

Realizing Issuance of a Credential
Recall: a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$
– $m_1, \ldots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives commitments to the hidden messages $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and outputs $\sigma = \mathrm{sig}((\mathrm{commitments\ to\ } m_1, \ldots, m_j, m_{j+1}, \ldots, m_k), sk)$.
Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments

Realizing Issuance of a Credential
Issuer's public key: $n, a_i, b, d$.
1. The user computes $C = a_1^{sk} b^{s'}$ and sends $C$ and the clear attribute $name$ to the issuer.
2. The user proves $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$, i.e. that $C$ is well formed.
3. The issuer chooses $e$ and $s''$, computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The user's signature is $(c, e, s' + s'')$, since $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Realizing Issuance of a Credential: binding it to a pseudonym
Want to sign w.r.t. $Nym = g^{sk} h^r$:
1. The user sends $C = a_1^{sk} a_2^{r} b^{s'}$, $Nym$ and $name$.
2. The user proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$, i.e. that $C$ contains the same $sk$ and $r$ as $Nym$.
3. The issuer stores $(Nym, name)$, computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The credential satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
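Added example (Python; not from the slides and not Identity Mixer code): a toy CL signature covering the CL-signature slides and the issuance slides above. The user commits to the secret key, $C = a_1^{sk} b^{s'}$, the issuer completes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e}$, the user assembles $(c, e, s' + s'')$, re-randomizes it as $c' = c\, b^t$, $s' = s - et$, and proves knowledge of the signature while revealing only $name$. Assumptions: the modulus is $n = (2^{61}-1)(2^{31}-1)$ with the factorization known to the issuer (a real issuer generates fresh large primes), messages are $\ell = 8$ bits, $e$ is a prime with $2^{\ell+1} < e < 2^{\ell+2}$ found by trial division, challenges are 80 bits, the user's proof that $C$ is well formed is left out, and the interval proofs of the slides ($\mu \in \{0,1\}^\ell$, $\varepsilon > 2^{\ell+1}$) are replaced by loose length checks on the responses.

```python
# Added example: toy Camenisch-Lysyanskaya signatures with blind issuance,
# re-randomization and a proof of knowledge of the signature. Parameters are
# assumptions at toy size; see the lead-in.
import hashlib
import math
import secrets

P_F, Q_F = 2**61 - 1, 2**31 - 1      # toy factors of n (fixed here only for readability)
N = P_F * Q_F
PHI = (P_F - 1) * (Q_F - 1)          # issuer's secret: knowing phi(n) is knowing the factors
L, CH, SEC = 8, 80, 80               # message bits, challenge bits, statistical security bits
K = 2                                 # slots: a1 carries sk (hidden at issuance), a2 carries name


def qr():
    """Random quadratic residue mod n."""
    return pow(secrets.randbelow(N - 2) + 2, 2, N)


def issuer_keygen():
    return {"n": N, "a": [qr() for _ in range(K)], "b": qr(), "d": qr()}


def random_prime_e():
    """Prime e with 2^(L+1) < e < 2^(L+2), coprime to phi(n); trial division suffices at this size."""
    while True:
        e = 2**(L + 1) + 1 + secrets.randbelow(2**(L + 1) - 1)
        if all(e % f for f in range(2, math.isqrt(e) + 1)) and math.gcd(e, PHI) == 1:
            return e


def user_commit(pk, sk):
    """User: C = a1^sk b^s'; hiding, so the issuer learns nothing about sk."""
    s1 = secrets.randbelow(N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issuer_sign(pk, commitment, clear_msgs):
    """Issuer: c = (d / (C * prod a_i^m_i * b^s''))^(1/e) mod n; returns (c, e, s'').
    With commitment == 1 and K clear messages this is plain CL signing.
    (The user's proof that C is well formed is omitted in this toy.)"""
    e, s2 = random_prime_e(), secrets.randbelow(N)
    base = commitment * pow(pk["b"], s2, N) % N
    for a_i, m_i in zip(pk["a"][K - len(clear_msgs):], clear_msgs):
        base = base * pow(a_i, m_i, N) % N
    target = pk["d"] * pow(base, -1, N) % N
    return pow(target, pow(e, -1, PHI), N), e, s2


def issue_credential(pk, sk, name):
    """Whole flow: the user ends up with (c, e, s' + s''), a signature on (sk, name)."""
    commitment, s1 = user_commit(pk, sk)
    c, e, s2 = issuer_sign(pk, commitment, [name])
    return c, e, s1 + s2


def verify(pk, msgs, sig):
    """d == c^e * prod a_i^m_i * b^s mod n, plus the length conditions of the slides."""
    c, e, s = sig
    if not 2**(L + 1) < e < 2**(L + 2) or any(not 0 <= m < 2**L for m in msgs):
        return False
    lhs = pow(c, e, N) * pow(pk["b"], s, N) % N
    for a_i, m_i in zip(pk["a"], msgs):
        lhs = lhs * pow(a_i, m_i, N) % N
    return lhs == pk["d"]


def rerandomize(pk, sig):
    """(c b^t, e, s - e t) is another signature on the same messages; show a fresh one each time."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def challenge(pk, c_rand, clear_msgs, t):
    data = ",".join(map(str, [pk["n"], c_rand, *clear_msgs, t])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - CH)


def prove(pk, sig, sk, clear_msgs):
    """SPK{(ε, μ1, σ): d / a2^name = c'^ε a1^μ1 b^σ}: reveals c' and name; hides sk, e and s."""
    c_rand, e, s_rand = rerandomize(pk, sig)
    r_e = secrets.randbits(L + 2 + CH + SEC)                  # masks exceed the secrets by CH+SEC bits
    r_m = secrets.randbits(L + CH + SEC)
    r_s = secrets.randbits(N.bit_length() + L + 2 + CH + SEC)
    t = pow(c_rand, r_e, N) * pow(pk["a"][0], r_m, N) * pow(pk["b"], r_s, N) % N
    ch = challenge(pk, c_rand, clear_msgs, t)
    return c_rand, t, (r_e + ch * e, r_m + ch * sk, r_s + ch * s_rand)


def verify_proof(pk, clear_msgs, proof):
    c_rand, t, (z_e, z_m, z_s) = proof
    ch = challenge(pk, c_rand, clear_msgs, t)
    target = pk["d"]                                           # d / prod a_i^m_i over the clear slots
    for a_i, m_i in zip(pk["a"][K - len(clear_msgs):], clear_msgs):
        target = target * pow(a_i, -m_i, N) % N
    lhs = pow(c_rand, z_e, N) * pow(pk["a"][0], z_m, N) * pow(pk["b"], z_s, N) % N
    # loose stand-in for the slides' interval proofs: honest responses have bounded length
    sizes_ok = z_m.bit_length() <= L + CH + SEC + 1 and z_e.bit_length() <= L + 2 + CH + SEC + 1
    return lhs == t * pow(target, ch, N) % N and sizes_ok
```

Each presentation re-randomizes $c$, so two tokens from the same credential share no value a verifier could match, while the proof still pins the hidden $sk$ to the one the issuer signed.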
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
• A user can voice an opinion only once (subsequent attempts are dropped).
• Users want to be anonymous.
• A user's opinions in different polls must not be linkable.

Polling – Solution: Registration
• The user generates a pseudonym (ID for registration).
• The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer key $(n, a_1, a_2, b, d)$.
• The credential can contain attributes (e.g. course ID) about her.

Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID.
2. The user transforms the credential.
3. The user sends the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.

Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
$P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
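Added example (Python; not from the slides): the domain-pseudonym part of the polling solution, $P = H(pollID)^{sk}$, with the pollster's duplicate detection (one opinion per pseudonym, later attempts dropped). The SPK over the CL credential that accompanies each submission is not repeated here. The group ($p = 2^{127} - 1$, $q = 77158673929$) and the hash-to-group construction are assumptions; the last function illustrates why $H(pollID)$ must land in the group without a known discrete logarithm, which the DDH-based unlinkability claim silently requires.

```python
# Added example: domain pseudonyms and duplicate-opinion detection for the
# polling scenario. Toy group and hash-to-group construction are assumptions.
import hashlib
import secrets

P = 2**127 - 1
Q = 77158673929
COFACTOR = (P - 1) // Q


def hash_to_group(poll_id):
    """g_d = H(pollID): hash into Z_p^*, then raise to the cofactor so the result lies in
    the order-q subgroup. Nobody learns log_g of it, which the unlinkability argument needs."""
    h = int.from_bytes(hashlib.sha256(poll_id.encode()).digest(), "big") % (P - 2) + 2
    gd = pow(h, COFACTOR, P)
    if gd == 1:                            # probability about 1/q; re-hash with a suffix
        return hash_to_group(poll_id + "#")
    return gd


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: the same sk gives one P per poll, different P across polls."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """One poll: accepts one opinion per domain pseudonym and drops later attempts."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False                   # same user again: detected, without learning who
        self.opinions[pseudonym] = opinion
        return True


def linkable_with_known_log(sk, id1, id2):
    """Pitfall: if g_d were g^H(pollID) (a base with known discrete log), then
    P1^H(id2) == P2^H(id1) and any observer could link the two polls."""
    g = pow(3, COFACTOR, P)
    h1 = int.from_bytes(hashlib.sha256(id1.encode()).digest(), "big") % Q
    h2 = int.from_bytes(hashlib.sha256(id2.encode()).digest(), "big") % Q
    p1, p2 = pow(g, h1 * sk, P), pow(g, h2 * sk, P)
    return pow(p1, h2, P) == pow(p2, h1, P)
```

The pollster stores only pseudonyms and opinions; with the cofactor-based hash two polls of the same user cannot be matched by exponent algebra, whereas the known-log variant is linkable by a one-line check.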
Further Concepts

Concept – Inspection
• Involves a trusted third party (TTP), the inspector, with its inspector parameters; the inspection grounds state when decryption is allowed.
• If the car is damaged, the ID with insurance or government needs to be retrieved.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
• Key generation: a secret decryption key and a public encryption key
• Encryption with the public key
• Decryption with the secret key

Security: like envelopes
The ciphertext gives no information about the message: an adversary that sees the encryption of one of two messages cannot tell which one was encrypted.
This is called semantic security (secure if used once only or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable encryption lets the user prove in zero knowledge that a ciphertext under the inspector's key contains the value certified in the credential.

Verifiable Encryption
• Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
• Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
• Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
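Added example (Python; not from the slides): ElGamal encryption of a pseudonym under the inspector's key, $(e_1, e_2) = (y^u Nym, g^u)$, decryption by the inspector as on the ElGamal slide, and the ciphertext part of the proof token, $SPK\{(\rho, \mu_1, \mu_2): e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho\}(label)$, which is what makes the encryption verifiable. The CL-signature conjunct of the slide's proof is left out. The label enters the challenge hash, so a token made under one set of inspection grounds does not verify under another. The group is the same assumption as before ($p = 2^{127} - 1$, $q = 77158673929$, $g = 3^{(p-1)/q}$, $h = 5^{(p-1)/q}$).

```python
# Added example: verifiable ElGamal encryption of a pseudonym with a label.
# Toy group parameters are an assumption.
import hashlib
import secrets

P = 2**127 - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)
H = pow(5, (P - 1) // Q, P)


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk):
    """Nym = g^sk h^r; r is returned because the proof needs it."""
    r = secrets.randbelow(Q)
    return pow(G, sk, P) * pow(H, r, P) % P, r


def encrypt(y, nym):
    """(e1, e2) = (y^u Nym, g^u); u is returned because the proof needs it."""
    u = secrets.randbelow(Q)
    return (pow(y, u, P) * nym % P, pow(G, u, P)), u


def decrypt(x, ciphertext):
    """Inspector: Nym = e1 * (e2^x)^-1, i.e. m = c1 c2^-x from the ElGamal slide."""
    e1, e2 = ciphertext
    return e1 * pow(pow(e2, x, P), -1, P) % P


def challenge(elements, label):
    data = b"".join(e.to_bytes(16, "big") for e in elements) + label
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_encrypted_nym(y, ciphertext, u, sk, r, label):
    """SPK{(ρ, μ1, μ2): e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ}(label); ρ = u is shared by both equations."""
    e1, e2 = ciphertext
    ku, ks, kr = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(y, ku, P) * pow(G, ks, P) * pow(H, kr, P) % P
    t2 = pow(G, ku, P)
    c = challenge([y, e1, e2, t1, t2], label)
    return t1, t2, (ku + c * u) % Q, (ks + c * sk) % Q, (kr + c * r) % Q


def verify_encrypted_nym(y, ciphertext, proof, label):
    """Checks e2 = g^ρ and that e1 is y^ρ times a commitment g^μ1 h^μ2 the prover can open,
    i.e. the ciphertext really carries a pseudonym of the expected shape."""
    e1, e2 = ciphertext
    t1, t2, zu, zs, zr = proof
    c = challenge([y, e1, e2, t1, t2], label)
    ok1 = pow(y, zu, P) * pow(G, zs, P) * pow(H, zr, P) % P == t1 * pow(e1, c, P) % P
    ok2 = pow(G, zu, P) == t2 * pow(e2, c, P) % P
    return ok1 and ok2
```

Two encryptions of the same $Nym$ differ (fresh $u$), so the verifier cannot link presentations through the ciphertext, yet the inspector recovers the pseudonym exactly; and a proof bound to the label "inspect if car damaged" does not verify under any other label.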
Revocation of Credentials

Anonymous Credential Revocation
There are various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user, etc.
The revocation authority publishes revocation information; the verifier looks it up.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(

Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U = h^\mu\}$
– the verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list (and rejects if so)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.

Revocable Credentials: Second Solution (variation)
The verifier could choose $h$ and keep it fixed for a while: it can pre-compute the list $U_j = h^{u_j}$ → a single table lookup. BUT if the user comes again, the verifier can link the two showings; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(verifier, date)$, so the user can check its correctness.
– The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
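Added example (Python; not from the slides): the verifier side of the second solution. The user shows $U = h^{u_i}$ and the verifier rejects if $U = h^{u_j}$ for a revoked $u_j$. Three choices of $h$ are compared: a fresh random $h$ per showing (unlinkable, linear work each time), a fixed $h$ with a precomputed table (one lookup, but repeat visitors are linkable), and the slides' $h = H(verifier, date)$. The zero-knowledge proof that $u_i$ is the value inside the credential is not repeated here; the group ($p = 2^{127} - 1$, $q = 77158673929$) is an assumption.

```python
# Added example: verifier-side revocation check U != h^{u_j} with three ways of
# choosing h, and the linkability each one implies. Toy group (assumption).
import hashlib
import secrets

P = 2**127 - 1
Q = 77158673929
COFACTOR = (P - 1) // Q


def random_base():
    """Fresh h in the order-q subgroup, one per showing: unlinkable, O(k) per check."""
    return pow(secrets.randbelow(P - 2) + 2, COFACTOR, P)


def derive_base(verifier_id, date):
    """h = H(verifier, date): reproducible by the user, who can thus check that h was
    not picked just to track her; showings on the same date remain linkable."""
    digest = hashlib.sha256(f"{verifier_id}|{date}".encode()).digest()
    return pow(int.from_bytes(digest, "big") % (P - 2) + 2, COFACTOR, P)


def show(h, u_i):
    """User's revocation handle for this showing (the proof that u_i is inside the credential is omitted)."""
    return pow(h, u_i, P)


def check_not_revoked(h, U, revoked):
    """Linear in the list length; this is the per-showing cost of a fresh h."""
    return all(U != pow(h, u_j, P) for u_j in revoked)


class FixedBaseVerifier:
    """Precomputes {h^{u_j}} once so that the check is a single lookup."""

    def __init__(self, h, revoked):
        self.h = h
        self.table = {pow(h, u_j, P) for u_j in revoked}
        self.seen = set()            # what a curious verifier can accumulate

    def check(self, U):
        self.seen.add(U)             # same user under the same h => same U: linkable
        return U not in self.table
```

The trade-off is visible in the test: under a date-derived $h$ the same user produces the same $U$ all day, while a different date (or a fresh random $h$) yields an unrelated value.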
Revocable Credentials: Second Solution – a better implementation of the proof
The issuer signs the intervals between revoked serial numbers: with revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
A user whose credential contains the serial number 3 proves that she holds a signature $Sig(i, j)$ on an interval with $i < 3 < j$; the verifier does not learn $i$, $j$ (nor 3).
$Sig(i, j)$ can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
Credentials contain a random serial number (e.g. 1, 2, 3, 4, 5, 6); the issuer accumulates all good serial numbers into one accumulator value.
A user whose credential contains the serial number 2 proves that 2 is included in the accumulator; the proof requires a witness.
To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.

Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ such that $z = x^{e_j} \bmod n$,
  which can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^e \bmod n$

Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show an $x$ such that $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– For any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^s$, $U_2 = g^s$ and reveal $U_1, U_2, g$
– run the proof protocol with the verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):$
  $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n$
  $\wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$

Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$ ⇒ $\xi = \delta\mu$
  b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 h^{-\delta})^\mu \pmod n$
  c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. need to be updated: $x' = x^{e_{new}} \bmod n$

Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– witness:
  • use the extended Euclidean algorithm to compute $a$ and $b$ such that $a\, e_{own} + b\, e_{rev} = 1$
  • now $x' = x^b z'^a \bmod n$
  • why: $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
  $= ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} \bmod n = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} \bmod n$
  $= z^{1/e_{rev}} \bmod n = z'$ :-)

Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– thus $z$ needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
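Added example (Python; not from the slides): the RSA accumulator of the third solution end to end: $z = v^{\prod e_i}$, witnesses with $x^{e} = z$, a join that raises $z$ and every witness to $e_{new}$, a revocation where the issuer takes the $e_{rev}$-th root, the extended-Euclid witness update $x' = x^b z'^a$ from the previous slide, and the improved join where the issuer hands out $z^{1/e_{new}}$ so that $z$ never changes. Assumptions: the toy modulus $n = (2^{61}-1)(2^{31}-1)$ whose factorization the issuer knows, and small distinct primes as the accumulated values.

```python
# Added example: RSA accumulator with dynamic join, revocation and witness
# update. The modulus and the primes are toy values (assumption).
import secrets

P_F, Q_F = 2**61 - 1, 2**31 - 1
N = P_F * Q_F
PHI = (P_F - 1) * (Q_F - 1)          # issuer only: needed to take e-th roots


def setup():
    """Seed v: a random quadratic residue mod n."""
    return pow(secrets.randbelow(N - 2) + 2, 2, N)


def product(values):
    out = 1
    for value in values:
        out *= value
    return out


def accumulate(v, primes):
    """z = v^{e_1 ... e_k} mod n; published together with n."""
    return pow(v, product(primes), N)


def witness(v, primes, e_j):
    """x = v^{product of the other primes}, so that x^{e_j} = z."""
    return pow(v, product(e for e in primes if e != e_j), N)


def verify_membership(z, x, e):
    return pow(x, e, N) == z


def join(z, x, e_new):
    """New member: z' = z^{e_new}; an existing witness must become x' = x^{e_new}."""
    return pow(z, e_new, N), pow(x, e_new, N)


def revoke(z, e_rev):
    """Issuer (knows phi(n)): z' = z^{1/e_rev} mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness_after_revocation(x, z_new, e_own, e_rev):
    """Without phi(n): a e_own + b e_rev = 1 (extended Euclid), then x' = x^b z'^a.
    Check: x'^{e_own} = z'^{b e_rev} z'^{a e_own} = z'."""
    a = pow(e_own, -1, e_rev)             # a e_own = 1 (mod e_rev)
    b = (1 - a * e_own) // e_rev          # exact division by construction
    return pow(x, b, N) * pow(z_new, a, N) % N


def join_without_changing_z(z, e_new):
    """Improved join: the issuer hands out x = z^{1/e_new} and leaves z and all
    other witnesses untouched; only revocations force witness updates."""
    return pow(z, pow(e_new, -1, PHI), N)
```

After a revocation the old witness fails against the new $z'$ (which is what makes revocation effective), and the Euclid update restores it for every remaining member without any help from the issuer.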
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
→ No additional effort for the verifier: if the credential is valid, there is no need to check revocation updates from the issuer.

Revocation: Zeroth Solution – re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e$, $s''$, computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
Idea: just repeat the last step for each new time $time_i$: choose $e_i$, $s_i''$ and compute $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
Watching the movie with the traditional solution

Alice and the Movie Streaming Service, with OpenID and similar solutions (e.g. log in with Facebook):

"Aha, you are
- Alice@facebook.com
- born on Dec 12, 1975
- Alice's friends are ...
- Alice's public profile is ...
- Mplex customer 1029347
- Premium subscription
- expires Jan 13, 2016"

"Aha, Alice is watching a 12+ movie"

Identity Mixer solves this

When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
Like PKI, but better

One secret identity (secret key), many public pseudonyms (public keys).

Privacy-protecting authentication with IBM Identity Mixer: issuing a credential

Credential attributes: Name = Alice Doe, Birth date = April 3, 1997
Privacy-protecting authentication with Privacy ABCs / IBM Identity Mixer (the movie example as a protocol flow)

Alice -> Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service -> Alice: "You need: a subscription, and to be older than 12"
Alice -> Movie Streaming Service: a presentation token derived from her credentials, showing
- a valid subscription
- an eID with age >= 12
Movie Streaming Service checks the token with the public verification key of the issuer: "Aha, you are older than 12 and have a subscription"

Like PKI, but the credential itself is not sent: only minimal disclosure.
Advantages of Identity Mixer

For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access

For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)

Demo

Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)

Further Concepts
Concept: Inspection

Trusted third party (TTP)
- If the car is damaged, the ID must be retrievable by the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line and can be distributed to lessen trust

Concept: Revocation

- If Alice was speeding, the license needs to be revoked
- There are many different use cases and many solutions
- Variants of CRLs work (using crypto to maintain anonymity)
- Accumulators
- Signing entries and proof
- Limited validity: certs need to be updated
- For proving age, a revoked driver's license still works
Revocation authority parameters (public key), revocation info

Concept: Usage Limitation

The degree of anonymity can be limited
- If Alice and Eve are on-line at the same time, they are caught
- Use limitation: anonymous until Alice used certs > 100 times total, or > 10,000 times with Bob
- Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases

Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation

Healthcare
- Anonymous access to patients' records: accessing medical test results
- Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- Patent databases
- DNA databases
- News, journals, magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A software stack view on Identity Mixer (layer diagram)

Application layer: resource request on the user side; access control and app logic on the verifier side
Policy layer: presentation policy (sent by the verifier) and presentation token (returned by the user)
- User side (Wallet): policy/credential matcher, credential manager, store, evidence generation orchestration
- Verifier side: policy/token matcher, token manager, store, evidence verification orchestration
Crypto layer (both sides): Sig, Enc, Com, ZKP, store

Privacy-protecting authentication with Privacy ABCs (entity diagram)
- Issuer parameters and credential specification (published by the issuer)
- Credential (held by the user), pseudonym
- Presentation policy (from the verifier, e.g. "12 < age"), verifier parameters
- Presentation token (from the user, satisfying the policy)
The Policy Layer: an example presentation policy (sent from the Verifier to the User, who answers with a presentation token)

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs

An interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response).

Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group <g> and an element y ∈ <g>, the prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.

Prover (knows x)                        Verifier (knows y, g)
random r; t = g^r            -- t -->
                             <-- c --   random c
s = r - c·x                  -- s -->   check t = g^s · y^c

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: proof of knowledge

If a prover can successfully convince a verifier, then the secret needs to be extractable.

The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.

Rerun the prover from the same commitment t with two different challenges c and c', obtaining responses s and s':

  t = g^s · y^c = g^{s'} · y^{c'}
  → y^{c'-c} = g^{s-s'}
  → y = g^{(s-s')/(c'-c)}
  → x = (s-s')/(c'-c) mod q
Zero-Knowledge Proofs: security, the zero-knowledge property

The verifier does not learn anything (except the fact that Alice knows x = log_g y).

Idea: one can simulate whatever Bob "sees".
- Choose random c', s' and compute t = g^{s'} · y^{c'}; send t
- Receive c; if c = c', send s = s', otherwise restart

Problem: if the domain of c is too large, the success probability becomes too small.
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge.

Prover (knows x)                        Verifier (knows y, g)
                             <-- h --   random c_v; h = H(c_v)
random r; t = g^r            -- t -->
                             <-- c_v --
check h = H(c_v);
s = r - c_v·x                -- s -->   check t = g^s · y^{c_v}

Notation: PK{(α): y = g^α}

Zero-Knowledge Proofs: security of the modified protocol

Simulation for the large-domain variant:
- receive h; choose random c', s', compute t = g^{s'} · y^{c'}; send t
- after having received c_v, "reboot" the verifier (it sends the same h again, since c_v is fixed by h)
- choose random s', compute t = g^{s'} · y^{c_v}; send t
- receive c_v; send s'
From Protocols To Signatures

Signing a message m:
- choose random r ∈ Z_q and
- compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
- output (c, s)

Verifying a signature (c, s) on a message m:
- check c = H(g^s · y^c || m), which holds iff t = g^s · y^c

Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"

Signature notation: SPK{(α): y = g^α}(m)
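The Schnorr protocol PK{(α): y = g^α}, the rewinding extractor from the soundness slide and the Fiat-Shamir signature SPK{(α): y = g^α}(m), as an added example that is not part of the slides. The group (p = 1019, q = 509, g = 4) and all values are constructed toy parameters.

```python
# Added example (not from the slides): the Schnorr protocol PK{(α): y = g^α}
# in a small prime-order subgroup, the knowledge extractor obtained by
# rewinding the prover to two challenges, and the Fiat-Shamir signature
# SPK{(α): y = g^α}(m). Parameters are toy-sized, chosen for readability.
import hashlib
import secrets

P = 1019          # safe prime, P = 2*Q + 1 (constructed toy group)
Q = 509           # prime order of the subgroup <g>
G = 4             # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup


def keygen():
    """Secret x in Z_q and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- interactive protocol: commitment, challenge, response ---
def prover_commit():
    """Move 1: prover picks r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier checks t == g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 give x = (s1 - s2) / (c2 - c1) mod q."""
    assert c1 != c2
    return ((s1 - s2) * pow(c2 - c1, -1, Q)) % Q


# --- Fiat-Shamir: SPK{(α): y = g^α}(m) ---
def _hash_challenge(t, m):
    """c = H(t || m) reduced into the challenge space Z_q."""
    data = t.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x, m):
    """c = H(g^r || m), s = r - c*x mod q; output (c, s)."""
    r = secrets.randbelow(Q)
    c = _hash_challenge(pow(G, r, P), m)
    return c, (r - c * x) % Q


def verify_sig(y, m, sig):
    """Check c == H(g^s * y^c || m), i.e. recompute t from (c, s)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == _hash_challenge(t, m)


def demo():
    x, y = keygen()
    # one honest run of the interactive protocol
    r, t = prover_commit()
    c = secrets.randbelow(Q)
    s = prover_respond(x, r, c)
    honest_ok = verify(y, t, c, s)
    # rewind: same r (hence same t), a second challenge, then extract x
    c2 = (c + 1) % Q
    s2 = prover_respond(x, r, c2)
    extracted = extract(t, c, s, c2, s2)
    # signature on a constructed message; a changed message must not verify
    msg = b"I wish to see Alice in Wonderland"
    sig = sign(x, msg)
    sig_ok = verify_sig(y, msg, sig)
    forged = verify_sig(y, b"I wish to see a 12+ movie", sig)
    return honest_ok, extracted == x, sig_ok, forged


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```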
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms: extensions

Logical combinations
- PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
- PK{(α, β): y = g^α ∨ z = g^β}

Non-interactive (Fiat-Shamir heuristic, Schnorr signatures)
- SPK{(α): y = g^α}(m)

Many exponents
- PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}

Intervals and groups of different order (under SRSA)
- PK{(α): y = g^α ∧ α ∈ [A, B]}
- PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis

Let g, h, C1, C2, C3 be group elements.

Now, what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = g^{α1} g^{α2} h^{β3} = g^{α1 + α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)

And what about PK{(α1, ..., β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5·α2} h^{β3} = g^{α1 + 5·α2} h^{β3}
→ α3 = α1 + 5·α2 (mod q)

Now, what does PK{(α1, ..., β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{β3}} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = C2^{α1} h^{β3} = (g^{α2} h^{β2})^{α1} h^{β3} = g^{α2·α1} h^{β3 + β2·α1}
  C3 = g^{α2·α1} h^{β3 + β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)

And what about PK{(α1, ..., β2): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{β2}}?
→ α2 = α1^2 (mod q)

Now, what does PK{(α1, β1, β2): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β2}} mean?
→ The prover knows values α1, β1, β2 such that
  C1 = g^{α1} h^{β1}
  g = (C2/C1)^{α1} h^{β2} = (C2 g^{-α1} h^{-β1})^{α1} h^{β2}
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β2/α1}
  C2 = g^{α1} h^{β1} h^{-β2/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β2/α1}
  C2 = g^{α2} h^{β2}
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs: the building blocks behind Alice's credentials are a signature scheme, a commitment scheme and zero-knowledge proofs.

Signature schemes
Signature Scheme: functionality

- Key generation: the signer generates a secret signing key and a public verification key
- Signing: on messages (m1, ..., mk) the signer computes σ = sig((m1, ..., mk), sk)
- Verification: anyone holding the public key checks ver(σ, (m1, ..., mk), pk) = true

Signature Scheme: security

Unforgeability under adaptive chosen message attack: the adversary may obtain signatures σ1, ..., σl on messages m1, ..., ml of its choice, one after the other; it wins if it outputs σ and m ≠ mi s.t. ver(σ, m, pk) = true.
RSA Signature Scheme (for reference)

Rivest, Shamir and Adleman, 1978

Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* -> {0,1}^ℓ.

Computing a signature on a message m ∈ {0,1}*:
  d = 1/e mod (p-1)(q-1)
  s = H(m)^d mod n

Verification of signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)

Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)

Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme

Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n. Secret key: the factors of n.

To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
- choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute
  c = (d / (a_1^{m1} ··· a_k^{mk} b^s))^{1/e} mod n
- the signature is (c, e, s)

To verify a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e a_1^{m1} ··· a_k^{mk} b^s mod n

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature

Recall d = c^e a_1^{m1} a_2^{m2} b^s mod n

Observe: let c' = c b^t mod n with randomly chosen t. Then d = c'^e a_1^{m1} a_2^{m2} b^{s - e·t} (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2.

To prove knowledge of a signature (c', e, s') on m2 and some m1: provide c' and
  PK{(ε, μ1, σ): d / a_2^{m2} = c'^ε a_1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a_1^{μ1} a_2^{m2} b^σ
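Signing, verifying and re-randomising a CL signature (c' = c · b^t, s' = s - e·t) on three attributes, as an added example that is not part of the slides or of the Identity Mixer code. The modulus, the generators a_i, b, d and the message length ℓ = 4 are constructed toy parameters.

```python
# Added example (not from the slides): the CL signature on k messages,
# verification, and the re-randomisation c' = c * b^t, s' = s - e*t that
# makes a shown signature unlinkable to the issued one. Toy parameters:
# the primes and message length below are constructed for readability.
import math
import secrets

P_SK, Q_SK = 2003, 2011          # issuer secret: factors of n (constructed toy primes)
N = P_SK * Q_SK                  # RSA modulus
PHI = (P_SK - 1) * (Q_SK - 1)
L = 4                            # messages are L-bit: m_i in {0,1}^L


def _qr(seed):
    """Quadratic residue mod N derived from a seed (public-key elements a_i, b, d)."""
    return pow(seed, 2, N)


A = [_qr(v) for v in (17, 23, 29)]   # a_1, a_2, a_3
B = _qr(31)
D = _qr(37)


def _is_prime(x):
    return x > 1 and all(x % i for i in range(2, math.isqrt(x) + 1))


def _random_prime_e():
    """Prime e with 2^(L+2) > e > 2^(L+1), coprime to phi(n) so the e-th root exists."""
    while True:
        e = secrets.randbelow(2 ** (L + 1)) + 2 ** (L + 1) + 1
        if _is_prime(e) and math.gcd(e, PHI) == 1:
            return e


def _base_product(msgs, s):
    """a_1^m1 * ... * a_k^mk * b^s mod n (s may be negative after randomisation)."""
    acc = pow(B, s, N)
    for a_i, m_i in zip(A, msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(msgs):
    """Issuer: c = (d / (a_1^m1 ... a_k^mk b^s))^(1/e) mod n; signature (c, e, s)."""
    assert all(0 <= m < 2 ** L for m in msgs) and len(msgs) <= len(A)
    e = _random_prime_e()
    s = secrets.randbelow(N) + N            # s roughly the size of n
    inv_e = pow(e, -1, PHI)                 # the e-th root needs the factorisation
    base = D * pow(_base_product(msgs, s), -1, N) % N
    return pow(base, inv_e, N), e, s


def verify(msgs, sig):
    """d == c^e a_1^m1 ... a_k^mk b^s mod n, with e in the required range."""
    c, e, s = sig
    if not (2 ** (L + 1) < e < 2 ** (L + 2)):
        return False
    return D == pow(c, e, N) * _base_product(msgs, s) % N


def randomize(sig):
    """User: (c * b^t, e, s - e*t) is another valid signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N - 1) + 1
    return c * pow(B, t, N) % N, e, s - e * t


def demo():
    msgs = [5, 9, 12]                       # constructed attribute values (L-bit)
    sig = sign(msgs)
    sig2 = randomize(sig)
    return (verify(msgs, sig), verify(msgs, sig2),
            sig2[0] != sig[0], verify([5, 9, 13], sig))


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```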
Privacy-protecting authentication with Privacy ABCs: Alice's credentials build on a signature scheme, a commitment scheme and zero-knowledge proofs.

Commitment scheme

Commitment Scheme: functionality (diagram)
- Commit: the sender puts a message m (e.g. the date 2-36-17) into a sealed "box", the commitment, and hands it over
- Open: later the sender reveals m, and the receiver checks that it matches the commitment

Commitment Scheme: security (diagram)
- Binding: a commitment to m (2-36-17) cannot later be opened to a different m' (3-21-11)
- Hiding: for all messages m, m', the commitments to m and to m' look the same to the receiver
Commitment Schemes

Group G = <g> = <h> of order q.

To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)

To open a commitment:
- reveal x and r to the verifier
- the verifier checks whether c = g^x h^r

Pedersen's Commitment Scheme

Choose r ∈ Z_q and compute c = g^x h^r.

Perfectly hiding: let c be a commitment and u = log_g h. Thus
  c = g^x h^r = g^{x + u·r} = g^{(x + u·r') + u·(r - r')} = g^{x + u·r'} h^{r - r'} for any r'
I.e., given c and any x', there exists r' such that c = g^{x'} h^{r'}.

Computationally binding: let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}.
Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q.
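Pedersen commitments in the same constructed toy group, with opening, the relation check m' = 2·m between two commitments, and the binding argument (two openings of one commitment reveal log_g h), as an added example that is not part of the slides. The trapdoor u is known here only so that a second opening can be produced for the demonstration.

```python
# Added example (not from the slides): Pedersen commitments c = g^x h^r in a
# toy subgroup, with open/verify, the homomorphic relation check that
# C' commits to 2*m, and the binding argument: two different openings of one
# commitment reveal log_g h. All parameters are constructed.
import secrets

P, Q = 1019, 509                 # safe prime and subgroup order (constructed toy group)
G = 4                            # generator of the order-Q subgroup
U_TRAPDOOR = 123                 # used only to derive h = g^u; a real setup hides u
H = pow(G, U_TRAPDOOR, P)


def commit(x, r=None):
    """c = g^x h^r with fresh r in Z_q unless r is supplied; returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, x, P) * pow(H, r, P)) % P, r


def open_ok(c, x, r):
    """Verifier side of opening: does c equal g^x h^r?"""
    return c == (pow(G, x, P) * pow(H, r, P)) % P


def relation_2m_ok(c1, r1, c2, r2):
    """Check c2 = (g^2)^m h^r2 given c1 = g^m h^r1, without knowing m:
    c1^2 = g^2m h^2r1, so c2 / c1^2 must equal h^(r2 - 2*r1)."""
    lhs = c2 * pow(pow(c1, 2, P), -1, P) % P
    return lhs == pow(H, (r2 - 2 * r1) % Q, P)


def extract_log(x1, r1, x2, r2):
    """Binding: if c = g^x1 h^r1 = g^x2 h^r2 with x1 != x2, then
    g^(x1-x2) = h^(r2-r1) and log_g h = (x1-x2)/(r2-r1) mod q."""
    assert (r2 - r1) % Q != 0
    return ((x1 - x2) * pow(r2 - r1, -1, Q)) % Q


def second_opening(x1, r1, x2):
    """What only a holder of u = log_g h can do: open c = g^x1 h^r1 to x2.
    r2 = r1 + (x1 - x2)/u keeps g^(x1 + u r1) = g^(x2 + u r2)."""
    return (r1 + (x1 - x2) * pow(U_TRAPDOOR, -1, Q)) % Q


def demo():
    m, r1 = 21, 77                            # constructed message and randomness
    c1, _ = commit(m, r1)
    c2, r2 = commit(2 * m)                    # commitment to m' = 2*m
    # equivocation is possible only with the trapdoor, and it reveals u
    x_other = 300
    r_other = second_opening(m, r1, x_other)
    return (open_ok(c1, m, r1), relation_2m_ok(c1, r1, c2, r2),
            open_ok(c1, x_other, r_other),
            extract_log(m, r1, x_other, r_other) == U_TRAPDOOR)


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```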
Commitment Scheme: extended features (diagrams)

- Proof of knowledge of contents: the committer proves that she knows the m inside a commitment; the verifier learns only "true"
- Proof of relations among contents: given two commitments, the committer proves e.g. m' = 2·m; the verifier learns only "true"

Let C = g^m h^r and C' = g^{m'} h^{r'}; then
  PK{(α, β): C = g^β h^α}
  PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
Putting things together

Realizing Pseudonyms and Key Binding

Let G = <g> = <h> of order q.
User's secret key: random sk ∈ Z_q.
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} h^r

Like PKI, but better: issuing a credential (Privacy ABCs, concept: credentials)
Credential attributes: Name = Alice Doe, Birth date = April 3, 1997

Realizing Issuance of Credential

Recall a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a_1^{m1} ··· a_k^{mk} b^s mod n

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ d = c^e a_1^{sk} a_2^{m2} ··· a_k^{mk} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: signing hidden messages

The user commits to the messages m1, ..., mj she wants to keep hidden and sends the commitment together with the clear messages (mj+1, ..., mk); the signer returns σ = sig((commitment, mj+1, ..., mk), sk), from which the user derives σ on (m1, ..., mk).

Verification remains unchanged: ver(σ, (m1, ..., mk), pk) = true.
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about m1, ..., mj
- forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential

Issuer public key: n, a_i, b, d.

1. The user computes a commitment C = a_1^{sk} b^{s'} to her secret key and sends C together with her name.
2. The user proves knowledge of the opening: PK{(μ1, σ): C = a_1^{μ1} b^σ}.
3. The issuer chooses e, s'' and computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n; it sends (c, e, s'').
4. The user's credential is (c, e, s' + s''), since d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n).

Want to sign w.r.t. Nym = g^{sk} h^r:
1. The user sends Nym, her name and C = a_1^{sk} a_2^r b^{s'}.
2. The user proves PK{(μ1, ρ, σ): Nym = g^{μ1} h^ρ ∧ C = a_1^{μ1} a_2^ρ b^σ}.
3. The issuer computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n and stores Nym, name.
4. The credential satisfies d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n).
An Example Scenario

Polling: scenario and requirements
- Pollster(s) and a number of users
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable

Polling, solution: registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
- The credential can contain attributes (e.g. course ID) about her
- Issuer public key: (n, a_1, a_2, b, d)

Polling, solution: submit poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms the credential
3. Transformed credential with a subset of the attributes
   - the user is anonymous and unlinkable
   - multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling, solution: polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
   - c' = c b^{s'} mod n with randomly chosen s'
   - SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a_1^{μ1} a_2^{μ2} a_3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
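Domain pseudonyms P = H(pollID)^sk for the polling scenario, with a pollster that drops a second opinion under the same pseudonym, as an added example that is not part of the slides. The toy group (p = 1019, q = 509), the hash-to-group construction and the user secrets are assumptions made for this example.

```python
# Added example (not from the slides): domain pseudonyms P = H(pollID)^sk for
# the polling scenario in a constructed toy group. H maps a poll identifier
# into the order-Q subgroup by hashing and squaring. The pollster stores the
# pseudonyms it has seen so that repeated opinions in one poll are dropped.
import hashlib

P, Q = 1019, 509                          # safe prime and subgroup order (toy)


def hash_to_group(domain):
    """g_d = H(domain): hash to [2, p-2] and square, so the result has order Q."""
    digest = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big")
    base = digest % (P - 3) + 2           # avoids 0, 1 and p-1, whose square is 1
    return pow(base, 2, P)


def domain_pseudonym(sk, domain):
    """P = H(domain)^sk: same for one user within a poll, independent across polls."""
    return pow(hash_to_group(domain), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym; later attempts are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.seen:
            return False                  # second attempt under the same pseudonym
        self.seen[pseudonym] = opinion
        return True


def demo():
    alice_sk, bob_sk = 101, 202           # constructed user secrets
    course_poll = Pollster("course-eval-2015")
    other_poll = Pollster("lecture-feedback-2015")
    p_alice = domain_pseudonym(alice_sk, course_poll.poll_id)
    p_alice_other = domain_pseudonym(alice_sk, other_poll.poll_id)
    first = course_poll.submit(p_alice, "great course")
    second = course_poll.submit(p_alice, "voting twice")          # dropped
    bob = course_poll.submit(domain_pseudonym(bob_sk, course_poll.poll_id), "ok")
    # the same user in another poll shows a different pseudonym: nothing to link
    return first, second, bob, p_alice != p_alice_other, len(course_poll.seen)


if __name__ == "__main__":
    print(demo())
```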
Further Concepts

Concept: Inspection

The inspector (a trusted third party, TTP) publishes inspector parameters; the presentation policy states the inspection grounds.
- If the car is damaged, the ID must be retrievable by the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line and can be distributed to lessen trust
Public Key Encryption

Key generation, encryption, decryption.

Security: like envelopes, the ciphertext reveals no information about the message. Even if the adversary picks two messages and receives the encryption of one of them, it cannot tell which one: this is called semantic security (secure if used once only, or within a careful construction).

Verifiable Encryption with Label

A label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.

Verifiable Encryption
- Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgaard works for any scheme, but is much less efficient
- Open problem: to find new ones
ElGamal Encryption Scheme

Group G = <g> of order q.
Secret key: x ∈ {1, ..., q}. Public key: y = g^x.

To encrypt a message m ∈ <g>:
- choose random r ∈ {1, ..., q}
- compute c = (y^r m, g^r)

To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r m, g^r) = (g^{x·r} m, g^r)
- thus set m = c1 · c2^{-x} = y^r m g^{-x·r} = y^{r-r} m = m
Realizing Inspection

The user holds Nym = g^{sk} h^r and a credential with
  d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
Inspector public key: y = g^x.

Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u Nym, g^u) = (e1, e2).
Compute the proof token (presentation token):
- compute c' = c b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, μ1, μ2, μ3, ρ, σ): d = c'^ε a_1^{μ1} a_2^{μ2} a_3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials

Anonymous Credential Revocation

The issuer (or a revocation authority) publishes revocation info; the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.

Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.

Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution

Include into the credential some credential ID u_i as a message, e.g.
  d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k).

Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for u_j in (u_1, ..., u_k)
- prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ ... ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID u_i as a message, e.g.
  d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u_1, ..., u_k).

Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
- the verifier checks whether U = h^{u_j} for all u_j on the list

Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.

Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_j = h^{u_j} → single table lookup. BUT if the user comes again, the verifier can link; ALSO, the verifier could not change h at all, or use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check correctness.
- The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
... a better implementation of the proof (Second Solution, continued)

The issuer signs the intervals between revoked IDs: for the revocation list {1, 4, 5} it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N). Alice, whose credential contains the ID 3, proves that her credential contains i and that she holds Sig(i', j') with i' < i < j'. The verifier does not learn i, i' or j'.

Sig(i, j) can be realised with the credential signature scheme as well, using a different public key.
Revocable Credentials: Third Solution, using cryptographic accumulators (diagram)

- Credentials contain a random serial number (1, 2, 3, 4, 5, 6 in the picture)
- The issuer accumulates all good serial numbers into one accumulator value
- Alice proves that her credential contains a serial number that is included in the accumulator; the proof requires a witness
- To revoke serial number 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.

Accumulate:
- values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n

Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n

Security of the accumulator: show x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
- for fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption

Revocation: each cert is associated with an e, and each user gets a witness x with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
- commit to x:
  - choose random s and g, and
  - compute U1 = x h^s, U2 = g^s, and reveal U1, U2, g
- run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}

Analysis:
- no information about x and e is revealed:
  - (U1, U2) is a secure commitment to x
  - the proof protocol is zero-knowledge
- the proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1/h^δ)^μ (mod n), so U1/h^δ is a witness for μ
  c) d = c^ε a_1^ρ a_2^μ b^σ (mod n), so the same μ is the e in the certificate
Revocation, Third Solution: Dynamic Accumulator

When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n

When a certificate containing e_rev is revoked:
- now z' = v^{Π e_i} = z^{1/e_rev} mod n
- witness: use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
- now x' = x^b z'^a mod n
- why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
  = ((x^b z'^a)^{e_own · e_rev})^{1/e_rev} mod n
  = ((x^{e_own})^{b·e_rev} (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n
  = (z^{b·e_rev} z^{a·e_own})^{1/e_rev} mod n
  = z^{1/e_rev} mod n = z' :-)

Revocation, Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- thus z needs not be changed in case a new member joins
- witnesses need to be recomputed upon revocation only
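An RSA accumulator over prime serial numbers with membership witnesses, the add step that re-exponentiates all witnesses, and revocation with the extended-Euclid witness update x' = x^b · z'^a from the slide above, as an added example that is not part of the slides or of the Identity Mixer code. The modulus, seed and serial numbers are constructed toy values; the issuer computes z' = z^{1/e_rev} with the factorisation of n.

```python
# Added example (not from the slides): an RSA accumulator over prime serial
# numbers with membership witnesses, the add operation that re-exponentiates
# every witness, and revocation with the extended-Euclid witness update
# x' = x^b * z'^a (a*e_own + b*e_rev = 1). The issuer, who knows the factors
# of n, computes z' = z^(1/e_rev). Constructed toy primes; nothing here is secure.
import math

P_FAC, Q_FAC = 2003, 2011               # issuer secret: factorisation of n (toy)
N = P_FAC * Q_FAC
PHI = (P_FAC - 1) * (Q_FAC - 1)
V = pow(13, 2, N)                       # seed v, a quadratic residue


def bezout(u, w):
    """Extended Euclid: returns (a, b) with a*u + b*w = gcd(u, w), asserted to be 1."""
    old_r, r, old_a, a, old_b, b = u, w, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_a, a = a, old_a - q * a
        old_b, b = b, old_b - q * b
    assert old_r == 1
    return old_a, old_b


def verify_membership(z, e, x):
    """Verifier side: z == x^e mod n."""
    return z == pow(x, e, N)


class Accumulator:
    """Issuer-side state: accumulated primes, current value z, witnesses x_e."""

    def __init__(self, primes):
        assert all(math.gcd(e, PHI) == 1 for e in primes)
        self.primes = list(primes)
        prod = math.prod(primes)
        self.z = pow(V, prod, N)                          # z = v^(prod e_i)
        self.witnesses = {e: pow(V, prod // e, N) for e in primes}

    def add(self, e_new):
        """z' = z^e_new; every existing witness becomes x' = x^e_new."""
        assert math.gcd(e_new, PHI) == 1 and e_new not in self.primes
        self.witnesses = {e: pow(x, e_new, N) for e, x in self.witnesses.items()}
        self.witnesses[e_new] = self.z                    # old z is the witness for e_new
        self.z = pow(self.z, e_new, N)
        self.primes.append(e_new)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev) (needs phi(n)); update each remaining witness."""
        self.primes.remove(e_rev)
        del self.witnesses[e_rev]
        z_new = pow(self.z, pow(e_rev, -1, PHI), N)
        for e_own, x in list(self.witnesses.items()):
            a, b = bezout(e_own, e_rev)                   # a*e_own + b*e_rev = 1
            self.witnesses[e_own] = pow(x, b, N) * pow(z_new, a, N) % N
        self.z = z_new


def demo():
    serials = [37, 41, 43]                                # prime credential serials (constructed)
    acc = Accumulator(serials)
    acc.add(47)
    all_valid = all(verify_membership(acc.z, e, acc.witnesses[e]) for e in acc.primes)
    stale_witness = acc.witnesses[41]
    acc.revoke(41)
    still_valid = all(verify_membership(acc.z, e, acc.witnesses[e]) for e in acc.primes)
    revoked_fails = not verify_membership(acc.z, 41, stale_witness)
    return all_valid, still_valid, revoked_fails, sorted(acc.primes)


if __name__ == "__main__":
    print(demo())   # (True, True, True, [37, 43, 47])
```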
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
- No additional effort for the verifier
- If the credential is valid → no need to check revocation updates from the issuer

Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
- the user provides U = a_1^{m1} a_2^{m2} b^{s'}
- the issuer chooses e, s'' and computes c = (d / (U a_3^{m3} a_4^{time} b^{s''}))^{1/e} mod n
- the credential is (c, e, s'')

Idea: just repeat the last step for each new time time_i. The update information (c_i, e_i, s_i'') can be pushed to the user by many different means:
- choose e_i, s_i''
- c_i = (d / (U a_3^{m3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
Thank you

E-mail: identity@zurich.ibm.com

Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com

Code
– github.com/p2abcengine & abc4trust.eu/idemix
References

– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Identity Mixer solves this

When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Like PKI, but better

Privacy-protecting authentication with IBM Identity Mixer:
– one secret identity (secret key)
– many public pseudonyms (public keys)

Issuing a credential: the issuer certifies attributes bound to Alice's secret key, e.g. Name = Alice Doe, Birth date = April 3, 1997.
Privacy-protecting authentication with IBM Identity Mixer

Alice → Movie Streaming Service: I wish to see "Alice in Wonderland".
Movie Streaming Service → Alice: You need
– a subscription
– to be older than 12

Like PKI, but Alice does not send the credential, only a minimal disclosure:
– valid subscription
– eID with age ≥ 12
The service checks the disclosure against the public verification key of the issuer.

Movie Streaming Service: Aha, you
– are older than 12
– have a subscription
Advantages of Identity Mixer

For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access

For service providers: security, accountability and compliance
– avoiding the risk of losing personal data (the service holds less data that can be stolen)
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)

Demo

Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28).
Further Concepts

Concept – Inspection
• If the car is damaged, the ID must be retrievable by the insurance or the government (a trusted third party, TTP).
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line & can be distributed to lessen trust.

Concept – Revocation
• If Alice was speeding, her license needs to be revoked.
• There are many different use cases and many solutions:
  • variants of CRLs work (using crypto to maintain anonymity)
  • accumulators
  • signing entries & proof
  • limited validity – certs need to be updated
• For proving age, a revoked driver's license still works.
• The verifier needs the revocation authority parameters (public key) and the current revocation info.

Concept – Usage Limitation
• The degree of anonymity can be limited.
• If Alice and Eve (sharing one credential) are on-line at the same time, they are caught.
• Use limitation – anonymous until
  – Alice used her certs > 100 times in total
  – or > 10,000 times with Bob
• Alice's cert can be bound to a hardware token (e.g., TPM).
A couple of use cases

Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.

Healthcare
– Anonymous access to patients' records (e.g., accessing medical test results)
– Anonymous consultations with specialists (online chat with a psychologist, online consultation with IBM Watson)
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
– Patent databases
– DNA databases
– News/journals/magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Credentials

A Software Stack View on Identity Mixer

Both the user's wallet and the verifier consist of three layers:
– application layer: resource request (user side); access control & application logic (verifier side)
– policy layer: the verifier sends a presentation policy, the user answers with a presentation token. User side: policy/credential matcher, credential manager, store, evidence generation/orchestration. Verifier side: policy/token matcher, token manager, store, evidence verification/orchestration.
– crypto layer: Sig, Enc, Com, ZKP (on both sides), with a store

Privacy-protecting authentication with Privacy-ABCs: artefacts

– Issuer: issuer parameters, credential specification
– User: credential (with attributes, e.g. to prove 12 < age), pseudonym, presentation token
– Verifier: verifier parameters, presentation policy
The verifier sends the presentation policy to the user; the user returns a presentation token.

The Policy Layer – An Example Presentation Policy

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>

The policy asks for a credential of the "voucher" specification from the given issuer whose Expires attribute is at or after 2014-06-17T14:06:00Z; the user proves the predicate without revealing the attribute value.
So let's look at the cryptography

Required Technologies
– encryption schemes
– signature schemes
– commitment schemes
– zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-Knowledge Proofs

An interactive proof between a prover and a verifier about the prover's knowledge.

Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier

Three moves: commitment, challenge, response.

Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group $\langle g \rangle$ (of prime order $q$) and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x$ such that $y = g^x$, such that the verifier only learns $y$ and $g$.

  Prover (knows $x$)                      Verifier
  random $r$, $t = g^r$        -- t -->
                               <-- c --   random $c$
  $s = r - cx \bmod q$         -- s -->   accept iff $t = g^s y^c$

Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Proof of Knowledge

Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.

The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.

Rewind the prover to the same commitment $t$ and answer two different challenges $c \ne c'$, obtaining responses $s$ and $s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c' - c} = g^{s - s'}$
→ $y = g^{(s - s')/(c' - c)}$
→ $x = (s - s')/(c' - c) \bmod q$
Zero-Knowledge Proofs: Security

Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).

Idea: one can simulate whatever Bob "sees":
– choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$
– send $t$, receive $c$
– if $c = c'$ send $s = s'$, otherwise rewind and restart

Problem: if the domain of $c$ is too large, the success probability of the guess $c' = c$ becomes too small.
One way to modify the protocol to get a large domain for $c$

  Prover (knows $x$)                      Verifier
                               <-- h --   random $c_v$, $h = H(c_v)$
  random $r$, $t = g^r$        -- t -->
                               <-- c_v --
  check $h = H(c_v)$,
  $s = r - c_v x \bmod q$      -- s -->   accept iff $t = g^s y^{c_v}$

Notation: $PK\{(\alpha): y = g^\alpha\}$

Zero-Knowledge Proofs: Security (continued)

Simulation for the modified protocol:
– receive $h$; choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$ and send $t$
– after having received $c_v$, "reboot" the verifier: its commitment $h$ binds it to the same $c_v$
– choose random $s$, compute $t = g^{s} y^{c_v}$, send $t$, receive $c_v$ again, send $s$
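The three-move protocol, the rewinding extractor and the simulator, as an added worked example (not code from the slides or from Identity Mixer). It uses a toy group $p = 2027$, $q = 1013$, $g = 4$ (an assumption, far too small to be secure) and models the prover and the committing verifier as objects that can be "reset", which is exactly the black-box view the slides take.

```python
import hashlib
import random

# Toy Schnorr group (assumption, insecure): p = 2q+1, g generates the subgroup of order q.
p, q, g = 2027, 1013, 4


def keygen():
    x = random.randrange(1, q)
    return x, pow(g, x, p)                 # secret x, public y = g^x


# The three-move protocol PK{(alpha): y = g^alpha}
def prover_commit():
    r = random.randrange(q)
    return r, pow(g, r, p)                 # keep r, send t = g^r


def prover_respond(x, r, c):
    return (r - c * x) % q                 # s = r - c x (mod q)


def verifier_check(y, t, c, s):
    return t == pow(g, s, p) * pow(y, c, p) % p   # accept iff t = g^s y^c


def run_honest(x, y):
    r, t = prover_commit()
    c = random.randrange(q)
    return verifier_check(y, t, c, prover_respond(x, r, c))


# Soundness: two accepting transcripts with the same t and c1 != c2 give x.
def extract(c1, s1, c2, s2):
    # g^s1 y^c1 = g^s2 y^c2  =>  y^(c2 - c1) = g^(s1 - s2)  =>  x = (s1 - s2)/(c2 - c1)
    return (s1 - s2) * pow(c2 - c1, -1, q) % q


def extract_from_black_box(x, y):
    """Treat the prover as a resettable black box: same randomness r (same t), two challenges."""
    r, t = prover_commit()
    c1, c2 = 17, 911
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    if not (verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)):
        raise RuntimeError("transcripts do not verify")
    return extract(c1, s1, c2, s2)


# Zero-knowledge: a simulator that knows the challenge in advance needs no x.
def simulate(y, c):
    s = random.randrange(q)
    return pow(g, s, p) * pow(y, c, p) % p, s    # (t, s) with t = g^s y^c


class CommittingVerifier:
    """Large-challenge variant: the verifier first sends h = H(c_v), later opens c_v."""

    def __init__(self):
        self.c_v = random.randrange(q)

    def commit(self):
        return hashlib.sha256(str(self.c_v).encode()).digest()

    def open(self):
        return self.c_v


def simulate_against_committing_verifier(y, verifier):
    """Run once to learn c_v, "reboot" the verifier (its commitment pins c_v),
    then answer with a prepared t = g^s y^c_v."""
    verifier.commit()
    c_v = verifier.open()                  # first run: learn the challenge
    h = verifier.commit()                  # second run: same commitment, same c_v
    t, s = simulate(y, c_v)
    c = verifier.open()
    if hashlib.sha256(str(c).encode()).digest() != h:
        raise RuntimeError("verifier did not open its commitment")
    return verifier_check(y, t, c, s)
```

`extract_from_black_box` is the soundness argument made concrete: nothing about the prover's code is used, only that it can be rerun with the same $t$. `simulate_against_committing_verifier` is the zero-knowledge argument for the modified protocol: the transcript it produces is accepted by the honest check although the simulator never saw $x$.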
From Protocols To Signatures

Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$

Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$   ↔   $t = g^s y^c$

Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"

Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$

Zero-Knowledge Proofs of Knowledge of Discrete Logarithms: Extensions

Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$

Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$

Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$

Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$ ($\mathbf{g}$ generates a group of a different order)
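The Fiat-Shamir transform from the slide "From Protocols To Signatures" and the AND-combination from the extensions slide, as one added example (not code from the deck or from Identity Mixer). The toy group $p = 2027$, $q = 1013$, $g = 4$, $h = 9$ is an assumption, as is hashing the public values into the challenge (the slide writes $H(t \| m)$; binding $y$, $z$, $u$ into the hash is standard practice and costs nothing).

```python
import hashlib
import random

# Toy group (assumption, insecure): p = 2q+1, g and h generate the order-q subgroup.
p, q, g, h = 2027, 1013, 4, 9


def H(*parts):
    """Random-oracle stand-in: SHA-256 over the transcript, as an integer."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    x = random.randrange(1, q)
    return x, pow(g, x, p)


def spk_sign(x, y, m):
    """SPK{(alpha): y = g^alpha}(m): the verifier's random c is replaced by H(y, t, m)."""
    r = random.randrange(q)
    t = pow(g, r, p)
    c = H(y, t, m)
    return c, (r - c * x) % q            # (c, s)


def spk_verify(y, m, sig):
    c, s = sig
    t = pow(g, s, p) * pow(y, c, p) % p  # recompute t = g^s y^c
    return c == H(y, t, m)


def spk_and_sign(alpha, beta, m):
    """SPK{(alpha, beta): y = g^alpha AND z = g^beta AND u = g^beta h^alpha}(m):
    one challenge for all three equations, one response per secret."""
    y = pow(g, alpha, p)
    z = pow(g, beta, p)
    u = pow(g, beta, p) * pow(h, alpha, p) % p
    ra, rb = random.randrange(q), random.randrange(q)
    t1, t2 = pow(g, ra, p), pow(g, rb, p)
    t3 = pow(g, rb, p) * pow(h, ra, p) % p
    c = H(y, z, u, t1, t2, t3, m)
    return (y, z, u), (c, (ra - c * alpha) % q, (rb - c * beta) % q)


def spk_and_verify(pub, m, sig):
    y, z, u = pub
    c, sa, sb = sig
    t1 = pow(g, sa, p) * pow(y, c, p) % p
    t2 = pow(g, sb, p) * pow(z, c, p) % p
    t3 = pow(g, sb, p) * pow(h, sa, p) * pow(u, c, p) % p   # same sa, sb reused
    return c == H(y, z, u, t1, t2, t3, m)
```

The AND-proof reuses the responses $s_\alpha$, $s_\beta$ across the equations; that reuse is what ties the $\beta$ in $z = g^\beta$ to the $\beta$ in $u = g^\beta h^\alpha$, which is the mechanism the later "Some Example Proofs" slides rely on.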
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be elements of a group of prime order $q$.

What does
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$
mean?

→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$

And what about
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be group elements.

What does
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\gamma}\}$
mean?

→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3, \gamma$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\gamma} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\gamma} = g^{\alpha_2 \cdot \alpha_1} h^{\gamma + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\gamma + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$

And what about
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\gamma}\}$?
→ $C_2 = (g^{\alpha_1} h^{\beta_1})^{\alpha_1} h^{\gamma} = g^{\alpha_1^2} h^{\beta_1 \alpha_1 + \gamma}$
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2$ be group elements.

What does
$PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1} h^{\gamma}\}$
mean?

→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$g = (C_2/C_1)^{\alpha_1} h^{\gamma} = (g^{\alpha_2 - \alpha_1} h^{\beta_2 - \beta_1})^{\alpha_1} h^{\gamma} = g^{\alpha_1(\alpha_2 - \alpha_1)} h^{\alpha_1(\beta_2 - \beta_1) + \gamma}$
→ comparing the exponents of $g$: $\alpha_1(\alpha_2 - \alpha_1) = 1$, i.e. $g^{1/\alpha_1} = g^{\alpha_2 - \alpha_1}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$

In all three examples, reading off a relation between the exponents is only justified because the prover does not know $\log_g h$: otherwise she could trade $g$-exponents for $h$-exponents (compare the binding argument for Pedersen commitments below).
Privacy-protecting authentication with Privacy-ABCs: the building blocks

Alice's credential and her presentation tokens are built from
– a signature scheme
– a commitment scheme
– zero-knowledge proofs

Signature Schemes
Signature Scheme: Functionality

– Key generation: the signer generates a signing key and a verification key.
– Signing: on messages $(m_1, \ldots, m_k)$ compute $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \mathrm{sk})$.
– Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \mathrm{pk}) = \mathrm{true}$.

Signature Scheme: Security

Unforgeability under adaptive chosen message attack: the adversary obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice (one after the other, each chosen after seeing the previous signatures) and must not be able to output $\sigma$ and $m \ne m_i$ such that $\mathrm{ver}(\sigma, m, \mathrm{pk}) = \mathrm{true}$.
RSA Signature Scheme – for reference

Rivest, Shamir and Adleman, 1978

Secret key: two random primes $p$ and $q$
Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$

Computing a signature on a message $m \in \{0,1\}^*$:
$d = 1/e \bmod (p-1)(q-1)$
$s = H(m)^d \bmod n$

Verification of a signature $s$ on a message $m \in \{0,1\}^*$:
$s^e = H(m) \pmod n$

Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme – for reference

Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$

We would like to do a proof of knowledge of a signature on a message, e.g.
$PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-( – the statement contains $H(m)$, and the hash of a hidden message is not an algebraic relation the proof protocols above can handle.
CL-Signature Scheme

Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: the factors of $n$

To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
$c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^{s})\right)^{1/e} \bmod n$
– the signature is $(c, e, s)$

To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-Signature

Recall $d = c^e a_1^{m_1} a_2^{m_2} b^{s} \bmod n$

Observe:
– Let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$.
– Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.

To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some hidden $m_1$: provide $c'$ and run
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Commitment Schemes
Commitment Scheme: Functionality

The committer seals a message $m$ (in the picture: the date 2-36-17) into a commitment, hands the commitment over, and can later open it to reveal $m$.

Commitment Scheme: Security

– Binding: the committer cannot open the commitment to a different message $m' \ne m$ (e.g., 3-21-11 instead of 2-36-17).
– Hiding: for all messages $m, m'$, a commitment to $m$ and a commitment to $m'$ are indistinguishable to the receiver.
Commitment Schemes

Group $G = \langle g \rangle = \langle h \rangle$ of order $q$

To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen: perfectly hiding, computationally binding
  choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal: computationally hiding, perfectly binding
  choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$

To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^x h^r$

Pedersen's Commitment Scheme

Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.

Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x + ur}$. For any $x'$ put $r' = r + (x - x')/u$; then $x' + ur' = x + ur$ and
$c = g^{x' + ur'} = g^{x'} h^{r'}$.
I.e., given $c$ and any $x'$ there exists $r'$ such that $c = g^{x'} h^{r'}$: $c$ carries no information about $x$.

Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ with $x \ne x'$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. whoever can open $c$ in two ways knows the discrete logarithm of $h$.
Commitment Scheme: Extended Features

– Proof of knowledge of contents: prove knowledge of the committed $m$ without opening the commitment.
– Proof of relations among contents: prove, e.g., that $m' = 2 \cdot m$ for two commitments without opening either.

Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta): C = g^{\beta} h^{\alpha}\}$ (knowledge of contents)
$PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^2)^{\beta} h^{\gamma}\}$ (proves $m' = 2m$)
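Pedersen commitments with both security arguments made executable, plus the relation proof $m' = 2m$ from the "Extended Features" slide, as an added example (not code from the deck or from Identity Mixer). The toy group is an assumption, and so is the trapdoor: $h$ is generated as $g^{u}$ with a known $u$ so that the hiding argument ("for every $x'$ there is an $r'$") can be computed in the demo; a real setup picks $h$ so that nobody knows $\log_g h$.

```python
import hashlib
import random

# Toy group (assumption, insecure): p = 2q+1, g of order q.
# h = g^u with a KNOWN trapdoor u, only so the hiding argument can be demonstrated.
p, q, g = 2027, 1013, 4
_u = 321
h = pow(g, _u, p)


def commit(x):
    r = random.randrange(q)
    return pow(g, x, p) * pow(h, r, p) % p, r        # c = g^x h^r, opening r


def open_ok(c, x, r):
    return c == pow(g, x, p) * pow(h, r, p) % p


def equivocate(x, r, x2):
    """Hiding: for any x2 there is an r2 with the same c; with the trapdoor one can compute it."""
    return (r + (x - x2) * pow(_u, -1, q)) % q


def trapdoor_from_openings(x, r, x2, r2):
    """Binding: two openings of one commitment reveal log_g h = (x - x2)/(r2 - r)."""
    return (x - x2) * pow(r2 - r, -1, q) % q


def _H(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")


def prove_double(m, r, r2):
    """SPK{(alpha, beta, gamma): C = g^beta h^alpha AND C2 = (g^2)^beta h^gamma}:
    proves that C2 commits to 2m without opening either commitment."""
    C = pow(g, m, p) * pow(h, r, p) % p
    C2 = pow(g, 2 * m, p) * pow(h, r2, p) % p
    kb, ka, kg = (random.randrange(q) for _ in range(3))
    t1 = pow(g, kb, p) * pow(h, ka, p) % p
    t2 = pow(g, 2 * kb, p) * pow(h, kg, p) % p       # same kb: links beta across equations
    c = _H(C, C2, t1, t2)
    return (C, C2), (c, (kb - c * m) % q, (ka - c * r) % q, (kg - c * r2) % q)


def verify_double(coms, proof):
    C, C2 = coms
    c, sb, sa, sg = proof
    t1 = pow(g, sb, p) * pow(h, sa, p) * pow(C, c, p) % p
    t2 = pow(g, 2 * sb, p) * pow(h, sg, p) * pow(C2, c, p) % p
    return c == _H(C, C2, t1, t2)
```

`equivocate` and `trapdoor_from_openings` are two sides of the same identity $x + ur = x' + ur'$: knowing $u$ breaks binding, and breaking binding reveals $u$, which is why the scheme is only computationally binding but perfectly hiding.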
Putting Things Together

Realizing Pseudonyms and Key Binding

Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^{r}$
(A pseudonym is thus a Pedersen commitment to the secret key: one $sk$, many unlinkable pseudonyms.)
Concept: Credentials

Issuing a credential (like PKI, but better): the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997, bound to Alice's pseudonym.

Realizing Issuance of a Credential

Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$

New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

The user commits to the hidden messages $m_1, \ldots, m_j$; the signer sees only the commitment and the clear messages $m_{j+1}, \ldots, m_k$ and computes
$\sigma = \mathrm{sig}((\mathrm{commitment}(m_1, \ldots, m_j), m_{j+1}, \ldots, m_k), \mathrm{sk})$.

Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \mathrm{pk}) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the message clear parts and the openings of the commitments
Realizing Issuance of a Credential

Issuer's public key: $n, a_i, b, d$.

1. User: $C = a_1^{sk} b^{s'} \bmod n$; send $C$ and the clear attribute $name$.
2. User → issuer: $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
3. Issuer: choose $e, s''$ and compute $c = \left(d / (C\, a_2^{name}\, b^{s''})\right)^{1/e} \bmod n$; send $(c, e, s'')$.
4. User: the credential is $(c, e, s'' + s')$ with
$d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$

Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
1. User: $Nym = g^{sk} h^{r}$, $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$; send $C$, $Nym$, $name$.
2. User → issuer: $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
3. Issuer: $c = \left(d / (C\, a_3^{name}\, b^{s''})\right)^{1/e} \bmod n$; send $(c, e, s'')$; the issuer stores $(Nym, name)$.
4. User: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
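The CL-signature scheme (signing, verification, re-randomization from "Proving Knowledge of a CL-Signature") and the issuance on a hidden secret key from the slides just above, as one added example (not code from the deck or from Identity Mixer). The tiny safe primes $p = 1019$, $q = 1187$, the generators $a_i, b, d$ as squares of small constants, and $\ell = 10$ are assumptions for illustration and give no security. The zero-knowledge proof the user gives in step 2 (that $C$ is well-formed and matches $Nym$) is not implemented; the block shows the algebra the proof protects.

```python
import random

# Toy Strong-RSA setting (assumption, insecure). p = 2p'+1, q = 2q'+1, so QR_n has order p'q'.
# The factorization is the issuer's secret key.
_p, _q = 1019, 1187
n = _p * _q
_order_qr = ((_p - 1) // 2) * ((_q - 1) // 2)         # p'q' = 509 * 593
A = [pow(v, 2, n) for v in (2, 3, 5)]                   # a_1, a_2, a_3 in QR_n
b, d = pow(7, 2, n), pow(11, 2, n)

L = 10                                                  # messages m_i in [0, 2^L)
E_LO, E_HI = 2 ** (L + 1), 2 ** (L + 2)                 # prime e with 2^(L+1) < e < 2^(L+2)


def _is_prime(k):
    return k > 1 and all(k % f for f in range(2, int(k ** 0.5) + 1))


def pick_e():
    while True:
        e = random.randrange(E_LO + 1, E_HI)
        if _is_prime(e) and _order_qr % e:              # coprime to the group order
            return e


def _base(msgs, s):
    """a_1^m1 a_2^m2 a_3^m3 b^s mod n (pow computes the inverse for a negative s)."""
    acc = pow(b, s, n)
    for a, m in zip(A, msgs):
        acc = acc * pow(a, m, n) % n
    return acc


def cl_sign(msgs):
    """Issuer: c = (d / (a_1^m1 ... b^s))^(1/e) mod n, the e-th root taken via 1/e mod p'q'."""
    e, s = pick_e(), random.randrange(n)
    c = pow(d * pow(_base(msgs, s), -1, n) % n, pow(e, -1, _order_qr), n)
    return c, e, s


def cl_verify(sig, msgs):
    c, e, s = sig
    if not (E_LO < e < E_HI and len(msgs) == len(A) and all(0 <= m < 2 ** L for m in msgs)):
        return False
    return pow(c, e, n) * _base(msgs, s) % n == d


def randomize(sig):
    """User: (c b^t, e, s - e t) is another signature on the same messages, so a fresh c'
    can be shown at every presentation without linking presentations to each other."""
    c, e, s = sig
    t = random.randrange(n)
    return c * pow(b, t, n) % n, e, s - e * t


# Issuance on hidden messages: the user commits to (sk, r); the issuer signs the commitment
# together with the clear attribute `name` without ever learning sk or r.
def user_commit(sk, r):
    s1 = random.randrange(n)
    return _base([sk, r, 0], s1), s1                    # C = a_1^sk a_2^r b^s'


def issuer_sign_commitment(C, name):
    e, s2 = pick_e(), random.randrange(n)
    base = C * _base([0, 0, name], s2) % n              # C a_3^name b^s''
    c = pow(d * pow(base, -1, n) % n, pow(e, -1, _order_qr), n)
    return c, e, s2


def issue_credential(sk, r, name):
    C, s1 = user_commit(sk, r)
    c, e, s2 = issuer_sign_commitment(C, name)
    return c, e, s1 + s2                                # a CL-signature on (sk, r, name)
```

The issuer never sees `sk` or `r`, yet `issue_credential` returns a triple that `cl_verify` accepts on `(sk, r, name)`: the randomness $s'$ the user folded into $C$ simply adds to the issuer's $s''$. Without the step-2 proof an issuer would have no guarantee that $C$ commits to a well-formed key, which is why the real protocol never skips it.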
An Example Scenario

Polling: Scenario and Requirements

Scenario: pollster(s) and a number of users.
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.

Polling – Solution: Registration

– The user generates a pseudonym (ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
– The credential can contain attributes (e.g., course ID) about her. Issuer public key: $(n, a_1, a_2, a_3, b, d)$.

Polling – Solution: Submit Poll

1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms the credential.
3. The user presents the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.

Polling – Solution: Polling

1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
   – $c' = c\, b^{t} \bmod n$ with randomly chosen $t$ (and $s' = s - et$)
   – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
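The domain-pseudonym side of the polling scenario, as an added example (not code from the deck or from Identity Mixer): a per-poll base $g_d = H(pollID)$, the pseudonym $P = g_d^{sk}$, and a pollster that drops a second opinion under the same $P$. The toy group is an assumption, and so is the hash-to-group method (SHA-256, then squaring mod $p$ to land in the order-$q$ subgroup). The SPK that ties $P$ to the credential's $\mu_1$ is not implemented; the block shows the mechanism that proof then makes trustworthy.

```python
import hashlib

# Toy group (assumption, insecure): p = 2q+1, g generates the order-q subgroup.
p, q, g = 2027, 1013, 4


def hash_to_group(domain):
    """g_d = H(domain), mapped into <g> by squaring (assumption: a simple hash-to-group)."""
    hv = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big")
    gd = pow(hv, 2, p)
    while gd in (0, 1):            # avoid the degenerate bases 0 and 1
        hv += 1
        gd = pow(hv, 2, p)
    return gd


def domain_pseudonym(sk, domain):
    return pow(hash_to_group(domain), sk, p)     # P = H(pollID)^sk


class Pollster:
    """One poll: accepts at most one opinion per domain pseudonym."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = {}                           # domain pseudonym -> opinion

    def submit(self, P, opinion):
        # In the full protocol the SPK on (P, credential) is verified here first.
        if P in self.seen:
            return False                         # second opinion from the same sk: dropped
        self.seen[P] = opinion
        return True

    def opinions(self):
        return list(self.seen.values())
```

A user who votes twice produces the same $P$ because both the base and $sk$ are fixed for the poll; the same user in another poll gets a different base and therefore a $P$ that, under DDH, cannot be matched to the first one.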
Further Concepts

Concept – Inspection

Artefacts: inspector parameters (public key), inspection grounds.
• If the car is damaged, the ID must be retrievable by the insurance or the government (TTP).
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line & can be distributed to lessen trust.
Public Key Encryption

– Key generation
– Encryption
– Decryption

Security: like envelopes, the ciphertext reveals no information about the message. Even an adversary who chooses two messages and sees the encryption of one of them cannot tell which one was encrypted. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label

The label is important to bind context to an encryption: e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption

– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient

Open problem: to find new ones.
ElGamal Encryption Scheme

Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^x$

To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$

To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^r m\, y^{-r} = m$
Realizing Inspection

User: $Nym = g^{sk} h^{r}$ and a credential with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the issuer holds $(Nym, name)$.
Inspector: public key $y = g^x$.

Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
The same $\mu_1, \mu_2$ appear in the credential and inside $e_1$, so the ciphertext is guaranteed to contain exactly the $Nym$ the issuer registered.
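The inspection path in code, as an added example (not from the deck or from Identity Mixer): the user's pseudonym is ElGamal-encrypted under the inspector's key exactly as on the slide, and on inspection the decrypted pseudonym is looked up in the issuer's $(Nym, name)$ registry. The toy group and the registry dictionary are assumptions; the proof that the ciphertext contains the credential's pseudonym is not implemented.

```python
import random

# Toy group (assumption, insecure): p = 2q+1, g and h generate the order-q subgroup.
p, q, g, h = 2027, 1013, 4, 9


def inspector_keygen():
    x = random.randrange(1, q)
    return x, pow(g, x, p)                          # secret x, public y = g^x


def pseudonym(sk, r):
    return pow(g, sk, p) * pow(h, r, p) % p         # Nym = g^sk h^r


def encrypt(y, Nym):
    u = random.randrange(1, q)
    return pow(y, u, p) * Nym % p, pow(g, u, p)     # (e1, e2) = (y^u Nym, g^u)


def decrypt(x, ct):
    e1, e2 = ct
    return e1 * pow(e2, -x, p) % p                  # Nym = e1 / e2^x


def inspect(x, ct, registry):
    """Inspection grounds met: the (off-line) inspector decrypts and consults the issuer's
    registry (assumption: a dict Nym -> name) to recover the identity."""
    return registry.get(decrypt(x, ct))
```

Every presentation produces a fresh `(e1, e2)` because `u` is fresh, so verifiers cannot link presentations through the ciphertext; only the inspector, holding `x`, can reach the pseudonym behind it.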
Revocation of Credentials

Anonymous Credential Revocation

The issuer publishes revocation info; the verifier looks it up.
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user, …

Pseudonyms → standard revocation lists don't work (the verifier sees no fixed identifier it could look up).
Revocable Credentials: First Solution

Include into the credential some credential ID $u_i$ as a message, e.g.
$d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$

Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.

Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for all $u_j$ in $(u_1, \ldots, u_k)$
– prove
$PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$

Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID $u_i$ as a message, e.g.
$d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$

Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.

Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– the verifier checks that $U \ne h^{u_j}$ for all $u_j$ on the list

Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

What happens if we make the list of all valid $u_i$'s public?
If a credential is revoked, all its past transactions become linkable: anyone who recorded $(h, U)$ can test $U = h^{u_i}$ once $u_i$ is published.
Revocable Credentials: Second Solution (variation)

The verifier could choose $h$ and keep it fixed for a while:
– it can pre-compute the list $U_j = h^{u_j}$ → a single table lookup per presentation
– BUT if the user comes again, the verifier can link the two visits (same $h$ and same $u_i$ give the same $U$)
– ALSO the verifier could refuse to change $h$ at all, or use the same $h$ as other verifiers (linking visits across verifiers)
– one way out: $h = H(\mathrm{verifier}, \mathrm{date})$, so the user can check that $h$ was derived correctly
– the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
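The verifier side of the second solution with the pre-computed table and the derived base $h = H(\mathrm{verifier}, \mathrm{date})$, as an added example (not code from the deck or from Identity Mixer). The toy group and the hash-to-group method are assumptions; the proof that $U$ uses the credential's own $u_i$ is omitted. `linkable` makes the caveat on the slide concrete: under a fixed $h$ two visits by the same user produce the same $U$.

```python
import hashlib

# Toy group (assumption, insecure): p = 2q+1, g generates the order-q subgroup.
p, q, g = 2027, 1013, 4


def derive_base(verifier_id, date):
    """h = H(verifier, date) mapped into <g> (assumption: SHA-256, then squaring mod p).
    The user can recompute it and refuse a base the verifier did not derive this way."""
    hv = int.from_bytes(hashlib.sha256(f"{verifier_id}|{date}".encode()).digest(), "big")
    base = pow(hv, 2, p)
    while base in (0, 1):
        hv += 1
        base = pow(hv, 2, p)
    return base


def user_blinded_id(h, u):
    return pow(h, u, p)                 # U = h^u; the PK linking u to the credential is omitted


def revocation_table(h, revoked):
    """Verifier, once per (verifier, date): h^uj for every revoked uj."""
    return {pow(h, uj, p): uj for uj in revoked}


def check_not_revoked(U, table):
    return U not in table               # one lookup instead of k exponentiations per user


def linkable(U1, U2):
    return U1 == U2                     # same h, same credential -> same U: the price of a fixed h
```

Rotating the date in `derive_base` bounds the linking window to whatever granularity the verifier announces; the verifier pays one table rebuild per rotation, the user pays one exponentiation per visit.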
Revocable Credentials: Second Solution – a better implementation of the proof

The issuer signs the intervals between revoked IDs: for the revocation list $\{1, 4, 5\}$ (IDs ranging up to $N$) it publishes
$\mathrm{Sig}(0, 1)$, $\mathrm{Sig}(1, 4)$, $\mathrm{Sig}(4, 5)$, $\mathrm{Sig}(5, N)$

Alice's credential contains $u$ (e.g., $u = 3$). She proves that she knows a signed interval $(i, j)$ with $i < u < j$, i.e.
$PK\{\ldots: \text{the credential contains } u \wedge \mathrm{Sig}(i, j) \text{ is valid} \wedge i < u < j\}$
The verifier learns neither $u$ nor $i, j$.

$\mathrm{Sig}(i, j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution

Using cryptographic accumulators:
– credentials contain a random serial number (in the picture: 1, 2, 3, 4, 5, 6)
– the issuer accumulates all good serial numbers into one value
– Alice proves that the serial number in her credential is included in the accumulator; the proof requires a witness
– to revoke serial 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.

Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$; it can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$

Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution

Security of the accumulator: it must be infeasible to show $x$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption
– For any $e$: equivalent to the Strong RSA assumption

Revocation: each cert is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
– commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$

Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$, i.e. $U_1 / h^{\delta}$ is a witness for $\mu$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the $e$ signed in the certificate
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
- Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
- Witness: use the extended Euclidean algorithm to compute $a$, $b$ s.t. $a\,e_{own} + b\,e_{rev} = 1$; now $x' = x^{b} z'^{a} \bmod n$
- Why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b\,e_{rev}} (z'^{e_{rev}})^{a\,e_{own}})^{1/e_{rev}} = (z^{b\,e_{rev}} z^{a\,e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
- Recall $z = v^{\prod e_i} \bmod n$
- Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
- User sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- Issuer chooses $e$, $s''$ and computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
- Issuer sends $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive). Idea: just repeat the last step for each new time period $time_i$:
- Issuer chooses $e_i$, $s_i''$ and computes $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
- Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
e-mail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- Jan Camenisch, Natalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
- Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185-215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology, CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology, Proceedings of CRYPTO '82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology, CRYPTO 2003, pp. 126-144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology, CRYPTO '84.
Like PKI, but better
Privacy-protecting authentication with IBM Identity Mixer
- One secret identity (secret key)
- Many public pseudonyms (public keys)
Like PKI, but better
Issuing a credential
[Figure: the issuer signs Alice's attributes: Name = Alice Doe, Birth date = April 3, 1997]
Privacy-protecting authentication with IBM Identity Mixer
[Figure: Alice and a movie streaming service, shown in several steps]
- Alice: "I wish to see Alice in Wonderland."
- Movie Streaming Service: "You need a subscription and to be older than 12."
- Like PKI, but Alice does not send the credential, only a minimal disclosure: a valid subscription and an eID with age ≥ 12, checked against the public verification key of the issuer.
- Movie Streaming Service: "Aha, you are older than 12 and have a subscription."
Advantages of Identity Mixer
For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept: Inspection
[Figure: a trusted third party (TTP) that can open a verifiably encrypted identity]
- If the car is damaged, the ID needs to be retrievable by the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- TTP is off-line & can be distributed to lessen trust
Concept: Revocation
[Figure: revocation authority publishes its parameters (public key) and the revocation info]
- If Alice was speeding, her license needs to be revoked
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries & proof
  - limited validity: certs need to be updated
- For proving age, a revoked driver's license still works
Concept: Usage Limitation
- Degree of anonymity can be limited: if Alice and Eve are on-line at the same time, they are caught
- Use limitation, anonymous until: Alice used certs > 100 times in total, or > 10,000 times with Bob
- Alice's cert can be bound to a hardware token (e.g., TPM)
A couple of use cases
Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation
Healthcare
- Anonymous access to patients' records: accessing medical test results
- Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
- Patent databases
- DNA databases
- News/journals/magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on both the user side (wallet) and the verifier side]
- Application layer: resource request; the wallet on the user side, access control & application logic on the verifier side
- Policy layer: presentation policy (from the verifier) and presentation token (from the user); user side: policy/credential matcher, credential manager, store, evidence generation orchestration; verifier side: policy/token matcher, token manager, store, evidence verification orchestration
- Crypto layer: signatures, encryption, commitments and zero-knowledge proofs (Sig, Enc, Com, ZKP), with a store on each side
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer (issuer parameter) issues a credential following a credential specification; the user derives a pseudonym and a presentation token (e.g., proving 12 < age) that satisfies the verifier's presentation policy (verifier parameter)]
The Policy Layer: An Example Presentation Policy
[Figure: the verifier sends a presentation policy to the user, who answers with a presentation token]
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge, in three rounds: commitment, challenge, response.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
- Prover: chooses random $r$, computes $t = g^r$, sends $t$
- Verifier: chooses random $c$, sends $c$
- Prover: computes $s = r - cx$, sends $s$
- Verifier: checks $t = g^s y^c$
Notation: PK{$(\alpha)$: $y = g^{\alpha}$}
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
[Figure: the extractor runs the prover twice with the same $t$ and different challenges, obtaining $(t, c, s)$ and $(t, c', s')$]
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$ → $y = g^{(s' - s)/(c - c')}$ → $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
[Figure: a simulated transcript $(t, c, s)$]
- Choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$
- If the verifier's challenge is $c = c'$, send $s = s'$; otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
- Verifier: chooses random $c$, computes $h = H(c)$, sends $h$
- Prover: chooses random $r$, computes $t = g^r$, sends $t$
- Verifier: sends $c$
- Prover: checks $h = H(c)$, computes $s = r - cx$, sends $s$
- Verifier: checks $t = g^s y^c$
Notation: PK{$(\alpha)$: $y = g^{\alpha}$}
Zero-Knowledge Proofs: Security
Simulation for the modified protocol with a large domain for $c$:
- Receive $h$; choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- After having received $c$, "reboot" the verifier (it will send the same $h$ and $c$ again)
- Choose random $s$, compute $t = g^s y^c$, send $t$, receive $c$ again, send $s$
From Protocols to Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: SPK{$(\alpha)$: $y = g^{\alpha}$}$(m)$
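The protocol, extractor, simulator and signature of the preceding slides in one runnable piece, added here as an example that is not part of the original deck. The toy group (p = 2039, q = 1019, g = 4) and all function names are constructed for this illustration; SHA-256 stands in for the random-oracle hash H.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example (not from the slides):
# p = 2q + 1 with q prime; g = 2^2 mod p is a quadratic residue and therefore
# generates the subgroup <g> of prime order q.  Real deployments use a
# 2048-bit p or an elliptic curve; the arithmetic below is unchanged.
P = 2039
Q = 1019
G = 4


def keygen():
    """Prover's secret x and public y = g^x; the proof shows knowledge of x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: the prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Round 3: answer challenge c with s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """The verifier accepts iff t == g^s * y^c (mod p)."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts sharing the same t but
    with different challenges give y^(c1-c2) = g^(s2-s1), so
    x = (s2-s1)/(c1-c2) mod q.  This is the soundness argument of the slide."""
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q


def simulate(y):
    """Zero-knowledge simulator: pick c and s first, then solve for t.
    The transcript verifies although nobody here knows x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s


def _challenge(t, msg):
    """Fiat-Shamir: the challenge is the hash of commitment and message."""
    data = t.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def spk_sign(x, msg):
    """SPK{(alpha): y = g^alpha}(msg), i.e. a Schnorr signature on msg."""
    r, t = prover_commit()
    c = _challenge(t, msg)
    return c, prover_respond(x, r, c)


def spk_verify(y, msg, sig):
    """Recompute t' = g^s y^c and check that it hashes (with msg) to c."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return _challenge(t, msg) == c
```

Note what the extractor needs: the same commitment t answered for two different challenges. An honest verifier never sees that, but a prover that can be rewound can be made to produce it, which is why a convincing prover must "know" x. The simulator shows the other direction: a transcript alone carries no information about x, because anyone can manufacture one.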
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
- PK{$(\alpha, \beta)$: $y = g^{\alpha}$ ∧ $z = g^{\beta}$ ∧ $u = g^{\beta} h^{\alpha}$}
- PK{$(\alpha, \beta)$: $y = g^{\alpha}$ ∨ $z = g^{\beta}$}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- SPK{$(\alpha)$: $y = g^{\alpha}$}$(m)$
Many exponents:
- PK{$(\alpha, \beta, \gamma, \delta)$: $y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}$}
Intervals and groups of different order (under SRSA):
- PK{$(\alpha)$: $y = g^{\alpha}$ ∧ $\alpha \in [A, B]$}
- PK{$(\alpha)$: $y = g^{\alpha}$ ∧ $z = g'^{\alpha}$ ∧ $\alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(g'))]$}
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. Now what does
PK{$(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3)$: $C_1 = g^{\alpha_1} h^{\beta_1}$ ∧ $C_2 = g^{\alpha_2} h^{\beta_2}$ ∧ $C_3 = g^{\alpha_3} h^{\beta_3}$ ∧ $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}$}
mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about PK{$(\alpha_1, \ldots, \beta_3)$: $C_1 = g^{\alpha_1} h^{\beta_1}$ ∧ $C_2 = g^{\alpha_2} h^{\beta_2}$ ∧ $C_3 = g^{\alpha_3} h^{\beta_3}$ ∧ $C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}$}?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$

Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. Now what does PK{$(\alpha_1, \ldots, \beta_3)$: $C_1 = g^{\alpha_1} h^{\beta_1}$ ∧ $C_2 = g^{\alpha_2} h^{\beta_2}$ ∧ $C_3 = g^{\alpha_3} h^{\beta_3}$ ∧ $C_3 = C_2^{\alpha_1} h^{\beta_3}$} mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about PK{$(\alpha_1, \beta_1, \ldots, \beta_2)$: $C_1 = g^{\alpha_1} h^{\beta_1}$ ∧ $C_2 = g^{\alpha_2} h^{\beta_2}$ ∧ $C_2 = C_1^{\alpha_1} h^{\beta_2}$}?
→ $\alpha_2 = \alpha_1^2 \pmod q$

Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. Now what does PK{$(\alpha_1, \ldots, \beta_2)$: $C_1 = g^{\alpha_1} h^{\beta_1}$ ∧ $C_2 = g^{\alpha_2} h^{\beta_2}$ ∧ $g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}$} mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and $g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$, and $C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Signature schemes
Signature Scheme: Functionality
- Key generation: the signer generates a signing key and a public verification key
- Signing: $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \text{signing key})$
- Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$
Signature Scheme: Security
Unforgeability under adaptive chosen message attack:
[Figure: the adversary adaptively obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice]
- the adversary wins if it outputs $\sigma$ and $m \neq m_i$ s.t. $\mathrm{ver}(\sigma, m, \text{verification key}) = \mathrm{true}$
RSA Signature Scheme (for reference)
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of a signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme (for reference)
Verification of a signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. PK{$(\mu, \sigma)$: $\sigma^e = H(\mu) \pmod n$}?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: the factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
- choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
- the signature is $(c, e, s)$
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-Signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$. Observe:
- Let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
- Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of the signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
PK{$(\varepsilon, \mu_1, \sigma)$: $d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma}$ ∧ $\mu_1 \in \{0,1\}^{\ell}$ ∧ $\varepsilon > 2^{\ell+1}$}
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Commitment scheme
Commitment Scheme: Functionality
[Figure: the committer seals a message $m$ (e.g. 2-36-17) in an envelope and later opens it, revealing $m$]
Commitment Scheme: Security
- Binding: [Figure: the committer cannot open the envelope to a different message $m'$ (e.g. 3-21-11) than the $m$ it was sealed with]
- Hiding: for all messages $m$, $m'$ [Figure: the sealed envelopes for $m$ and $m'$ look the same]
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
Commitment Scheme: Extended Features
- Proof of knowledge of contents: [Figure: the committer proves knowledge of the $m$ inside a sealed commitment without opening it]
- Proof of relations among contents: [Figure: proof that $m' = 2 \cdot m$ for two sealed commitments to $m$ and $m'$]
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$; then
- PK{$(\alpha, \beta)$: $C_1 = g^{\beta} h^{\alpha}$}
- PK{$(\alpha, \beta, \gamma)$: $C_1 = g^{\beta} h^{\alpha}$ ∧ $C_2 = (g^2)^{\beta} h^{\gamma}$}
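An added example (not from the slides) of Pedersen commitments and the two proofs just listed: committing, opening, the "breaking binding means computing log_g h" argument of the previous slide, and a Fiat-Shamir version of PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ} showing that C2 hides 2·m. The group p = 2039, q = 1019, g = 4 and the derivation of h by hashing are constructed assumptions; the shared-exponent argument is the one analysed in the "Some Example Proofs" slides.

```python
import hashlib
import secrets

# Toy group constructed for this example (not from the slides): p = 2q + 1,
# g = 4 generates the subgroup of prime order q.  A real system uses a
# 256-bit-order group; the formulas below are unchanged.
P, Q, G = 2039, 1019, 4


def hash_to_group(label):
    """Second base h with unknown log_g h: hash a label into Z_p and square it
    (every square lies in the order-q subgroup).  Nobody knows u = log_g h,
    which is exactly what the binding argument on the slide relies on."""
    v = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(v, 2, P)


H = hash_to_group(b"pedersen second base")


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r; returns (c, r) so the opening can be kept."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_check(c, x, r):
    """Verifier side of an opening: recompute g^x h^r and compare."""
    return c == pow(G, x, P) * pow(H, r, P) % P


def log_from_double_opening(x1, r1, x2, r2):
    """Binding <-> discrete log: two openings (x1,r1) != (x2,r2) of the same c
    give g^(x1-x2) = h^(r2-r1), i.e. log_g h = (x1-x2)/(r2-r1) mod q."""
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q


def _challenge(*elems):
    """Fiat-Shamir challenge in Z_q^* over all public values of the proof."""
    data = b"".join(e.to_bytes(2, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def prove_double(m, r1, r2):
    """SPK{(beta, alpha, gamma): C1 = g^beta h^alpha  AND  C2 = (g^2)^beta h^gamma}
    for C1 = g^m h^r1 and C2 = g^(2m) h^r2.  One random value rb is used for
    beta in BOTH equations; the shared response is what proves m' = 2m."""
    c1, _ = commit(m, r1)
    c2, _ = commit(2 * m, r2)
    g2 = pow(G, 2, P)
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, rb, P) * pow(H, ra, P) % P
    t2 = pow(g2, rb, P) * pow(H, rg, P) % P
    c = _challenge(c1, c2, t1, t2)
    proof = (c, (rb - c * m) % Q, (ra - c * r1) % Q, (rg - c * r2) % Q)
    return c1, c2, proof


def verify_double(c1, c2, proof):
    """Recompute t1, t2 from the responses and check that they hash to c."""
    c, sb, sa, sg = proof
    g2 = pow(G, 2, P)
    t1 = pow(G, sb, P) * pow(H, sa, P) * pow(c1, c, P) % P
    t2 = pow(g2, sb, P) * pow(H, sg, P) * pow(c2, c, P) % P
    return _challenge(c1, c2, t1, t2) == c
```

The relation proof reveals neither m nor the randomness: the verifier only sees C1, C2, the two t values and the three responses, each of which is uniformly distributed. If the second commitment hid anything other than 2·m, the exponent of g in the recomputed t2 would be off by a non-zero multiple of the challenge and the hash check would fail.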
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$. The user's secret key is a random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
- choose random $r \in \mathbb{Z}_q$
- compute $Nym = g^{sk} h^{r}$
Like PKI, but better
Privacy-protecting authentication with Privacy ABCs. Concept: credentials.
[Figure: issuing a credential with Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space. Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the user commits to the hidden messages $m_1, \ldots, m_j$; the signer receives the commitment and the clear messages $m_{j+1}, \ldots, m_k$ and returns $\sigma = \mathrm{sig}((\text{commitment}, m_{j+1}, \ldots, m_k))$; still $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$]
Verification remains unchanged. Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is w.r.t. the message clear parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: $(n, a_i, b, d)$. Without a pseudonym:
- User: computes $C = a_1^{sk} b^{s'}$, sends $C$ and $name$, and proves PK{$(\mu_1, \sigma')$: $C = a_1^{\mu_1} b^{\sigma'}$}
- Issuer: chooses $e$, $s''$ and computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$, sends $(c, e, s'')$
- Result: $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
- User: computes $C = a_1^{sk} a_2^{r} b^{s'}$, sends $C$, $Nym$ and $name$, and proves PK{$(\mu_1, \rho, \sigma')$: $Nym = g^{\mu_1} h^{\rho}$ ∧ $C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}$}
- Issuer: stores $(Nym, name)$, chooses $e$, $s''$ and computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$, sends $(c, e, s'')$
- Result: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
An Example Scenario
Polling: Scenario and Requirements
- Pollster(s) and a number of users
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous; a user's opinions in different polls must not be linkable
Polling: Solution, Registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer's public key $(n, a_1, a_2, b, d)$
- The credential can contain attributes (e.g., course ID) about her
Polling: Solution, Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms the credential
3. Transformed credential with a subset of the attributes
- The user is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling: Solution, Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential: $c' = c\, b^{s} \bmod n$ with randomly chosen $s$, and computes SPK{$(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma)$: $P = g_d^{\mu_1}$ ∧ $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n$ ∧ $\mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell}$ ∧ $\varepsilon > 2^{\ell+1}$}$(opinion)$
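An added example, not the deck's or Identity Mixer's code, that joins the CL signature slides (signing, verification and the c' = c·b^t randomisation from "Proving Knowledge of a CL-signature") with the polling presentation above: the user randomises her credential, derives the domain pseudonym P = H(pollID)^sk and produces the SPK over both equations with the opinion as the signed message. The toy parameters (n = 1019·1031, an 8-bit message space, a 2039-element pseudonym group, one attribute instead of the slide's a2 and a3) are constructed; the range checks μ ∈ {0,1}^ℓ and ε > 2^{ℓ+1} from the slide are omitted, so this shows the proof structure rather than a production-strength instance.

```python
import hashlib
import math
import secrets

# Toy parameters constructed for this example (not from the slides).  A real
# deployment uses a 2048-bit n = pq of safe primes and a 256-bit-order
# pseudonym group; here everything is tiny so the example runs instantly.
L_MSG = 8                    # messages (sk, attribute) lie in {0,1}^ell
PP = 2039                    # pseudonym group modulus p = 2q + 1, q = 1019
C_BITS, SLACK = 128, 64      # Fiat-Shamir challenge length, statistical slack


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def _random_qr(n):
    """Random square in Z_n^*, i.e. a random element of QR_n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return pow(r, 2, n)


def keygen(p=1019, q=1031):
    """Issuer key: modulus n and bases a1 (for sk), a2 (attribute), b, d in QR_n."""
    n = p * q
    pk = dict(n=n, a1=_random_qr(n), a2=_random_qr(n), b=_random_qr(n), d=_random_qr(n))
    return pk, (p - 1) * (q - 1)


def sign(pk, phi, sk, attr):
    """Issue (c, e, s) with d = c^e a1^sk a2^attr b^s (mod n)."""
    n, lo, hi = pk["n"], 2 ** (L_MSG + 1), 2 ** (L_MSG + 2)
    while True:                             # prime e with 2^(l+1) < e < 2^(l+2)
        e = secrets.randbelow(hi - lo - 2) + lo + 1
        if _is_prime(e) and math.gcd(e, phi) == 1:
            break
    s = secrets.randbelow(n) + n            # integer s of about the size of n
    prod = pow(pk["a1"], sk, n) * pow(pk["a2"], attr, n) * pow(pk["b"], s, n) % n
    c = pow(pk["d"] * pow(prod, -1, n) % n, pow(e, -1, phi), n)   # e-th root
    return c, e, s


def verify(pk, sk, attr, sig):
    """d == c^e a1^sk a2^attr b^s (mod n) and e in the prescribed range."""
    c, e, s = sig
    n = pk["n"]
    rhs = pow(c, e, n) * pow(pk["a1"], sk, n) * pow(pk["a2"], attr, n) * pow(pk["b"], s, n) % n
    return 2 ** (L_MSG + 1) < e < 2 ** (L_MSG + 2) and pk["d"] == rhs


def randomize(pk, sig):
    """c' = c b^t, s' = s - e t: an unlinkable re-randomisation of the same signature."""
    c, e, s = sig
    t = secrets.randbelow(pk["n"] - 1) + 1
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


def domain_base(poll_id):
    """g_d = H(pollID): hash into Z_p and square to land in the order-q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(poll_id).digest(), "big") % PP, 2, PP)


def _challenge(*ints):
    data = b"|".join(str(i).encode() for i in ints)
    return int.from_bytes(hashlib.sha256(data).digest()[: C_BITS // 8], "big")


def present(pk, sig, sk, attr, poll_id, opinion):
    """Step 2 of the polling slide: SPK{(eps, mu1, mu3, sigma):
    P = g_d^mu1  AND  d = c'^eps a1^mu1 a2^mu3 b^sigma}(opinion).
    sk and the attribute stay hidden; mu1 is shared between the two
    equations, which ties the domain pseudonym to the credential."""
    n = pk["n"]
    c2, e, s2 = randomize(pk, sig)
    gd = domain_base(poll_id)
    p_dom = pow(gd, sk, PP)

    def rnd(bits):                          # integer wide enough to hide the witness
        return secrets.randbits(bits + C_BITS + SLACK)

    r_e, r_sk, r_at, r_s = rnd(L_MSG + 2), rnd(L_MSG), rnd(L_MSG), rnd(2 * n.bit_length())
    t_cl = pow(c2, r_e, n) * pow(pk["a1"], r_sk, n) * pow(pk["a2"], r_at, n) * pow(pk["b"], r_s, n) % n
    t_p = pow(gd, r_sk, PP)
    ch = _challenge(p_dom, c2, t_cl, t_p, int.from_bytes(opinion, "big"))
    resp = (r_e - ch * e, r_sk - ch * sk, r_at - ch * attr, r_s - ch * s2)
    return p_dom, c2, ch, resp


def check_presentation(pk, poll_id, opinion, p_dom, c2, ch, resp):
    """Pollster: rebuild both t values from public data and responses; the
    responses are integers, so negative exponents mean inverses mod n / mod p."""
    n = pk["n"]
    s_e, s_sk, s_at, s_s = resp
    gd = domain_base(poll_id)
    t_cl = (pow(pk["d"], ch, n) * pow(c2, s_e, n) * pow(pk["a1"], s_sk, n)
            * pow(pk["a2"], s_at, n) * pow(pk["b"], s_s, n) % n)
    t_p = pow(p_dom, ch, PP) * pow(gd, s_sk, PP) % PP
    return _challenge(p_dom, c2, t_cl, t_p, int.from_bytes(opinion, "big")) == ch
```

The pollster keeps the set of domain pseudonyms seen for this pollID: a second submission by the same user reproduces the same P and is dropped, while the same user's P for another pollID is computed under a different base and cannot be matched against it. Because the opinion is hashed into the challenge, it cannot be swapped after the fact without invalidating the token.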
Further Concepts
Concept: Inspection
[Figure: a trusted third party (TTP) with inspector parameters and inspection grounds]
- If the car is damaged, the ID needs to be retrievable by the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- TTP is off-line & can be distributed to lessen trust
Public Key Encryption
- Key generation
- Encryption
- Decryption
Security: like envelopes, no information about the message leaks. [Figure: the ciphertexts of two messages look the same] This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or rarely ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$. Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
Setting: $Nym = g^{sk} h^{r}$, credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$, inspector's public key $y = g^x$.
- Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$
- Compute the proof token (presentation token): compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$ and the proof
  PK{$(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho)$: $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma}$ ∧ $e_1 = y^{\rho} g^{\mu_1} h^{\mu_2}$ ∧ $e_2 = g^{\rho}$ ∧ $\mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell}$ ∧ $\varepsilon > 2^{\ell+1}$}
Revocation of Credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
Various reasons to revoke a credential: the user lost the credential's secret key, misbehavior of the user, ...
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove PK{$(\varepsilon, \mu, \rho, \sigma)$: ($d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$ ∧ $U_1 = g^{\mu}$) ∨ … ∨ ($d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$ ∧ $U_k = g^{\mu}$)}
Not very efficient, i.e., linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove PK{$(\varepsilon, \mu, \rho, \sigma)$: $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$ ∧ $U = h^{\mu}$}
- the verifier checks whether $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while, and can pre-compute the list $U_i = h^{u_i}$ → single table lookup. BUT if the user comes again, the verifier can link her; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
- One way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness
- The date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
Revocable Credentials: Second Solution
... better implementation of the proof
[Figure: revocation list {1, 4, 5} on a number line from 0 to N; the issuer signs the intervals between revoked values, Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a user whose credential contains 3 proves possession of Sig(i,j) with i < 3 < j]
- The issuer signs the intervals between revoked values → revocation list (1, 4, 5)
- The user proves that her credential contains a value $v$ and that she holds Sig(i,j) with $i < v < j$; the verifier does not learn $i$, $j$
- Sig(i,j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: accumulator containing the serial numbers 1 to 6; credential 2 is shown with its witness]
- Credentials contain a random serial number
- The issuer accumulates all good serial numbers
- The user proves that her credential's serial number is included in the accumulator; the proof requires a witness
- To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
[Figure: accumulator containing the serial numbers 1 to 6]
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^e \bmod n$
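The accumulator of this slide together with the dynamic updates on the earlier "Revocation: Third Solution" slides (adding e_new, revoking e_rev with the extended-Euclid witness update, and the improved join when the issuer knows the factorization), as an added Python example that is not part of the deck. The modulus n = 1019·1031, the seed v = 4 and the serial primes are constructed toy values; the primes are chosen coprime to φ(n) so that e-th roots exist.

```python
import secrets

# Toy modulus constructed for this example (not from the slides).  In the real
# scheme n is a 2048-bit product of safe primes whose factorization only the
# issuer knows; here p, q are small so that the example runs instantly.
P, Q = 1019, 1031
N = P * Q
PHI = (P - 1) * (Q - 1)      # issuer secret, needed for e-th roots mod n


def accumulate(v, primes):
    """z = v^(prod e_i) mod n: the published accumulator of all good serials."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(v, primes, e_j):
    """x = v^(prod_{i != j} e_i) mod n, so that x^e_j == z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def check(z, x, e):
    """Verifier: e is accumulated iff z == x^e (mod n).  That is all it checks."""
    return z == pow(x, e, N)


def add_member(z, x, e_new):
    """Join (basic variant): z' = z^e_new, and every holder must update x' = x^e_new."""
    return pow(z, e_new, N), pow(x, e_new, N)


def revoke(z, e_rev, phi=PHI):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n, using the factorization of n."""
    return pow(z, pow(e_rev, -1, phi), N)


def _ext_gcd(u, w):
    """Return (a, b) with a*u + b*w = gcd(u, w); the gcd is 1 for distinct primes."""
    old_r, r = u, w
    old_a, a = 1, 0
    old_b, b = 0, 1
    while r:
        qt = old_r // r
        old_r, r = r, old_r - qt * r
        old_a, a = a, old_a - qt * a
        old_b, b = b, old_b - qt * b
    assert old_r == 1
    return old_a, old_b


def update_witness_after_revocation(x, e_own, z_new, e_rev):
    """Holder of e_own updates x -> x' WITHOUT the factorization: find a, b with
    a*e_own + b*e_rev = 1 and set x' = x^b * z'^a mod n.  Then
    x'^e_own = z^b * z'^(a e_own) = z'^(b e_rev + a e_own) = z'."""
    a, b = _ext_gcd(e_own, e_rev)
    return pow(x, b, N) * pow(z_new, a, N) % N


def join_without_changing_z(z, e_new, phi=PHI):
    """Improved variant: the issuer knows phi(n), so instead of z' = z^e_new it
    hands the newcomer x = z^(1/e_new) directly; z and all other witnesses stay."""
    return pow(z, pow(e_new, -1, phi), N)
```

Note what the verifier relies on: only z = x^e mod n for the published z. Producing such an (x, e) for an e the issuer never accumulated is exactly the Strong RSA problem the slide names, which is why the accumulator can be published without a list of valid serials and why a revoked holder's old witness stops working as soon as z changes.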
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \ \Rightarrow\ \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  • Now $x' = x^{b} z'^{a} \bmod n$
  • Why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
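An added example, not code from the slides or from Identity Mixer: a toy implementation of the accumulator life cycle described on these slides (accumulate, witness, membership check, join with and without the trapdoor, revocation with the extended-Euclid witness update). The modulus, seed and credential primes are constructed and far too small for real use.

```python
# Toy RSA accumulator following the slides: z = v^(prod e_i) mod n, witnesses,
# membership check, dynamic add/revoke and the Ext-Euclid witness update.
# All parameters are constructed and far too small for real use.

def ext_euclid(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

# Constructed key setup: the issuer keeps p, q (and hence phi); n and v are public.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
V = 4

def accumulate(v, primes, n):
    """Accumulator value z = v^(prod e_i) mod n over the accumulated primes."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z

def witness(v, primes, j, n):
    """Witness for e_j: x = v^(prod of all e_i with i != j) mod n, so z = x^e_j."""
    return accumulate(v, [e for i, e in enumerate(primes) if i != j], n)

def verify(z, x, e, n):
    """Verifier's check: e is accumulated iff z == x^e mod n."""
    return pow(x, e, n) == z

def add_without_trapdoor(z, witnesses, e_new, n):
    """Join without knowing phi: z' = z^e_new and every old witness x' = x^e_new.
    The new member's witness for e_new is the old accumulator value z itself."""
    return pow(z, e_new, n), [pow(x, e_new, n) for x in witnesses], z

def add_with_trapdoor(z, e_new, phi, n):
    """Improved join (issuer knows the factorization): z stays unchanged and the
    new member gets x = z^(1/e_new) mod n; nobody else has to update anything."""
    return pow(z, pow(e_new, -1, phi), n)

def revoke(z, e_rev, phi, n):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n (needs the trapdoor phi)."""
    return pow(z, pow(e_rev, -1, phi), n)

def update_witness(x, e_own, z_new, e_rev, n):
    """User-side update after someone else's revocation, without the trapdoor:
    with a*e_own + b*e_rev = 1, x' = x^b * z'^a satisfies x'^e_own = z'."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated values must be distinct primes")
    return (pow(x, b, n) * pow(z_new, a, n)) % n

def demo():
    """Walks through the whole life cycle; returns the checks as a dict of booleans."""
    primes = [101, 103, 107, 109]                  # constructed credential primes e_i
    z = accumulate(V, primes, N)
    wits = [witness(V, primes, j, N) for j in range(len(primes))]
    out = {"fresh_witnesses_verify": all(verify(z, x, e, N) for x, e in zip(wits, primes))}
    # A prime that was never accumulated cannot be shown with someone else's witness
    out["foreign_prime_rejected"] = not verify(z, wits[0], 113, N)
    # Join of e = 113 without the trapdoor: everyone's witness changes
    z, wits, x_new = add_without_trapdoor(z, wits, 113, N)
    primes.append(113)
    wits.append(x_new)
    out["after_join_all_verify"] = all(verify(z, x, e, N) for x, e in zip(wits, primes))
    # Revoke e = 103: issuer publishes z', the others update, the revoked witness dies
    z_new = revoke(z, 103, PHI, N)
    out["revoked_accumulator_matches_recompute"] = z_new == accumulate(V, [101, 107, 109, 113], N)
    out["revoked_witness_rejected"] = not verify(z_new, wits[1], 103, N)
    remaining = [(update_witness(x, e, z_new, 103, N), e) for x, e in zip(wits, primes) if e != 103]
    out["updated_witnesses_verify"] = all(verify(z_new, x, e, N) for x, e in remaining)
    # Join of e = 127 with the trapdoor: z' is unchanged, old witnesses stay valid
    x_127 = add_with_trapdoor(z_new, 127, PHI, N)
    out["trapdoor_join_verifies"] = verify(z_new, x_127, 127, N) and all(
        verify(z_new, x, e, N) for x, e in remaining)
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```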
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– User: sends $U = a_1^{m_1} a_2^{m_2} b^{s}$
– Issuer: chooses $e, s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$; returns $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$:
– choose $e_i, s_i''$ and compute $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
– the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy-protecting authentication with IBM Identity Mixer
[Figure: like PKI, but better. Issuing a credential: Alice obtains a credential with Name = Alice Doe, Birth date = April 3, 1997]
[Figure: Alice to the Movie Streaming Service: "I wish to see Alice in Wonderland". Service: "You need a subscription and to be older than 12"]
[Figure: Alice presents a token showing a valid subscription and an eID with age ≥ 12. Like PKI, but the credential itself is not sent, only a minimal disclosure; the service checks it against the public verification key of the issuer]
[Figure: Service: "Aha, you are older than 12 and have a subscription"]
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability, and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP) that can open the inspectable part of a presentation token]
• If the car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Concept – Revocation
[Figure: revocation authority parameters (public key); revocation info]
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions:
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
  • Limited validity – certificates need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
Degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation – anonymous until:
  • Alice used her certificates > 100 times in total
  • or > 10,000 times with Bob
Alice's certificate can be bound to a hardware token (e.g., TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
– Anonymous access to patients' records
  • accessing medical test results
– Anonymous consultations with specialists
  • online chat with a psychologist
  • online consultation with IBM Watson
– Eligibility for premium health insurance
  • proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height, or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants: location, citizenship
– Rating and feedback platforms
  • anonymous feedback for a course, only from the students who attended it
  • wikis
  • recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on both the user and the verifier side. Application layer: resource request; AC & app logic. Policy layer: the user's wallet (policy/credential matcher, credential manager, store, evidence generation orchestration) answers the verifier's presentation policy with a presentation token; the verifier side has a policy/token matcher, token manager, store, and evidence verification orchestration. Crypto layer: Sig, Enc, Com, ZKP on both sides]
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer (issuer parameter) issues a credential according to a credential specification; the user holds the credential and a pseudonym and answers the verifier's presentation policy (verifier parameter) with a presentation token proving "12 < age"]
The Policy Layer – An Example Presentation Policy
[Figure: the verifier sends the presentation policy to the user; the user answers with a presentation token]

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently
zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge
[Figure: three-move protocol: commitment, challenge, response]
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$. The prover wants to convince the verifier that she knows $x$ s.t. $y = g^{x}$, such that the verifier only learns $y$ and $g$.
Prover: choose random $r$, compute $t = g^{r}$, and send $t$
Verifier: choose random $c$ and send $c$
Prover: compute $s = r - cx$ and send $s$
Verifier: check $t = g^{s} y^{c}$
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
[Figure: run the prover twice from the same $t$, once with challenge $c$ (response $s$) and once with challenge $c'$ (response $s'$)]
$t = g^{s} y^{c} = g^{s'} y^{c'} \ \Rightarrow\ y^{c - c'} = g^{s' - s} \ \Rightarrow\ y = g^{(s' - s)/(c - c')} \ \Rightarrow\ x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees":
– choose random $c', s'$ and compute $t = g^{s'} y^{c'}$; send $t$
– receive $c$; if $c = c'$ send $s = s'$, otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
Verifier: choose random $c_v$, compute $h = H(c_v)$, and send $h$
Prover: choose random $r$, compute $t = g^{r}$, and send $t$
Verifier: send $c_v$
Prover: check $h = H(c_v)$, compute $s = r - c_v x$, and send $s$
Verifier: check $t = g^{s} y^{c_v}$
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$ (simulation):
– receive $h$; choose random $c', s'$ and compute $t = g^{s'} y^{c'}$; send $t$
– after having received $c_v$, "reboot" the verifier (it sends the same $h$ and is thus committed to the same $c_v$)
– choose random $s$ and compute $t = g^{s} y^{c_v}$; send $t$
– receive $c_v$ again and send $s$
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^{s} y^{c} \| m)$  ↔  $t = g^{s} y^{c}$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha):\ y = g^{\alpha}\}(m)$
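As an added example (not the slides' own code): the Schnorr protocol $PK\{(\alpha): y = g^{\alpha}\}$, the rewinding extractor from the black-box thought experiment, the simulator, and the Fiat-Shamir signature $SPK\{(\alpha): y = g^{\alpha}\}(m)$, all in a constructed toy group of prime order q = 1019.

```python
import hashlib
import secrets

# Constructed toy group <g> of prime order q inside Z_p^*, p = 2q + 1 (a safe prime).
# q is tiny for readability; a real system uses a 256-bit q (guessing the challenge
# succeeds with probability 1/q).
P, Q, G = 2039, 1019, 4

def keygen():
    """Secret x and public y = g^x; the prover will show knowledge of x."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

# --- the interactive protocol PK{(alpha): y = g^alpha} ---------------------------

def prover_commit():
    """Move 1: prover picks r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def verifier_challenge():
    """Move 2: verifier picks a random challenge c."""
    return secrets.randbelow(Q)

def prover_respond(r, c, x):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q

def verifier_check(y, t, c, s):
    """Accept iff t == g^s * y^c (mod p)."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P

def run_protocol(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(r, c, x)
    return verifier_check(y, t, c, s)

# --- soundness: the extractor from the slides' thought experiment -------------------

def extract(c1, s1, c2, s2):
    """Two accepting transcripts with the same t give x = (s2 - s1)/(c1 - c2) mod q."""
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q

def rewind_and_extract(x, y):
    """Treat the prover as a black box: reset it to the same r, feed two challenges."""
    r, t = prover_commit()
    c1 = verifier_challenge()
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q     # any challenge different from c1
    s1, s2 = prover_respond(r, c1, x), prover_respond(r, c2, x)
    assert verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)
    return extract(c1, s1, c2, s2)

# --- zero-knowledge: simulate an accepting transcript without knowing x -------------

def simulate(y):
    """Pick c and s first, then set t = g^s * y^c; the transcript is distributed like
    a real one but was produced without x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s

# --- from protocol to signature: SPK{(alpha): y = g^alpha}(m) -----------------------

def hash_challenge(t, m):
    """c = H(t || m) mod q; H plays the role of the random oracle."""
    digest = hashlib.sha256(t.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q

def spk_sign(x, m):
    r, t = prover_commit()
    c = hash_challenge(t, m)
    return c, prover_respond(r, c, x)

def spk_verify(y, m, c, s):
    """Recompute t = g^s * y^c and check that it hashes to the given c."""
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == hash_challenge(t, m)

if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", run_protocol(x, y))
    print("extracted secret equals x:", rewind_and_extract(x, y) == x)
    print("simulated transcript accepted:", verifier_check(y, *simulate(y)))
    c, s = spk_sign(x, b"vote for option 3")
    print("signature verifies:", spk_verify(y, b"vote for option 3", c, s))
```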
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta):\ y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta):\ y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha):\ y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta):\ y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha):\ y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha):\ y = g^{\alpha} \wedge z = \mathfrak{g}^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\mathfrak{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \dots, \beta_3):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \dots, \beta_3):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and $C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \beta_2):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential system is built from a signature scheme, a commitment scheme, and zero-knowledge proofs]
signature schemes
Signature Scheme Functionality
[Figure: Key Generation: the signer generates a secret key and a public key]
[Figure: Signing: on messages $(m_1, \dots, m_k)$ the signer computes $\sigma = sig((m_1, \dots, m_k), \text{secret key})$]
[Figure: Verification: with the public key anyone checks $ver(\sigma, (m_1, \dots, m_k), \text{public key}) = true$]
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack
[Figure: the adversary adaptively asks the signer for signatures $\sigma_1, \dots, \sigma_l$ on messages $m_1, \dots, m_l$ of its choice and must then output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, \text{public key}) = true$]
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes $p$ and $q$
Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$
Want to do a proof of knowledge of a signature on a message, e.g.
$PK\{(m, s):\ s^{e} = H(m) \pmod n\}$
But this is not a valid proof expression :-( (the hash function $H$ is not an algebraic relation among exponents, which is what these proof protocols handle)
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
– signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe:
– Let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential system is built from a signature scheme, a commitment scheme, and zero-knowledge proofs]
commitment scheme
Commitment Scheme Functionality
[Figure: the committer puts a message $m$ (shown as 2-36-17) into a sealed commitment and hands it over; when she later opens it, the receiver sees the same $m$]
Commitment Scheme Security
[Figure: Binding: a commitment to $m$ (2-36-17) cannot later be opened to a different $m'$ (3-21-11)]
[Figure: Hiding: for all messages $m, m'$ the commitments look the same; the receiver learns nothing about the committed value until it is opened]
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen: perfectly hiding, computationally binding; choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal: computationally hiding, perfectly binding; choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
Perfectly hiding:
– Let $c$ be a commitment and $u = \log_g h$
– Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur') + u(r - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$
– I.e., given $c$ and any $x'$, there exists $r'$ such that $c = g^{x'} h^{r'}$
Computationally binding:
– Let $c$, $(x, r)$, and $(x', r')$ s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$
– Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$
Commitment Scheme Extended Features
[Figure: Proof of knowledge of contents: the committer proves knowledge of the $m$ inside her commitment and the verifier outputs "true". Proof of relations among contents: holding commitments to $m$ and $m'$, the committer proves $m' = 2 \cdot m$ and the verifier outputs "true"]
Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta):\ C = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma):\ C = g^{\beta} h^{\alpha} \wedge C' = (g^{2})^{\beta} h^{\gamma}\}$
putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials
[Figure: like PKI, but better. Issuing a credential: Alice obtains a credential with Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the signer sees commitments to $m_1, \dots, m_j$ and the clear messages $(m_{j+1}, \dots, m_k)$ and outputs $\sigma = sig((\text{hidden } m_1, \dots, m_j,\ m_{j+1}, \dots, m_k), \text{secret key})$; the user ends up with $\sigma$ such that $ver(\sigma, (m_1, \dots, m_k), \text{public key}) = true$]
Verification remains unchanged
Security requirements basically the same as for signatures, but
• the signer should not learn any information about $m_1, \dots, m_j$
• forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
[Figure: issuer public key $n, a_i, b, d$; the user sends $C$ and her name, the issuer returns $(c, e, s'')$]
– User: computes $C = a_1^{sk} b^{s}$, sends $C$ and $name$, and proves $PK\{(\mu_1, \sigma):\ C = a_1^{\mu_1} b^{\sigma}\}$
– Issuer: chooses $e, s''$, computes $c = (d / (C a_2^{name} b^{s''}))^{1/e} \bmod n$, and returns $(c, e, s'')$
– User: obtains a signature with $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s} \pmod n$
Realizing Issuance of Credential
Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
– User: computes $C = a_1^{sk} a_2^{r} b^{s}$, sends $C$, $Nym$, and $name$, and proves $PK\{(\mu_1, \rho, \sigma):\ Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
– Issuer: computes $c = (d / (C a_3^{name} b^{s''}))^{1/e} \bmod n$, returns $(c, e, s'')$, and stores $Nym, name$
– User: obtains a signature with $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s} \pmod n$
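An added example, not code from the slides or from Identity Mixer: a toy CL-signature with signing, verification, the randomization $c' = c\, b^{t}$, $s' = s - et$ from the slide on proving knowledge of a signature, and the issuance on a committed secret key from the slides above. The modulus, generators, message length and primes are constructed; the user's PK that accompanies the commitment is omitted.

```python
import secrets

# Toy CL-signature over QR_n with constructed parameters (a real deployment needs a
# 2048-bit n, random generators and l around 256 bits). The issuer holds p and q.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
L = 10                                  # messages are l-bit: m_i in [0, 2^l)
A = [9, 25, 49]                         # a_1, a_2, a_3 (squares, hence in QR_n)
B, D = 121, 169                         # b and d (squares as well)
E_POOL = [2053, 2063, 2069, 2081]       # primes with 2^(l+1) < e < 2^(l+2)

def _base(messages, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n, the part the signer divides out of d."""
    acc = pow(B, s, N)
    for a_i, m_i in zip(A, messages):
        acc = acc * pow(a_i, m_i, N) % N
    return acc

def cl_sign(messages, e):
    """Signer: pick s about the size of n, compute c = (d / (prod a_i^m_i * b^s))^(1/e)."""
    if not all(0 <= m < 2**L for m in messages):
        raise ValueError("message out of range")
    s = secrets.randbelow(N)
    c = pow(D * pow(_base(messages, s), -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s

def cl_verify(messages, sig):
    """Verifier: d == c^e * prod a_i^m_i * b^s (mod n), plus the range checks on m_i and e."""
    c, e, s = sig
    if e <= 2**(L + 1) or e >= 2**(L + 2) or not all(0 <= m < 2**L for m in messages):
        return False
    return pow(c, e, N) * _base(messages, s) % N == D

def randomize(sig):
    """c' = c*b^t, s' = s - e*t is a fresh-looking signature on the same messages, so
    c' can be revealed in every presentation without linking them."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t

# --- issuance on a hidden message (Realizing Issuance of Credential) ----------------

def user_commit(sk):
    """User hides sk in C = a_1^sk * b^s and keeps s. The slides accompany C with
    PK{(mu_1, sigma): C = a_1^mu_1 * b^sigma}, which this toy leaves out."""
    s = secrets.randbelow(N)
    return pow(A[0], sk, N) * pow(B, s, N) % N, s

def issuer_sign_hidden(C, clear_messages, e):
    """Issuer signs without seeing sk: c = (d / (C * a_2^m_2 * ... * b^s''))^(1/e)."""
    s2 = secrets.randbelow(N)
    rest = pow(B, s2, N)
    for a_i, m_i in zip(A[1:], clear_messages):
        rest = rest * pow(a_i, m_i, N) % N
    c = pow(D * pow(C * rest % N, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2

def user_finish(partial_sig, s_user):
    """User adds her own s to the issuer's s'': (c, e, s'' + s) signs (sk, m_2, ...)."""
    c, e, s2 = partial_sig
    return c, e, s2 + s_user

def demo():
    out = {}
    msgs = [777, 42]                                  # constructed l-bit attributes
    sig = cl_sign(msgs, E_POOL[0])
    out["plain_signature_verifies"] = cl_verify(msgs, sig)
    out["changed_message_rejected"] = not cl_verify([778, 42], sig)
    out["randomized_signature_verifies"] = cl_verify(msgs, randomize(sig))
    sk, name = 513, 200                               # hidden key and clear attribute
    C, s_user = user_commit(sk)
    partial = issuer_sign_hidden(C, [name], E_POOL[1])
    out["partial_signature_alone_rejected"] = not cl_verify([sk, name], partial)
    out["hidden_message_signature_verifies"] = cl_verify([sk, name], user_finish(partial, s_user))
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```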
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e., $(c, e, s)$ with
  $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
– The credential can contain attributes (e.g., the course ID) about her
[Figure: the issuer's public key $(n, a_1, a_2, b, d)$]
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
   – $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP) publishes inspector parameters; the presentation policy states the inspection grounds]
• If the car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
[Figure: Key Generation, Encryption, Decryption]
Security: like envelopes
[Figure: the ciphertext gives no information about the message, not even which of two candidate messages was encrypted]
This is called semantic security (secure if used once only or within a careful construction)
Verifiable Encryption with Label
[Figure: the user encrypts a certified value under the inspector's key together with a label and proves to the verifier that the ciphertext indeed contains that value]
The label is important to bind context to an encryption. E.g., it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithms):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \dots, q\}$; public key: $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \dots, q\}$
– compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– We know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
– Thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
[Figure: the user holds $Nym = g^{sk} h^{r}$ and a credential with $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s} \pmod n$; the inspector's public key is $y = g^{x}$]
Encrypt $Nym$: random $u \in \{1, \dots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$
Compute proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
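An added example (not the slides' own code) that serves the example-proof slides, the relation proof $PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^{2})^{\beta} h^{\gamma}\}$ from Commitment Scheme Extended Features, and the encrypted pseudonym of this slide: one Fiat-Shamir prover/verifier for knowledge of exponents across several equations, in a constructed toy group. The CL-signature part of the inspection proof is left out, and the equation notation and helper names are this example's own.

```python
import hashlib
import secrets

# Constructed toy group: <g> = <h> of prime order q in Z_p^*, p = 2q + 1. Nobody is
# supposed to know log_g h. q is tiny for readability; real systems use ~256 bits.
P, Q, G, H = 2039, 1019, 4, 9

def mul(a, b):
    return a * b % P

def inv(a):
    return pow(a, -1, P)

# A statement is a list of equations; each equation is (Y, [(base, name), ...]) and
# claims Y = prod base^secret[name]. Shared names across equations express relations.

def challenge(equations, ts, transcript):
    """c = H(statement || commitments || context) mod q."""
    h = hashlib.sha256(transcript)
    for (y, terms), t in zip(equations, ts):
        h.update(b"|%d|%d|" % (y, t))
        for base, name in terms:
            h.update(b"%d:%s," % (base, name.encode()))
    return int.from_bytes(h.digest(), "big") % Q

def prove(equations, witness, transcript=b""):
    """Sigma protocol made non-interactive: t_j = prod base^r_name for every equation,
    c = H(...), s_name = r_name - c*x_name mod q."""
    r = {name: secrets.randbelow(Q) for name in witness}
    ts = []
    for _, terms in equations:
        t = 1
        for base, name in terms:
            t = mul(t, pow(base, r[name], P))
        ts.append(t)
    c = challenge(equations, ts, transcript)
    return c, {name: (r[name] - c * x) % Q for name, x in witness.items()}

def verify(equations, proof, transcript=b""):
    """Recompute t_j = Y_j^c * prod base^s_name and check c == H(...)."""
    c, s = proof
    ts = []
    for y, terms in equations:
        t = pow(y, c, P)
        for base, name in terms:
            if name not in s:
                return False
            t = mul(t, pow(base, s[name], P))
        ts.append(t)
    return c == challenge(equations, ts, transcript)

# --- use 1: Commitment Scheme Extended Features, prove m' = 2*m for two commitments ---

def commit(m, r):
    """Pedersen commitment C = g^m h^r."""
    return mul(pow(G, m, P), pow(H, r, P))

def prove_double(m, r, r2):
    """Prover holds C = g^m h^r and C' = g^(2m) h^r2 and shows the relation
    PK{(alpha, beta, gamma): C = g^beta h^alpha ^ C' = (g^2)^beta h^gamma}."""
    C, C2 = commit(m, r), commit(2 * m % Q, r2)
    eqs = [(C, [(G, "beta"), (H, "alpha")]), (C2, [(pow(G, 2, P), "beta"), (H, "gamma")])]
    return eqs, prove(eqs, {"alpha": r, "beta": m, "gamma": r2})

# --- use 2: Realizing Inspection, ElGamal-encrypt Nym = g^sk h^r under y = g^x --------

def inspector_keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def encrypt_nym_with_proof(sk, r, y):
    """User: Nym = g^sk h^r, enc = (y^u Nym, g^u) and
    PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2 ^ e2 = g^rho}."""
    nym = commit(sk, r)
    u = secrets.randbelow(Q)
    e1, e2 = mul(pow(y, u, P), nym), pow(G, u, P)
    eqs = [(e1, [(y, "rho"), (G, "mu1"), (H, "mu2")]), (e2, [(G, "rho")])]
    return nym, (e1, e2), eqs, prove(eqs, {"rho": u, "mu1": sk, "mu2": r})

def inspect(x, enc):
    """Inspector: Nym = e1 * e2^-x."""
    e1, e2 = enc
    return mul(e1, inv(pow(e2, x, P)))

def demo():
    out = {}
    eqs, proof = prove_double(m=123, r=77, r2=555)
    out["relation_proof_verifies"] = verify(eqs, proof)
    x, y = inspector_keygen()
    nym, enc, eqs2, proof2 = encrypt_nym_with_proof(sk=321, r=99, y=y)
    out["encryption_proof_verifies"] = verify(eqs2, proof2)
    out["inspector_recovers_nym"] = inspect(x, enc) == nym
    out["proof_for_other_statement_rejected"] = not verify(eqs, proof2)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```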
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
Various reasons to revoke a credential: the user lost the credential secret key; misbehavior of the user
Alice should be able to convince the verifier that her credential is among the good ones
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \dots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \dots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e., linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is not on the list:
– Choose random $h$ and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– Verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list (if so, the credential is revoked)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
– Can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
– One way out: $h = H(verifier, date)$, so the user can check correctness
– The date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
Revocable Credentials: Second Solution
… better implementation of proof
[Figure: revocation list 1, 4, 5; the issuer signs the intervals between revoked values: Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N); a credential with serial number 3 is shown to lie inside a signed interval]
– Issuer signs the intervals between revoked values → revocation list 1, 4, 5
– Alice proves that her credential contains $u$ with $i < u < j$ and that she holds $Sig(i, j)$
– Verifier does not learn $i, j$
– $Sig(i, j)$ can be realised also with the credential signature scheme, using a different public key
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find (x, e) with z = x^e mod n for an e that is not contained in the accumulator
– for fixed e: equivalent to the RSA assumption
– for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets the witness x together with her certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your value e (from your certificate) is in the accumulator:
– Commit to the witness x:
  • choose random s and g, and
  • compute U_1 = x h^s, U_2 = g^s and reveal U_1, U_2, g
– Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed:
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof indeed shows that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
  b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ·μ} = (U_1/h^δ)^μ (mod n), i.e. U_1/h^δ is a witness for μ
  c) d = c^ε a_1^ρ a_2^μ b^σ (mod n), i.e. the same μ is the e signed in the certificate
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
– Witness update:
  • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  • now x' = x^b z'^a mod n
  • why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · (1/e_rev)} mod n
      = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
      = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
      = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
      = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of n
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and give the new user the witness x = z^{1/e_new} mod n
– Thus z need not be changed when a new member joins
– Witnesses need to be recomputed upon revocation only
No additional effort for the verifier; if the credential is valid → no need to check revocation updates from the issuer
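The accumulator slides above (setup, witness, membership check, dynamic add and revocation with the extended-Euclid witness update, and the improved variant where the issuer knows the factorization) as one added Python example. This is not code from the talk; the modulus is a toy product of two small safe primes (an assumption, so the numbers stay readable), and the zero-knowledge membership proof is not reproduced, only the plain check z = x^e mod n.

```python
# Added example (not the talk's code): RSA accumulator with dynamic
# add/revoke and the witness updates from the slides. Toy modulus
# (assumption): n = 1019 * 2039; a real deployment needs a large RSA
# modulus whose factorization only the issuer knows.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modpow(base, exp, n):
    """base^exp mod n, also for negative exp (base must be invertible mod n)."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)

class Accumulator:
    """Issuer side: z = v^(prod e_i) mod n over the accumulated primes e_i."""

    def __init__(self, p, q, v):
        self.n = p * q
        self.phi = (p - 1) * (q - 1)   # known to the issuer only
        self.v = v % self.n
        self.members = []
        self.z = self.v

    def accumulate(self, primes):
        self.members = list(primes)
        self.z = self.v
        for e in self.members:
            self.z = pow(self.z, e, self.n)
        return self.z

    def witness(self, e_j):
        """x = v^(product of all members except e_j), so that z = x^e_j mod n."""
        x = self.v
        for e in self.members:
            if e != e_j:
                x = pow(x, e, self.n)
        return x

    def verify(self, x, e):
        """Verifier side: membership holds iff z == x^e mod n."""
        return pow(x, e, self.n) == self.z

    def add(self, e_new):
        """Basic dynamic add: z' = z^e_new; every old witness must become x^e_new."""
        self.members.append(e_new)
        self.z = pow(self.z, e_new, self.n)
        return self.z

    def add_knowing_factorization(self, e_new):
        """Improved add: keep z, set v' = v^(1/e_new), hand out x = z^(1/e_new)."""
        inv = pow(e_new, -1, self.phi)
        self.v = pow(self.v, inv, self.n)
        self.members.append(e_new)
        return pow(self.z, inv, self.n)

    def revoke(self, e_rev):
        """Remove e_rev: z' = z^(1/e_rev) mod n (needs phi(n))."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, self.phi), self.n)
        return self.z

def update_witness_after_add(x, e_new, n):
    """Holder side after a basic add: x' = x^e_new mod n."""
    return pow(x, e_new, n)

def update_witness_after_revoke(x, e_own, e_rev, z_new, n):
    """Holder side after a revocation: a*e_own + b*e_rev = 1, x' = x^b * z'^a mod n."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be coprime")
    return modpow(x, b, n) * modpow(z_new, a, n) % n
```

The holder never needs phi(n): after an addition she raises her witness to e_new, after a revocation she combines her old witness with the new accumulator value using the Bezout coefficients, exactly as derived on the slide. Only the improved join (v' = v^{1/e_new}) and revocation itself use the factorization, which is why they sit on the issuer side.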
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
Re-issue certificates (off-line: interaction might be too expensive)
Recall issuing for Identity Mixer:
– user sends U = a_1^{m_1} a_2^{m_2} b^{s'} to the issuer
– issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n
– issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line: interaction might be too expensive)
– Idea: just repeat the last step for each new validity period time_i: the issuer chooses e_i, s_i'' and computes c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
– Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
– Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
– Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185-215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology - CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84-88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO '84.
Privacy-protecting authentication with Privacy ABCs (IBM Identity Mixer)
[Figure: Alice and a Movie Streaming Service]
– Alice: "I wish to see Alice in Wonderland"
– Service: "You need a subscription and to be older than 12"
– Alice presents a proof derived from her credentials: a valid subscription and an eID with age ≥ 12; the service checks it with the public verification key of the issuer
– Service: "Aha, you are older than 12 and have a subscription"
Like PKI, but Alice does not send the credential itself, only a minimal disclosure
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept: Inspection
[Figure: Alice, a verifier and an off-line trusted third party (TTP)]
• If the car is damaged, Alice's ID needs to be retrievable by the insurance or the government
• Similarly, any certified attribute can be verifiably encrypted (optional)
• The TTP is off-line and can be distributed to lessen trust
Concept: Revocation
[Figure: a revocation authority publishes its parameters (public key) and the revocation info]
• If Alice was speeding, her licence needs to be revoked
• There are many different use cases and many solutions:
  • variants of CRLs work (using crypto to maintain anonymity)
  • accumulators
  • signing entries & proofs
  • limited validity: certs need to be updated
• For proving age, a revoked driver's license still works
Concept: Usage Limitation
– The degree of anonymity can be limited
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation: anonymous until
  • Alice used her certs > 100 times in total
  • or > 10,000 times with Bob
– Alice's cert can be bound to a hardware token (e.g. a TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation
Healthcare
– Anonymous access to patients' records
  • accessing medical test results
– Anonymous consultations with specialists
  • online chat with a psychologist
  • online consultation with IBM Watson
– Eligibility for premium health insurance
  • proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/journals/magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
– Online polls: applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms
  • anonymous feedback for a course, only from the students who attended it
  • wikis
  • recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on the user (wallet) side and on the verifier side]
– application layer: resource request on the user side; AC & app logic on the verifier side
– policy layer: the user side has a policy/credential matcher, a credential manager with its store, and evidence generation orchestration; the verifier side has a policy/token matcher, a token manager with its store, and evidence verification orchestration; the two sides exchange presentation policy and presentation token
– crypto layer (both sides): Sig, Enc, Com, ZKP, with a key store
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer (issuer parameters, credential specification) issues a credential to the user; the user derives a pseudonym and a presentation token proving e.g. 12 < age; the verifier publishes its presentation policy and verifier parameters]
The Policy Layer: An Example Presentation Policy (the verifier sends the presentation policy, the user answers with a presentation token)

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So lets look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently
zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge
[Figure: three flows, commitment → challenge → response]
Properties
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩.
The prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.
Prover (knows x, y = g^x)                        Verifier
  choose random r, compute t = g^r   ---- t ---->
                                     <--- c -----  choose random c
  compute s = r - c·x                ---- s ---->  check t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
[Figure: the prover is run twice from the same state, giving transcripts (t, c, s) and (t, c', s') with the same t]
t = g^s y^c = g^{s'} y^{c'} → y^{c-c'} = g^{s'-s}
→ y = g^{(s'-s)/(c-c')}
→ x = (s'-s)/(c-c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
[Figure: a simulated transcript (t, c, s), produced without x]
– choose random c', s' and compute t = g^{s'} y^{c'}
– send t; if the verifier's challenge is c = c', send s = s', otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge
Prover (knows x, y = g^x)                        Verifier
                                     <--- h -----  choose random c_v, compute h = H(c_v)
  choose random r, compute t = g^r   ---- t ---->
                                     <--- c_v ---
  check h = H(c_v), s = r - c_v·x    ---- s ---->  check t = g^s y^{c_v}
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c: simulation for the modified protocol
[Figure: the simulator interacting with the verifier, which sends h first and c_v later]
– receive h; choose random c, s and compute t = g^s y^c; send t
– after having received c_v, "reboot" the verifier (rewind it to the point after it sent h)
– choose random s' and compute t' = g^{s'} y^{c_v}; send t'
– the verifier opens the same c_v again (h is fixed); send s'
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
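The Schnorr protocol, the rewinding extractor, the simulator and the Fiat-Shamir signature SPK{(α): y = g^α}(m) from the slides above, as one added Python example (not code from the talk). The group is a toy one, an assumption made for readability: p = 2q+1 with q = 1019, and g = 4 generates the subgroup of order q; SHA-256 reduced mod q plays the role of the random oracle H.

```python
# Added example (not the talk's code): Schnorr's proof of knowledge of a
# discrete logarithm, the black-box extractor, the zero-knowledge simulator
# and the Fiat-Shamir signature SPK{(alpha): y = g^alpha}(m).
# Toy group (assumption): p = 2q+1, q = 1019 prime, g = 4 of order q.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4

class Prover:
    """Knows x with y = g^x; keeps the nonce r between commit and respond."""
    def __init__(self, x):
        self.x = x % Q
        self.y = pow(G, self.x, P)
        self.r = None

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)                 # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q         # s = r - c*x

def verify(y, t, c, s):
    """Verifier's check t == g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P

def run_protocol(prover, c=None):
    """One honest run; returns the transcript (t, c, s)."""
    t = prover.commit()
    if c is None:
        c = secrets.randbelow(Q)
    return t, c, prover.respond(c)

def extract(prover):
    """Extractor: reuse the same t (rewind the prover) with two challenges,
    then x = (s' - s) / (c - c') mod q."""
    prover.commit()                              # fixes r, hence t
    c1 = secrets.randbelow(Q)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q  # distinct from c1
    s1 = prover.respond(c1)
    s2 = prover.respond(c2)                      # same r: prover was rewound
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q

def simulate(y):
    """Zero-knowledge: a verifying transcript made without x
    (pick c and s first, then t = g^s y^c)."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s

def hash_challenge(t, message):
    """Random-oracle stand-in: c = H(t || m) reduced mod q."""
    digest = hashlib.sha256(f"{t}|{message}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def sign(x, message):
    """SPK{(alpha): y = g^alpha}(m): c = H(t || m), s = r - c*x."""
    prover = Prover(x)
    t = prover.commit()
    c = hash_challenge(t, message)
    return c, prover.respond(c)

def verify_signature(y, message, signature):
    c, s = signature
    t = pow(G, s, P) * pow(y, c, P) % P          # recompute t = g^s y^c
    return hash_challenge(t, message) == c
```

`extract` is the thought experiment of the slide made concrete: the prover object is the black box, and calling `respond` twice without a new `commit` is the reset-and-rerun that yields two transcripts with the same t. `simulate` shows why a single run leaks nothing, since anyone holding only y can produce a transcript that `verify` accepts.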
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} g^{α_2} h^{β_3}} mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = g^{α_1} g^{α_2} h^{β_3} = g^{α_1 + α_2} h^{β_3} = g^{α_3} h^{β_3}
→ α_3 = α_1 + α_2 (mod q)
And what about PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3}}?
→ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3} = g^{α_1 + 5·α_2} h^{β_3}
→ α_3 = α_1 + 5·α_2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = C_2^{α_1} h^{β_3}} mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = C_2^{α_1} h^{β_3} = (g^{α_2} h^{β_2})^{α_1} h^{β_3} = g^{α_2·α_1} h^{β_3 + β_2·α_1}
  C_3 = g^{α_2·α_1} h^{β_3 + β_2·α_1} = g^{α_3} h^{β_3}
→ α_3 = α_1 · α_2 (mod q)
And what about PK{(α_1, β_1, α_2, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_2 = C_1^{α_1} h^{β_2}}?
→ α_2 = α_1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ g = (C_2/C_1)^{α_1} h^{β_2}} mean?
→ The prover knows values α_1, β_1, β_2 such that
  C_1 = g^{α_1} h^{β_1}
  g = (C_2/C_1)^{α_1} h^{β_2} = (C_2 g^{-α_1} h^{-β_1})^{α_1} h^{β_2}
→ g^{1/α_1} = C_2 g^{-α_1} h^{-β_1} h^{β_2/α_1}
→ C_2 = g^{α_1} h^{β_1} h^{-β_2/α_1} g^{1/α_1} = g^{α_1 + 1/α_1} h^{β_1 - β_2/α_1}
  so writing C_2 = g^{α_2} h^{β_2'}:
→ α_2 = α_1 + α_1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs]
signature schemes
Signature Scheme: Functionality
– Key generation: the signer generates a signing key sk and a public verification key pk
– Signing: σ = sig((m_1, …, m_k), sk)
– Verification: ver(σ, (m_1, …, m_k), pk) = true
Signature Scheme: Security
Unforgeability under adaptive chosen message attack:
– the adversary adaptively asks for signatures σ_1, …, σ_l on messages m_1, …, m_l of its choice
– it wins if it outputs σ and m ≠ m_i s.t. ver(σ, m, pk) = true
RSA Signature Scheme (for reference)
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = p·q, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*:
– d = 1/e mod (p-1)(q-1)
– s = H(m)^d mod n
Verification of a signature s on a message m ∈ {0,1}*:
– s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme (for reference)
Verification of a signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m_1, …, m_k ∈ {0,1}^ℓ:
– choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and a random integer s ≈ n
– compute c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n
– the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m_1, …, m_k:
– m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}
– d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a_1^{m_1} a_2^{m_2} b^s mod n
Observe:
– Let c' = c b^t mod n with randomly chosen t
– Then d = c'^e a_1^{m_1} a_2^{m_2} b^{s - e·t} (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m_1 and m_2
To prove knowledge of a signature (c', e, s') on m_2 and some m_1, provide c' and
PK{(ε, μ_1, σ): d / a_2^{m_2} = c'^ε a_1^{μ_1} b^σ ∧ μ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a_1^{μ_1} a_2^{m_2} b^σ
commitment scheme
Commitment Scheme: Functionality
[Figure: the committer puts a message m (e.g. the date 2-36-17) into a sealed envelope and hands it over; later she opens it and the recipient sees m]
Commitment Scheme: Security
– Binding: the committer cannot later open the envelope to a different message m' ≠ m (e.g. 3-21-11 instead of 2-36-17)
– Hiding: for all messages m, m', the sealed envelopes containing m and m' look the same to the recipient
Commitment Schemes
Group G = ⟨g⟩ = ⟨h⟩ of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
– Let c be a commitment and u = log_g h
– Thus c = g^x h^r = g^{x+ur} = g^{(x+ur) + u(r'-r')} = g^{x+ur'} h^{r-r'} for any r'
– I.e. given c and any x', there exists an r' such that c = g^{x'} h^{r'}
Computationally binding:
– Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
– Then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q, i.e. a double opening reveals the discrete logarithm of h
Commitment Scheme: Extended Features
[Figure: proof of knowledge of contents (the prover shows she knows the m inside the sealed envelope) and proof of relations among contents (e.g. m' = 2·m for two sealed envelopes); the verifier outputs "true" without the envelopes being opened]
Let C = g^m h^r and C' = g^{m'} h^{r'}; then
– proof of knowledge of contents: PK{(α, β): C = g^β h^α}
– proof of relations among contents (m' = 2·m): PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
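The Pedersen scheme and its extended features, as one added Python example (not code from the talk): commit and open, the equivocation argument behind perfect hiding, the discrete-log extraction from a double opening behind binding, and the non-interactive proof that two commitments satisfy m' = 2m. The group is a toy one (an assumption): p = 2q+1, q = 1019, g = 4; the second base is set to h = g^u with a known u only so that the hiding argument can be exercised, whereas in use nobody may know log_g h.

```python
# Added example (not the talk's code): Pedersen commitments, the trapdoor
# equivocation from the hiding proof, trapdoor extraction from a double
# opening (binding), and SPK{(a, b, c): C = g^b h^a  and  C' = (g^2)^b h^c}.
# Toy group (assumption): p = 2q+1, q = 1019, g = 4; h = g^U with U known
# here only for demonstration.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4
U = 123                       # trapdoor u = log_g h (assumption; unknown in practice)
H = pow(G, U, P)

def commit(m, r=None):
    """Pedersen: c = g^m h^r with a fresh r unless one is supplied."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(G, m, P) * pow(H, r, P) % P, r

def open_check(c, m, r):
    return c == pow(G, m, P) * pow(H, r, P) % P

def equivocate(m, r, m_new, u):
    """Perfect hiding: with u = log_g h one finds r' so that c also opens to
    m_new, since c = g^(m + u r) and so r' = r + (m - m_new)/u."""
    return (r + (m - m_new) * pow(u, -1, Q)) % Q

def extract_trapdoor(m, r, m2, r2):
    """Binding: two openings of one c yield u = log_g h = (m - m2)/(r2 - r)."""
    return (m - m2) * pow(r2 - r, -1, Q) % Q

def challenge(*parts):
    """Fiat-Shamir challenge over the statement and the prover's first flow."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove_double(m, r, r2):
    """Prover: C = g^m h^r, C' = g^(2m) h^r2 and a proof that the g-exponent
    of C' is twice that of C; the shared response sb is what ties them."""
    C, _ = commit(m, r)
    C2, _ = commit(2 * m, r2)
    g2 = pow(G, 2, P)
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, rb, P) * pow(H, ra, P) % P
    t2 = pow(g2, rb, P) * pow(H, rg, P) % P
    c = challenge(C, C2, t1, t2)
    sb, sa, sg = (rb - c * m) % Q, (ra - c * r) % Q, (rg - c * r2) % Q
    return C, C2, (c, sb, sa, sg)

def verify_double(C, C2, proof):
    """Verifier: recompute t1 = g^sb h^sa C^c, t2 = (g^2)^sb h^sg C'^c."""
    c, sb, sa, sg = proof
    g2 = pow(G, 2, P)
    t1 = pow(G, sb, P) * pow(H, sa, P) * pow(C, c, P) % P
    t2 = pow(g2, sb, P) * pow(H, sg, P) * pow(C2, c, P) % P
    return challenge(C, C2, t1, t2) == c
```

The relation proof reuses the "many exponents" form of the earlier slides: one random value rb answers for the g-exponent in both equations, so a prover who passes must have used the same m in C and 2m in C' (as a quadratic residue base, g^2 raised to that exponent gives g^{2m}).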
putting things together
Realizing Pseudonyms and Key Binding
Let G = ⟨g⟩ = ⟨h⟩ of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
[Figure: issuing a credential to Alice with the attributes Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m_1, …, m_k:
– m_1, …, m_k ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the user commits to m_1, …, m_j and sends the commitment together with the clear messages m_{j+1}, …, m_k; the signer returns σ = sig((C(m_1, …, m_j), m_{j+1}, …, m_k), sk)]
Verification remains unchanged: ver(σ, (m_1, …, m_k), pk) = true
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about m_1, …, m_j
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
First version (credential on the secret key sk and a name):
– User → Issuer: C = a_1^{sk} b^{s'}, the attribute name, and the proof PK{(μ_1, σ): C = a_1^{μ_1} b^σ}
– Issuer chooses e, s'', computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n and sends (c, e, s'') to the user
– Resulting signature: d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n)
Want to sign w.r.t. Nym = g^{sk} h^r:
– User → Issuer: Nym, C = a_1^{sk} a_2^r b^{s'}, name, and the proof PK{(μ_1, ρ, σ): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^σ}
– Issuer stores (Nym, name), chooses e, s'', computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n and sends (c, e, s'')
– Resulting signature: d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
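One added Python example (not code from the talk or from Identity Mixer) serving both the CL-signature slides earlier (signing, verifying, and the randomisation c' = c b^t, s' = s - e·t used when proving knowledge of a signature) and the issuance on a commitment just described: the user sends C = a_1^{sk} b^{s'}, the issuer completes the signature without learning sk, and the user adds s' to obtain a credential that verifies on (sk, name). The modulus is a toy n = 1019·2039 and ℓ = 8 (both assumptions so the numbers stay small); real CL signatures need a large modulus with safe-prime factors, and the zero-knowledge proof that accompanies C is not reproduced.

```python
# Added example (not the talk's or Identity Mixer's code): toy CL signature
# with randomisation, plus issuance on a hidden message. Toy parameters
# (assumption): n = 1019 * 2039, message length L = 8 bits.
import secrets

L = 8                                   # ell: messages m_i < 2^L
P_, Q_ = 1019, 2039
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)               # issuer's secret
A = [pow(2, 2, N), pow(3, 2, N), pow(5, 2, N)]   # a_1, a_2, a_3 in QR_n
B = pow(7, 2, N)                                  # b in QR_n
D = pow(11, 2, N)                                 # d in QR_n

def modpow(base, exp, n):
    """base^exp mod n, also for negative exp (base invertible mod n)."""
    return pow(pow(base, -1, n), -exp, n) if exp < 0 else pow(base, exp, n)

def is_prime(k):
    if k < 2:
        return False
    return all(k % f for f in range(2, int(k ** 0.5) + 1))

def random_prime_e():
    """Random prime e with 2^(L+1) < e < 2^(L+2) and gcd(e, phi(n)) = 1."""
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)
        if is_prime(e) and PHI % e:
            return e

def product(msgs, s):
    """prod a_i^m_i * b^s mod n (s may be negative after randomisation)."""
    acc = modpow(B, s, N)
    for a_i, m in zip(A, msgs):
        acc = acc * pow(a_i, m, N) % N
    return acc

def sign(msgs):
    """Signature (c, e, s): c = (d / (prod a_i^m_i b^s))^(1/e) mod n, s ~ n."""
    e, s = random_prime_e(), secrets.randbelow(N)
    base = D * pow(product(msgs, s), -1, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s

def verify(sig, msgs):
    """d == c^e prod a_i^m_i b^s mod n, with m_i < 2^L and e > 2^(L+1)."""
    c, e, s = sig
    in_range = all(0 <= m < 2 ** L for m in msgs) and e > 2 ** (L + 1)
    return in_range and pow(c, e, N) * product(msgs, s) % N == D

def randomize(sig, t=None):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N) if t is None else t
    return c * pow(B, t, N) % N, e, s - e * t

def user_commit(sk):
    """User: hide sk as C = a_1^sk b^s' (sent with a ZK proof of sk in practice)."""
    s1 = secrets.randbelow(N)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1

def issue_on_commitment(C, name):
    """Issuer: c = (d / (C a_2^name b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e, s2 = random_prime_e(), secrets.randbelow(N)
    hidden = C * pow(A[1], name, N) * pow(B, s2, N) % N
    return pow(D * pow(hidden, -1, N) % N, pow(e, -1, PHI), N), e, s2

def complete_credential(partial, s1):
    """User: (c, e, s' + s'') satisfies d = c^e a_1^sk a_2^name b^(s' + s'')."""
    c, e, s2 = partial
    return c, e, s1 + s2
```

`randomize` is the observation on the "Proving Knowledge of a CL-signature" slide: because b^{s - e·t} cancels the b^{e·t} hidden in c'^e, the verifier accepts the new triple, and c' reveals nothing about c. In `issue_on_commitment` the issuer only ever sees C, so the secret key never leaves the user; the resulting credential is verified with the very same `verify` as a signature on clear messages.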
An Example Scenario
Polling Scenario and Requirements
Scenario:
– Pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation)
– A user can voice her opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling: Solution, Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
  under the issuer's public key (n, a_1, a_2, a_3, b, d)
– The credential can contain attributes (e.g. the course ID) about her
Polling: Solution, Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms her credential
3. User shows the transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling: Solution, Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms her credential:
   – c' = c b^{s'} mod n with randomly chosen s'
   – SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
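The domain pseudonym of the polling solution, as an added Python example (not code from the talk): H(pollID) is realised by hashing into the order-q subgroup, P = H(pollID)^{sk} is computed, and the pollster uses P to drop repeated submissions. The credential transformation and the SPK that ties P to the credential are not reproduced; the group is a toy one (an assumption): p = 2q+1, q = 1019.

```python
# Added example (not the talk's code): domain pseudonyms P = H(pollID)^sk
# with a hash-to-subgroup H, and the pollster's duplicate detection.
# Toy group (assumption): p = 2q+1, q = 1019.
import hashlib

P, Q = 2039, 1019

def hash_to_group(domain):
    """g_d = H(domain): hash into Z_p^*, then square so the result lies in the
    order-q subgroup (the quadratic residues); retry with a counter if it is 1,
    since g_d = 1 would give every user the same pseudonym."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{counter}".encode()).digest()
        x = int.from_bytes(digest, "big") % (P - 1) + 1      # in [1, p-1]
        g_d = pow(x, 2, P)
        if g_d != 1:
            return g_d
        counter += 1

def domain_pseudonym(sk, poll_id):
    """P = g_d^sk: the same within one poll, unlinkable across polls under DDH."""
    return pow(hash_to_group(poll_id), sk, P)

class Pollster:
    """Accepts one opinion per domain pseudonym; later attempts are dropped."""
    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        """Returns True if the opinion was recorded, False if it was a repeat."""
        if pseudonym in self.opinions:
            return False
        self.opinions[pseudonym] = opinion
        return True
```

Because the base g_d is derived from the poll identifier rather than chosen by the user, the pollster needs no registry of users to detect a second submission: two submissions from the same sk in the same poll necessarily carry the same P.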
Further Concepts
Concept: Inspection
[Figure: Alice, a verifier and an off-line trusted third party (TTP); the inspector parameters and the inspection grounds are part of the presentation policy]
• If the car is damaged, Alice's ID needs to be retrievable by the insurance or the government
• Similarly, any certified attribute can be verifiably encrypted (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption, decryption]
Security: like envelopes
– no information about the message is leaked
– the adversary cannot tell which of two messages an envelope contains
This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
A label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext
Verifiable Encryption
Of attributes (discrete logarithms):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = ⟨g⟩ of order q
Secret key: x ∈ {1, …, q}; public key: y = g^x
To encrypt a message m ∈ ⟨g⟩:
– choose random r ∈ {1, …, q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c_1, c_2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
User holds Nym = g^{sk} h^r and the credential with d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n); the inspector's public key is y = g^x
Encrypt Nym: choose random u ∈ {1, …, q} and compute enc = (y^u Nym, g^u) = (e_1, e_2)
Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof
  PK{(ε, μ_1, μ_2, μ_3, σ, ρ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
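The ElGamal scheme of the previous slide and its use for inspection, as an added Python example (not code from the talk): the user escrows Nym = g^{sk} h^r under the inspector's key, and the inspector, when the inspection grounds are met, decrypts and looks the Nym up in the registry the issuer kept at issuance. The proof that the ciphertext contains the Nym from the credential is not reproduced; the group is a toy one (an assumption): p = 2q+1, q = 1019, with g = 4 and h = 9 both of order q.

```python
# Added example (not the talk's code): ElGamal in the order-q subgroup,
# used to escrow a pseudonym for an off-line inspector.
# Toy group (assumption): p = 2q+1, q = 1019, g = 4, h = 9.
import secrets

P, Q, G, H = 2039, 1019, 4, 9

def keygen():
    """Inspector: secret x in [1, q-1], public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m, u=None):
    """m in <g>: choose u and output (y^u m, g^u)."""
    u = secrets.randbelow(Q - 1) + 1 if u is None else u
    return pow(y, u, P) * m % P, pow(G, u, P)

def decrypt(x, ciphertext):
    """m = c_1 c_2^(-x) = y^u m g^(-xu)."""
    c1, c2 = ciphertext
    return c1 * pow(pow(c2, x, P), -1, P) % P

def pseudonym(sk, r):
    """Nym = g^sk h^r."""
    return pow(G, sk, P) * pow(H, r, P) % P

def presentation_token(sk, r, inspector_pk):
    """User: escrow the Nym under the inspector's key (the ZK proof tying the
    ciphertext to the credential is omitted in this example)."""
    return {"enc": encrypt(inspector_pk, pseudonym(sk, r))}

def inspect(inspector_sk, token, registry):
    """Inspector (on valid grounds): decrypt and look the Nym up in the
    issuer's registry of (Nym, name) pairs; None if it is unknown."""
    return registry.get(decrypt(inspector_sk, token["enc"]))
```

Every encryption draws a fresh u, which is what the "secure if used once only" remark on the semantic-security slide refers to: the same Nym escrowed twice yields two unrelated ciphertexts, so the verifier cannot link two presentation tokens through the escrow.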
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
Alice should be able to convince the verifier that her credential is among the good ones
Various reasons to revoke a credential: the user lost the credential's secret key, misbehavior of the user
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for each u_j in (u_1, …, u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable
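The verifier side of the second solution and of its variation with a verifier-fixed h (the "Variation: verifier could choose h" slide), as an added Python example (not code from the talk): the user's U = h^u, the linear check against the blacklist, the pre-computed table that turns the check into one lookup, the derivation h = H(verifier, date) that lets the user recompute h, and the linkability that a fixed h introduces. The proof that U contains the credential's u is not reproduced; the group is a toy one (an assumption): p = 2q+1, q = 1019, and the revoked IDs are constructed sample values.

```python
# Added example (not the talk's code): blacklist check on U = h^u, the
# fixed-h table variation, h = H(verifier, date), and the linkability cost.
# Toy group (assumption): p = 2q+1, q = 1019.
import hashlib
import secrets

P, Q = 2039, 1019

def to_subgroup(x):
    """Square x in Z_p^* so the result lies in the order-q subgroup."""
    return pow(x, 2, P)

def fresh_base():
    """Random h of order q: the user's choice in the basic solution."""
    while True:
        h = to_subgroup(secrets.randbelow(P - 1) + 1)
        if h != 1:
            return h

def derived_base(verifier_id, date):
    """Variation: h = H(verifier, date); both sides can recompute it, so the
    user can check that the verifier did not pick h to its own advantage."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{verifier_id}|{date}|{counter}".encode()).digest()
        h = to_subgroup(int.from_bytes(digest, "big") % (P - 1) + 1)
        if h != 1:
            return h
        counter += 1

def user_token(h, u):
    """U = h^u, shown together with the (omitted) proof that u is in the credential."""
    return pow(h, u, P)

def verifier_check(h, U, blacklist):
    """Accept iff U != h^u_j for every revoked u_j: linear in the list size."""
    return all(U != pow(h, u_j, P) for u_j in blacklist)

def precompute(h, blacklist):
    """With a fixed h the verifier builds {h^u_j} once ..."""
    return {pow(h, u_j, P) for u_j in blacklist}

def verifier_check_table(U, table):
    """... and each check becomes a single lookup."""
    return U not in table

def linkable(U_visit1, U_visit2):
    """The price of a fixed h: the same user yields the same U on every visit."""
    return U_visit1 == U_visit2
```

With a fresh h per session the two visits of one user produce unrelated group elements and the verifier can only conclude "not revoked"; with the fixed h of the variation the tokens of one user coincide, which is exactly the linkability the slide warns about, and the date in h = H(verifier, date) bounds for how long that holds.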
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$; it can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to come up with $x$ and $e$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ together with her certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \ \wedge\ z = U_1^\mu (1/h)^\xi \pmod n \ \wedge\ 1 = U_2^\mu (1/g)^\xi \pmod n \ \wedge\ U_2 = g^\delta \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n \ \Rightarrow\ \xi = \delta\mu$
  b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 h^{-\delta})^\mu \pmod n$
  c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{i \ne rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use Ext. Euclid to compute $a$ and $b$ s.t. $a\,e_{own} + b\,e_{rev} = 1$
  • Now $x' = x^b z'^a \bmod n$
  • Why? $x'^{e_{own}} = \big((x^b z'^a)^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} = \big((x^b z'^a)^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b\,e_{rev}} (z'^{e_{rev}})^{a\,e_{own}}\big)^{1/e_{rev}} = \big(z^{b\,e_{rev}} z^{a\,e_{own}}\big)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
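The accumulator operations of the last few slides as an added, runnable example (not code from the slides or from Identity Mixer): accumulate, witness, verify, the join update, the revocation update via extended Euclid, and the trapdoor join for an issuer who knows the factorization of $n$. The modulus, seed and primes are constructed toy values.

```python
# Added example (not from the slides): toy RSA accumulator in the style of the
# Camenisch-Lysyanskaya construction. Sizes are deliberately tiny; a real
# deployment uses a 2048-bit n and large prime e's.
from math import prod

# Constructed toy modulus: product of two Mersenne primes (far too small for
# real use, but a genuine RSA modulus whose factorization the issuer keeps).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)        # issuer-only trapdoor
V = 4                          # seed v, a quadratic residue mod N


def accumulate(primes, v=V, n=N):
    """z = v^(e_1 * ... * e_k) mod n (issuer side)."""
    return pow(v, prod(primes), n)


def witness(primes, e_j, v=V, n=N):
    """x = v^(product of all accumulated primes except e_j) mod n."""
    return pow(v, prod(e for e in primes if e != e_j), n)


def verify(z, x, e, n=N):
    """Verifier checks z == x^e mod n."""
    return pow(x, e, n) == z


def join_update(z, x, e_new, n=N):
    """Trapdoor-free join: z' = z^e_new, and every witness becomes x' = x^e_new."""
    return pow(z, e_new, n), pow(x, e_new, n)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def revoke_update(z_new, x, e_own, e_rev, n=N):
    """Holder-side witness update after the issuer published z' = z^(1/e_rev).

    With a*e_own + b*e_rev = 1 the new witness is x' = x^b * z'^a mod n
    (a negative exponent means a modular inverse; needs Python >= 3.8).
    """
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "accumulated values must be distinct primes"
    return (pow(x, b, n) * pow(z_new, a, n)) % n


def issuer_revoke(z, e_rev, phi=PHI, n=N):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n using the trapdoor phi."""
    return pow(z, pow(e_rev, -1, phi), n)


def issuer_join_trapdoor(z, e_new, phi=PHI, n=N):
    """Improved join: z stays fixed, the newcomer's witness is z^(1/e_new)."""
    return pow(z, pow(e_new, -1, phi), n)


def demo():
    members = [17, 19, 23, 29]          # toy primes e_i, all coprime to PHI
    z = accumulate(members)
    x23 = witness(members, 23)
    ok_member = verify(z, x23, 23)

    # Join without trapdoor: accumulator and all existing witnesses change.
    z2, x23_after_join = join_update(z, x23, 31)
    ok_join = verify(z2, x23_after_join, 23)

    # Revoke 29: issuer publishes z3 = z2^(1/29); holder of 23 updates locally.
    z3 = issuer_revoke(z2, 29)
    x23_after_revoke = revoke_update(z3, x23_after_join, 23, 29)
    ok_revoke = verify(z3, x23_after_revoke, 23)
    stale_rejected = not verify(z3, x23_after_join, 23)

    # Improved join: z3 is unchanged, newcomer 37 gets a witness directly.
    x37 = issuer_join_trapdoor(z3, 37)
    ok_trapdoor = verify(z3, x37, 37)
    return ok_member, ok_join, ok_revoke, stale_rejected, ok_trapdoor


if __name__ == "__main__":
    print(demo())
```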
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier
– If the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$, computes $c = \big(d / (U a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$: choose $e_i, s_i''$ and compute $c_i = \big(d / (U a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy-protecting authentication with IBM Identity Mixer
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12."
Alice → Movie Streaming Service: a proof that she holds a valid subscription and an eID with age ≥ 12, verifiable with the public verification key of the issuer.
Movie Streaming Service: "Aha, you are older than 12 and have a subscription."
Like PKI, but the credential itself is not sent: only minimal disclosure.
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at ibm.biz/identitymixer on Privacy Day (January 28).
Further Concepts
Concept – Inspection
• If the car is damaged, the ID has to be retrieved, with the insurance or the government acting as TTP
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Concept – Revocation
• If Alice was speeding, her license needs to be revoked (the revocation authority publishes its parameters, i.e. public key, and the revocation info)
• There are many different use cases and many solutions:
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
  • Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
• The degree of anonymity can be limited: if Alice and Eve are on-line at the same time, they are caught
• Use limitation – anonymous until: Alice used her certs > 100 times in total, or > 10,000 times with Bob
• Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.
Healthcare
– Anonymous access to patients' records (accessing medical test results)
– Anonymous consultations with specialists (online chat with a psychologist, online consultation with IBM Watson)
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News / Journals / Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on both the user's and the verifier's side. Application layer: resource request, AC & app logic. Policy layer: presentation policy and presentation token exchanged between the user's Wallet (policy/credential matcher, credential manager, store, evidence generation orchestration) and the verifier (policy/token matcher, token manager, store, evidence verification orchestration). Crypto layer: Sig, Enc, Com, ZKP primitives and a store.]
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer publishes issuer parameters and a credential specification; the user holds a credential and a pseudonym; the verifier publishes verifier parameters and a presentation policy (e.g. 12 < age) and receives a presentation token.]
The Policy Layer – An Example Presentation Policy
The verifier sends the presentation policy to the user; the user answers with a presentation token.
  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge; three moves: commitment, challenge, response.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group $\langle g \rangle$ and element $y \in \langle g \rangle$. The prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
– Prover: choose random $r$, compute $t = g^r$, send $t$
– Verifier: choose random $c$, send $c$
– Prover: compute $s = r - c x$, send $s$
– Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Rewind the prover to the same first message $t$ and answer with two different challenges $c \ne c'$, obtaining responses $s$ and $s'$:
$t = g^s y^c = g^{s'} y^{c'} \ \Rightarrow\ y^{c - c'} = g^{s' - s} \ \Rightarrow\ y = g^{(s' - s)/(c - c')} \ \Rightarrow\ x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
– Choose random $c', s$ and compute $t = g^s y^{c'}$; send $t$.
– If the verifier's challenge is $c = c'$, send $s$; otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge first.
– Verifier: choose random $c$, compute $h = H(c)$, send $h$
– Prover: choose random $r$, compute $t = g^r$, send $t$
– Verifier: send $c$
– Prover: check $h = H(c)$, compute $s = r - c x$, send $s$
– Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Security
Simulation for the modified protocol with a large domain for $c$:
– Receive $h$; choose random $c', s$, compute $t = g^s y^{c'}$, send $t$, and receive $c$.
– After having received $c$, "reboot" the verifier (it sends the same $h = H(c)$ again).
– Choose random $s'$, compute $t' = g^{s'} y^{c}$, send $t'$; the verifier is bound by $h$ to answer with the same $c$.
– Send $s'$.
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - c x \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
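The protocol of the preceding slides in the slides' own convention ($t = g^r$, $s = r - cx$, check $t = g^s y^c$), as an added example that is not part of the deck: the interactive proof, the rewinding extractor, the simulator, and the Fiat-Shamir signature $SPK\{(\alpha): y = g^\alpha\}(m)$. The group (a constructed safe-prime subgroup) and the fixed challenge pair in the extractor demo are assumptions.

```python
# Added example (not from the slides): Schnorr proof of knowledge of a discrete
# logarithm, knowledge extractor, simulator and Fiat-Shamir signature.
import hashlib
import secrets

# Constructed toy group: order-Q subgroup of Z_P^* with P = 2Q + 1 (safe prime).
P, Q = 2039, 1019
G = 4                        # 2^2, hence an element of order Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)           # (secret x, public y = g^x)


# --- interactive protocol, prover split into its two moves ------------------
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)           # keep r, send t = g^r


def prover_respond(x, r, c):
    return (r - c * x) % Q           # s = r - c x


def verifier_check(y, t, c, s):
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(x, y):
    r, t = prover_commit()
    c = secrets.randbelow(Q)         # verifier's random challenge
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- soundness: rewind the black-box prover and use two challenges ----------
def extract(s1, c1, s2, c2):
    """Two accepting transcripts with the same t: x = (s2 - s1)/(c1 - c2) mod q."""
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q


def extractor_demo(x, y):
    r, t = prover_commit()           # same first message, then "reset and rerun"
    c1, c2 = 5, 17                   # two different challenges (constructed)
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    assert verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)
    return extract(s1, c1, s2, c2)


# --- zero-knowledge: simulate an accepting transcript without x -------------
def simulate(y, c):
    """Pick s first, then t = g^s y^c; (t, c, s) is distributed like a real run."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s


# --- Fiat-Shamir: c = H(t || m) turns the protocol into a signature ---------
def _hash_challenge(t, m):
    data = t.to_bytes(2, "big") + m.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def spk_sign(x, m):
    r, t = prover_commit()
    c = _hash_challenge(t, m)
    return c, prover_respond(x, r, c)


def spk_verify(y, m, sig):
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P     # recompute t = g^s y^c
    return c == _hash_challenge(t, m)


if __name__ == "__main__":
    x, y = keygen()
    print(run_protocol(x, y), extractor_demo(x, y) == x)
    print(spk_verify(y, "hello", spk_sign(x, "hello")))
```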
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
– $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
– $PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
– $SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
– $PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
– $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
– $PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min\{ord(g), ord(\mathbf{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and $C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3'}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2'}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from three building blocks: a signature scheme, a commitment scheme, and zero-knowledge proofs.]
Signature schemes
Signature Scheme: Functionality
– Key generation: the signer creates a key pair (secret signing key, public verification key).
– Signing: on messages $(m_1, \ldots, m_k)$ compute $\sigma = sig((m_1, \ldots, m_k))$ with the signing key.
– Verification: with the public key, check $ver(\sigma, (m_1, \ldots, m_k)) = true$.
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary adaptively asks for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice and wins if it outputs $\sigma$ and $m \ne m_i$ s.t. $ver(\sigma, m) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute $c = \big(d / (a_1^{m_1} \cdots a_k^{m_k} b^s)\big)^{1/e} \bmod n$. The signature is $(c, e, s)$.
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme, and zero-knowledge proofs.]
Commitment scheme
Commitment Scheme: Functionality
[Figure: the committer puts a message $m$ (a date such as 2-36-17) into a sealed commitment and sends it; later she opens it and the receiver learns $m$.]
Commitment Scheme: Security
Binding: a commitment to $m$ (2-36-17) cannot later be opened to a different $m'$ (3-21-11).
Hiding: for all messages $m, m'$, a commitment to $m$ and a commitment to $m'$ are indistinguishable until opened.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$. To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$. I.e. given $c$ and any $x'$ there exists an $r''$ such that $c = g^{x'} h^{r''}$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be s.t. $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$.
Commitment Scheme: Extended Features
Proof of knowledge of contents: the committer proves that she knows the $m$ inside a commitment; the verifier outputs true without learning $m$.
Proof of relations among contents: for commitments to $m$ and $m'$, prove e.g. that $m' = 2 \cdot m$.
Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$; then
– $PK\{(\alpha, \beta): C = g^\beta h^\alpha\}$ proves knowledge of the contents, and
– $PK\{(\alpha, \beta, \gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$ proves $m' = 2m$.
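Pedersen commitments with both arguments from the preceding slides and the relation proof of this slide, as an added example that is not code from the deck: commit/open, the binding argument (two openings of one commitment yield $\log_g h$), and a Fiat-Shamir version of $PK\{(\alpha, \beta, \gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$. The group and the trapdoor $u$ (kept only so the binding break can be demonstrated) are constructed assumptions.

```python
# Added example (not from the slides): Pedersen commitments, the binding
# argument, and a non-interactive proof that C' commits to twice the value in C.
import hashlib
import secrets

# Constructed toy group: order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q = 2039, 1019
G = 4
# In a real setup nobody may know log_g h; this labelled trapdoor exists only
# to show that a second opening reveals exactly that logarithm.
U_TRAPDOOR = 123
H = pow(G, U_TRAPDOOR, P)


def commit(x, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, x, P) * pow(H, r, P)) % P, r        # c = g^x h^r


def open_check(c, x, r):
    return c == (pow(G, x, P) * pow(H, r, P)) % P


def extract_dlog(x1, r1, x2, r2):
    """Two openings (x1,r1) != (x2,r2) of one c give log_g h = (x1-x2)/(r2-r1)."""
    return ((x1 - x2) * pow(r2 - r1, -1, Q)) % Q


def forge_second_opening(x, r, x_new, u=U_TRAPDOOR):
    """Only possible with the trapdoor u: r' = r + (x - x_new)/u keeps c unchanged."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def _challenge(*elems):
    data = b"".join(e.to_bytes(2, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_double(m, r1, r2):
    """Non-interactive PK that C commits to m and C' commits to 2m (same m)."""
    c1 = (pow(G, m, P) * pow(H, r1, P)) % P            # C  = g^m  h^r1
    c2 = (pow(G, 2 * m, P) * pow(H, r2, P)) % P        # C' = (g^2)^m h^r2
    a, b, d = (secrets.randbelow(Q) for _ in range(3))
    t1 = (pow(G, a, P) * pow(H, b, P)) % P
    t2 = (pow(G, 2 * a, P) * pow(H, d, P)) % P         # same exponent a for g^2
    c = _challenge(c1, c2, t1, t2)
    # responses follow the slides' convention s = r - c*secret
    proof = (c, (a - c * m) % Q, (b - c * r1) % Q, (d - c * r2) % Q)
    return proof, c1, c2


def verify_double(proof, c1, c2):
    c, s_beta, s_alpha, s_gamma = proof
    t1 = (pow(G, s_beta, P) * pow(H, s_alpha, P) * pow(c1, c, P)) % P
    t2 = (pow(G, 2 * s_beta, P) * pow(H, s_gamma, P) * pow(c2, c, P)) % P
    return c == _challenge(c1, c2, t1, t2)


def demo():
    c, r = commit(42)
    opens_ok = open_check(c, 42, r)
    r_forged = forge_second_opening(42, r, 7)          # needs the trapdoor
    binding_broken = open_check(c, 7, r_forged)
    recovered = extract_dlog(42, r, 7, r_forged)        # equals U_TRAPDOOR
    proof, c1, c2 = prove_double(42, 11, 13)
    return opens_ok, binding_broken, recovered == U_TRAPDOOR, verify_double(proof, c1, c2)


if __name__ == "__main__":
    print(demo())
```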
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better: issuing a credential with attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead → $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$.
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user sends commitments to the hidden messages $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$; the signer computes $\sigma = sig((\text{committed } m_1, \ldots, m_j), (m_{j+1}, \ldots, m_k))$. Verification remains unchanged: $ver(\sigma, (m_1, \ldots, m_k)) = true$.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: $n, a_i, b, d$. The user holds the secret key $sk$.
– User commits to $sk$: $C = a_1^{sk} b^{s'}$, sends $C$ and her name, and proves $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^\sigma\}$.
– Issuer chooses $e, s''$, computes $c = \big(d / (C\, a_2^{name} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
– The user now holds a signature with $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.
Want to sign w.r.t. a pseudonym $Nym = g^{sk} h^r$:
– User sends $C = a_1^{sk} a_2^{r} b^{s'}$, $Nym$ and her name, and proves $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^\rho b^\sigma\}$.
– Issuer stores $(Nym, name)$ and computes $c = \big(d / (C\, a_3^{name} b^{s''})\big)^{1/e} \bmod n$.
– Result: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
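The CL signature of the earlier slides (sign, verify, re-randomise into $(c', e, s' = s - et)$) and the issuance on a committed secret key from the slides above, as one added example that is not code from the deck or from Identity Mixer. The modulus, bases, bit length $\ell$ and the set of toy primes $e$ are constructed assumptions; the range proofs that accompany a real presentation are not shown.

```python
# Added example (not from the slides): toy Camenisch-Lysyanskaya signature
# over the slides' parameters (n, a_i, b, d in QR_n) plus issuance on a
# commitment C = a_1^sk b^s' so that the issuer never sees sk.
from math import prod
import secrets

# Constructed toy modulus: two Mersenne primes (real CL uses a 2048-bit n).
P_, Q_ = 2**31 - 1, 2**61 - 1
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)           # signer's secret key: the factorisation of n
L = 4                               # messages are L-bit, so 2^(L+1) < e < 2^(L+2)
K = 3                               # number of message bases a_1..a_k

# Public key: quadratic residues mod n (squares of constructed small values).
A = [pow(3 + i, 2, N) for i in range(K)]
B = pow(11, 2, N)
D = pow(13, 2, N)
# Toy primes in (2^5, 2^6), chosen coprime to PHI (labelled assumption).
E_CHOICES = [37, 43, 47, 53, 59]


def _root(base, e):
    """(d / base)^(1/e) mod n, computable only with the trapdoor PHI."""
    return pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)


def cl_sign(msgs):
    """Signature (c, e, s) with d = c^e a_1^m1 ... a_k^mk b^s mod n."""
    assert len(msgs) == K and all(0 <= m < 2**L for m in msgs)
    e = secrets.choice(E_CHOICES)
    s = secrets.randbelow(N)                    # integer s of about the size of n
    base = (prod(pow(a, m, N) for a, m in zip(A, msgs)) * pow(B, s, N)) % N
    return _root(base, e), e, s


def cl_verify(sig, msgs):
    c, e, s = sig
    if not (2**(L + 1) < e < 2**(L + 2)) or not all(0 <= m < 2**L for m in msgs):
        return False
    rhs = (pow(c, e, N) * prod(pow(a, m, N) for a, m in zip(A, msgs)) * pow(B, s, N)) % N
    return rhs == D


def rerandomize(sig):
    """c' = c b^t, s' = s - e t: a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return (c * pow(B, t, N)) % N, e, s - e * t      # negative s' is fine for pow()


# --- issuance on a commitment to the user's secret key ---------------------
def user_commit(sk):
    s1 = secrets.randbelow(N)
    return (pow(A[0], sk, N) * pow(B, s1, N)) % N, s1     # C = a_1^sk b^s', keep s'


def issuer_sign_committed(commitment, clear_msgs):
    """Issuer computes c = (d / (C a_2^m2 ... a_k^mk b^s''))^(1/e) without learning sk."""
    assert len(clear_msgs) == K - 1
    e = secrets.choice(E_CHOICES)
    s2 = secrets.randbelow(N)
    base = (commitment * prod(pow(a, m, N) for a, m in zip(A[1:], clear_msgs))
            * pow(B, s2, N)) % N
    return _root(base, e), e, s2


def demo():
    sig = cl_sign([3, 9, 14])
    ok = cl_verify(sig, [3, 9, 14])
    ok_rerand = cl_verify(rerandomize(sig), [3, 9, 14])
    wrong_msg_rejected = not cl_verify(sig, [3, 9, 15])
    sk, name = 5, 12
    C, s1 = user_commit(sk)
    c, e, s2 = issuer_sign_committed(C, [name, 0])
    ok_issued = cl_verify((c, e, s1 + s2), [sk, name, 0])   # s = s' + s''
    return ok, ok_rerand, wrong_msg_rejected, ok_issued


if __name__ == "__main__":
    print(demo())
```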
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer key $(n, a_1, a_2, b, d)$
– The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms her credential
3. User presents the transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and sends
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts
Concept – Inspection
The TTP publishes its inspector parameters; the presentation policy states the inspection grounds.
• If the car is damaged, the ID has to be retrieved, with the insurance or the government acting as TTP
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes, no information about the message leaks; an adversary cannot tell which of two messages a ciphertext contains. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind a context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of the label is a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and a credential with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$. Compute the proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
– compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of credentials
Anonymous Credential Revocation
Various reasons to revoke a credential: the user lost the credential's secret key, misbehaviour of the user, …
The issuer publishes revocation info; the verifier looks it up; Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
Revocable Credentials: Third Solution, using cryptographic accumulators
[Figure: accumulator containing the serial numbers 1, 2, 3, 4, 5, 6; a credential with serial number 2; proof that 2 is included in the accumulator]
– Credentials contain a random serial number
– The issuer accumulates all good serial numbers
– The proof that the serial number is included in the accumulator requires a witness
Revocable Credentials: Third Solution, using cryptographic accumulators
[Figure: the same accumulator; serial number 2 is to be revoked]
– The proof would require a witness
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show $x$, $e$ with $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption
– For any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$ ⇒ $\xi = \delta\mu$
b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta\mu} = (U_1 h^{-\delta})^\mu \pmod n$
c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
• Use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\,e_{own} + b\,e_{rev} = 1$
• Now $x' = x^b z'^a \bmod n$
• Why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
$= ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\,e_{rev}} (z'^{e_{rev}})^{a\,e_{own}})^{1/e_{rev}} \bmod n = (z^{b\,e_{rev}} z^{a\,e_{own}})^{1/e_{rev}} \bmod n$
$= z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
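An added worked example of the accumulator slides above (accumulate, witness, verify, the two witness updates, and the trapdoor variant); it is example code, not from the slides or the Identity Mixer library. The modulus, seed and member primes are constructed toy values; a deployment uses a 2048-bit $n$ and large random primes from a fixed range.

```python
from math import gcd

# Constructed toy parameters: the issuer's secret factors of n and the public seed v.
P, Q = 10007, 10009
N, PHI = P * Q, (P - 1) * (Q - 1)
V = 2


def is_prime(e):
    """Trial division; sufficient for the toy member sizes used here."""
    if e < 2:
        return False
    return all(e % d for d in range(2, int(e ** 0.5) + 1))


def ext_euclid(a, b):
    """Return (x, y) with x*a + y*b = gcd(a, b)."""
    if b == 0:
        return 1, 0
    x, y = ext_euclid(b, a % b)
    return y, x - (a // b) * y


class Issuer:
    """Holds the trapdoor phi(n) and the list of accumulated primes."""

    def __init__(self):
        self.z = V % N          # empty accumulator: z = v
        self.members = []

    def accumulate(self, e):
        # z = v^(prod e_i) mod n; e must be prime and coprime to phi(n)
        assert is_prime(e) and gcd(e, PHI) == 1 and e not in self.members
        self.z = pow(self.z, e, N)
        self.members.append(e)
        return self.z

    def witness(self, e):
        # x = v^(product of all other members) mod n, so that z = x^e mod n
        x = V % N
        for ei in self.members:
            if ei != e:
                x = pow(x, ei, N)
        return x

    def witness_via_trapdoor(self, e):
        # "improved" variant: with the factorization, x = z^(1/e) mod n
        return pow(self.z, pow(e, -1, PHI), N)

    def revoke(self, e_rev):
        # z' = z^(1/e_rev) mod n, computed with the trapdoor
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def verify(z, x, e):
    """Verifier's check: z = x^e mod n."""
    return pow(x, e, N) == z


def update_witness_on_add(x, e_new):
    """Holder's update when e_new joins and z' = z^(e_new): x' = x^(e_new)."""
    return pow(x, e_new, N)


def update_witness_on_revoke(x, e_own, z_new, e_rev):
    """Holder's update after e_rev is revoked and z' = z^(1/e_rev) is published:
    a*e_own + b*e_rev = 1  =>  x' = x^b * z'^a  satisfies x'^e_own = z'."""
    a, b = ext_euclid(e_own, e_rev)
    assert a * e_own + b * e_rev == 1
    # negative exponents are handled by pow() as modular inverses
    return (pow(x, b, N) * pow(z_new, a, N)) % N
```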
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
– the user sends $U = a_1^{m_1} a_2^{m_2} b^{s}$
– the issuer chooses $e$, $s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
– the issuer returns $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period $time_i$:
– choose $e_i$, $s_i''$
– $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureid.eu
– www.au2eu.eu
– www.primelife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– Camenisch, Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
– Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
– Jan Camenisch, Nathalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
References
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. In Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy-protecting authentication with IBM Identity Mixer
[Figure: Alice and a Movie Streaming Service]
Alice: "I wish to see Alice in Wonderland."
Movie Streaming Service: "You need a subscription and to be older than 12."
Alice presents: a valid subscription and an eID with age ≥ 12. Like PKI, but she does not send the credential, only a minimal disclosure.
Movie Streaming Service (checking against the public verification key of the issuer): "Aha, you are older than 12 and have a subscription."
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP) holding the inspection key]
• If the car is damaged, the ID must be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Concept – Revocation
[Figure: revocation authority parameters (public key) and revocation info]
• If Alice was speeding, her licence needs to be revoked
• There are many different use cases and many solutions:
• Variants of CRLs work (using crypto to maintain anonymity)
• Accumulators
• Signing entries and proofs
• Limited validity: certs need to be updated
• For proving age, a revoked driver's licence still works
Concept – Usage Limitation
The degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation: anonymous until Alice has used her certs more than 100 times in total, or more than 10,000 times with Bob
– Alice's cert can be bound to a hardware token (e.g. a TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation
Healthcare
– Anonymous access to patients' records: accessing medical test results
– Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/journals/magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
– Online polls: applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it, wikis, recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on both the user (wallet) side and the verifier side. Application layer: resource request, application logic and access control. Policy layer: presentation policy and presentation token; on the user side a policy/credential matcher, credential manager, store and evidence generation orchestration; on the verifier side a policy/token matcher, token manager, store and evidence verification orchestration. Crypto layer: signatures, encryption, commitments and zero-knowledge proofs (Sig, Enc, Com, ZKP) with their stores.]
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer (issuer parameters) issues a credential following a credential specification; the user forms a pseudonym and a presentation token answering the verifier's presentation policy (verifier parameter), e.g. proving 12 < age]
The Policy Layer – An Example Presentation Policy
[Figure: user and verifier exchange a presentation policy and a presentation token]
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
[Figure: three-move protocol: commitment, challenge, response]
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
Prover: chooses random $r$, computes $t = g^r$, sends $t$
Verifier: chooses random $c$, sends $c$
Prover: computes $s = r - cx$, sends $s$
Verifier: checks $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
[Figure: the same commitment $t$ answered with two challenges $c$, $c'$, giving responses $s$, $s'$]
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
[Figure: simulated transcript $(t, c, s)$]
– Choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$
– If $c = c'$, send $s = s'$; otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
Verifier: chooses random $c$, sends $h = H(c)$
Prover: chooses random $r$, computes $t = g^r$, sends $t$
Verifier: sends $c$
Prover: checks $h = H(c)$, computes $s = r - cx$, sends $s$
Verifier: checks $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Security
Simulation for the modified protocol with a large domain for $c$:
[Figure: the simulator interacting with the verifier, messages $h$, $t$, $c$, $s$]
– Choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$, send $t$ and receive $c$
– After having received $c$, "reboot" the verifier (it sends the same $h$ again)
– Choose random $s$, compute $t = g^{s} y^{c}$, send $t$ and receive $c$ again
– Send $s$
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
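An added worked example (not from the slides) of the Schnorr protocol in the slides' form ($s = r - cx$, check $t = g^s y^c$), the knowledge extractor from two transcripts with the same $t$, the zero-knowledge simulator, and the Fiat-Shamir signature $SPK\{(\alpha): y = g^\alpha\}(m)$ with SHA-256 standing in for $H$. The group is a constructed toy: $p = 1907 = 2q + 1$, $q = 953$, $g = 4$ generating the order-$q$ subgroup.

```python
import hashlib

# Constructed toy group: p = 2q+1 with p, q prime; g = 4 has order q.
P, Q, G = 1907, 953, 4


def keygen(x):
    """Public key y = g^x for a secret x in Z_q."""
    return pow(G, x % Q, P)


def prover_commit(r):
    """First move: t = g^r for random r in Z_q."""
    return pow(G, r % Q, P)


def prover_respond(x, r, c):
    """Third move: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff t = g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts (t, c1, s1), (t, c2, s2)
    with c1 != c2 give y^(c1-c2) = g^(s2-s1), hence x = (s2-s1)/(c1-c2) mod q."""
    assert verifier_check is not None and c1 % Q != c2 % Q
    return ((s2 - s1) * pow((c1 - c2) % Q, -1, Q)) % Q


def simulate(y, c, s):
    """Zero-knowledge simulator: choose c and s first, then t = g^s * y^c.
    The resulting (t, c, s) is an accepting transcript made without x."""
    return (pow(G, s, P) * pow(y, c, P)) % P


def hash_challenge(t, m):
    """Fiat-Shamir challenge c = H(t || m) reduced into Z_q."""
    data = t.to_bytes(2, "big") + m.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def spk_sign(x, r, m):
    """SPK{(alpha): y = g^alpha}(m): c = H(g^r || m), s = r - c*x mod q."""
    t = prover_commit(r)
    c = hash_challenge(t, m)
    return c, prover_respond(x, r, c)


def spk_verify(y, m, sig):
    """Recompute t = g^s * y^c and check c = H(t || m)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == hash_challenge(t, m)
```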
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA), with $\mathbf{g}$ a generator of a second group:
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alp




ha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Signature schemes
Signature Scheme: Functionality
– Key generation: the signer generates a signing key $sk$ and a public verification key $pk$
– Signing: on messages $(m_1, \ldots, m_k)$, compute $\sigma = sig((m_1, \ldots, m_k), sk)$
– Verification: check $ver(\sigma, (m_1, \ldots, m_k), pk) = true$
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice and must output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, pk) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g.
$PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: the factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
$c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
– the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe:
– Let $c' = c \, b^t \bmod n$ with randomly chosen $t$
– Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$
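An added worked example (not from the slides or the Identity Mixer code) of the CL-signature slides: signing two messages with the trapdoor, verifying, and the re-randomization $c' = c\,b^t$, $s' = s - et$ that keeps the signature valid. Modulus, bases, $\ell$ and the messages are constructed toy values; a real issuer uses a large modulus, a large $\ell$ and $s \approx n$.

```python
from math import gcd

# Constructed toy RSA modulus; the issuer's secret key is the factorization.
P, Q = 10007, 10009
N, PHI = P * Q, (P - 1) * (Q - 1)
# Public bases a_1, a_2, b, d, chosen as squares so that they lie in QR_n.
A = [pow(3, 2, N), pow(5, 2, N)]
B = pow(7, 2, N)
D = pow(11, 2, N)
ELL = 4   # message length: messages in [0, 2^ELL); e prime with 2^(ELL+1) < e < 2^(ELL+2)


def is_prime(e):
    """Trial division; sufficient for the toy prime sizes used here."""
    return e >= 2 and all(e % d for d in range(2, int(e ** 0.5) + 1))


def base_product(msgs, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (negative s uses the inverse of b)."""
    out = pow(B, s, N)
    for a, m in zip(A, msgs):
        out = out * pow(a, m, N) % N
    return out


def sign(msgs, e, s):
    """Issuer: c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n, via 1/e mod phi(n)."""
    assert len(msgs) == len(A) and all(0 <= m < 2 ** ELL for m in msgs)
    assert is_prime(e) and 2 ** (ELL + 1) < e < 2 ** (ELL + 2) and gcd(e, PHI) == 1
    root = pow(e, -1, PHI)
    c = pow(D * pow(base_product(msgs, s), -1, N) % N, root, N)
    return c, e, s


def verify(msgs, sig):
    """Verifier: messages in range, e > 2^(ELL+1), and d = c^e a_1^m_1 ... b^s mod n."""
    c, e, s = sig
    if len(msgs) != len(A) or not all(0 <= m < 2 ** ELL for m in msgs):
        return False
    if e <= 2 ** (ELL + 1):
        return False
    return pow(c, e, N) * base_product(msgs, s) % N == D


def randomize(sig, t):
    """Holder: c' = c * b^t mod n, s' = s - e*t; (c', e, s') verifies on the same messages."""
    c, e, s = sig
    return c * pow(B, t, N) % N, e, s - e * t
```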
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Commitment scheme
Commitment Scheme: Functionality
[Figure: the committer seals a message m (e.g. 2-36-17) in an envelope; opening the envelope later reveals m]
Commitment Scheme: Security
– Binding: a commitment cannot later be opened to a different message (e.g. 2-36-17 versus 3-21-11)
– Hiding: for all messages $m$, $m'$, the commitments to $m$ and to $m'$ are indistinguishable
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x + ur} = g^{(x + ur') + u(r - r')}$
$= g^{x + u(r - r')} h^{r'}$ for any $r'$
I.e., given $c$ and any $x'$, there exists an $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$.
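An added worked example (not from the slides) of the two arguments above: with the trapdoor $u = \log_g h$ a commitment can be opened to any $x'$ (perfect hiding), and two distinct openings of one commitment yield $u$ (so binding rests on $u$ being unknown). The group $p = 1907$, $q = 953$, $g = 4$ and the trapdoor $u = 57$ are constructed toy values; in practice $h$ is generated so that nobody knows $\log_g h$.

```python
# Constructed toy group: p = 2q+1 with p, q prime; g = 4 has order q.
P, Q, G = 1907, 953, 4
U = 57                  # trapdoor log_g h, known here only for the demonstration
H = pow(G, U, P)        # h = g^u


def commit(x, r):
    """Pedersen commitment c = g^x h^r."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P


def open_commitment(c, x, r):
    """Verifier's check on an opening (x, r)."""
    return c == commit(x, r)


def equivocate(x, r, x_new):
    """Perfect hiding, made explicit with the trapdoor: find r' such that
    g^x h^r = g^x' h^r'.  From x + u*r = x' + u*r'  =>  r' = r + (x - x')/u mod q."""
    return (r + (x - x_new) * pow(U, -1, Q)) % Q


def extract_trapdoor(x1, r1, x2, r2):
    """Binding: two openings of the same c with x1 != x2 give
    g^(x1-x2) = h^(r2-r1), hence log_g h = (x1 - x2)/(r2 - r1) mod q."""
    assert commit(x1, r1) == commit(x2, r2) and (x1 - x2) % Q != 0
    return ((x1 - x2) * pow((r2 - r1) % Q, -1, Q)) % Q
```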
Commitment Scheme: Extended Features
[Figure: proof of knowledge of the contents $m$ of a commitment, and proof of a relation between the contents of two commitments, e.g. $m' = 2 \cdot m$]
– Proof of knowledge of contents
– Proof of relations among contents
Let $C_1 = g^m h^r$ and $C_2 = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C_1 = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^\beta h^\alpha \wedge C_2 = (g^2)^\beta h^\gamma\}$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
[Figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the user commits to $m_1, \ldots, m_j$ and sends the commitments together with the clear messages $(m_{j+1}, \ldots, m_k)$; the signer returns $\sigma = sig((\text{commitments}, m_{j+1}, \ldots, m_k), sk)$; verification is $ver(\sigma, (m_1, \ldots, m_k), pk) = true$]
Verification remains unchanged. The security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$
1. The user computes $C = a_1^{sk} b^{s}$ and sends $C$ together with the clear attribute $name$.
2. The user proves $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$.
3. The issuer chooses $e$, $s''$, computes $c = (d / (C \, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The user's credential satisfies $d = c^e a_1^{sk} a_2^{name} b^{s'' + s} \pmod n$.
Realizing Issuance of Credential: want to sign w.r.t. $Nym = g^{sk} h^r$
1. The user computes $C = a_1^{sk} a_2^{r} b^{s}$ and sends $C$, $Nym$ and $name$.
2. The user proves $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^\rho b^{\sigma}\}$.
3. The issuer stores $(Nym, name)$, computes $c = (d / (C \, a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The credential satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s} \pmod n$.
An Example Scenario
Polling: Scenario and Requirements
Scenario:
– Pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– The user generates a pseudonym (ID for registration)
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e., $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
– The credential can contain attributes (e.g. course ID) about her
– Issuer public key: $(n, a_1, a_2, b, d)$
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym: domain = pollID
2. The user transforms the credential
3. Transformed credential with a subset of the attributes:
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
$P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
– $c' = c \, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP) with inspector parameters and inspection grounds]
• If the car is damaged, the ID must be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
– Key generation
– Encryption
– Decryption
Security: like envelopes, no information about the message is revealed.
[Figure: two envelopes; the adversary cannot tell which of two messages is inside]
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g., it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label yields a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– We know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– Thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
$Nym = g^{sk} h^r$, credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s} \pmod n$, inspector's public key $y = g^x$
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$
Compute the proof token (presentation token):
– compute $c' = c \, b^t \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
Various reasons to revoke a credential: the user lost the credential secret key, misbehaviour of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Second Solution – a better implementation of the proof
The issuer signs the intervals between the revoked IDs: for the revocation list $\{1, 4, 5\}$ it publishes $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$.
Alice, whose credential contains e.g. $u = 3$, proves that she knows a signed interval $Sig(i,j)$ with $i < u < j$ (here $Sig(1,4)$).
The verifier does not learn $i$, $j$ (nor $u$), and the work no longer grows with the length of the list.
$Sig(i,j)$ can be realised with the credential signature scheme itself, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
– Credentials contain a random serial number (the figure shows six credentials with serial numbers 1 to 6).
– The issuer accumulates all good serial numbers into a single accumulator value.
– Alice proves that her serial number is included in the accumulator; the proof requires a witness, which she obtains from the issuer.
– To revoke credential 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: an adversary must not be able to show an $x$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption
– For any $e$ of the adversary's choice: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$
Analysis:
– No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta \mu} = (U_1 h^{-\delta})^\mu \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
c) $d = c^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$, i.e. the same $\mu$ is the value certified in the credential
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer knows the factorization of $n$ and can take $e_{rev}$-th roots)
– witness update for a remaining user with $e_{own}$: use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\,e_{own} + b\,e_{rev} = 1$ (possible because $e_{own}$ and $e_{rev}$ are distinct primes); the new witness is $x' = x^b z'^a \bmod n$
– why: $x'^{e_{own}} = ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b\,e_{rev}} (z'^{e_{rev}})^{a\,e_{own}})^{1/e_{rev}} = (z^{b\,e_{rev}} z^{a\,e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere else, so set $v' = v^{1/e_{new}} \bmod n$ and hand the new user the witness $x = z^{1/e_{new}} \bmod n$
– thus $z$ need not be changed when a new member joins, and nobody else has to update a witness
Witnesses need to be recomputed upon revocation only.
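The third solution carried through in code: accumulation, witness computation, the trapdoor-free join with witness update, the trapdoor join that leaves $z$ unchanged, and revocation with the extended-Euclid witness update derived above. This is an added example, not code from the talk or from Identity Mixer. It assumes a toy modulus built from the Mersenne primes $2^{61}-1$ and $2^{127}-1$ (a real issuer uses a random safe-prime RSA modulus) and a fixed list of primes $e_i$ chosen coprime to $\varphi(n)$ (a real issuer draws a fresh random prime per credential).

```python
"""Dynamic RSA accumulator for credential revocation (Camenisch-Lysyanskaya, CRYPTO 2002).
Example code added to these notes, not code from the talk or from Identity Mixer.
Assumptions: n is the product of the Mersenne primes 2^61-1 and 2^127-1 (a toy modulus; a
real issuer uses a random safe-prime RSA modulus), and the accumulated primes e_i are fixed
values chosen coprime to phi(n) (a real issuer draws a fresh random prime per credential)."""
import random

P_ISSUER = (1 << 61) - 1
Q_ISSUER = (1 << 127) - 1
N = P_ISSUER * Q_ISSUER
PHI = (P_ISSUER - 1) * (Q_ISSUER - 1)          # issuer's trapdoor; never leaves the issuer


def accumulate(v, es):
    """z = v^(prod e_i) mod n over all currently valid primes."""
    z = v
    for e in es:
        z = pow(z, e, N)
    return z


def witness(v, es, e_own):
    """x = v^(prod of the other e_i) mod n, so that x^e_own = z."""
    x = v
    for e in es:
        if e != e_own:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, e_new):
    """Join without the trapdoor: z' = z^e_new, and every old witness becomes x' = x^e_new."""
    return pow(z, e_new, N)


def update_witness_after_add(x, e_new):
    return pow(x, e_new, N)


def root(z, e):
    """Issuer only: z^(1/e) mod n, using 1/e mod phi(n)."""
    return pow(z, pow(e, -1, PHI), N)


def add_member_with_trapdoor(z, e_new):
    """Improved join: z is unchanged, the newcomer gets x = z^(1/e_new); nobody else updates."""
    return root(z, e_new)


def revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n."""
    return root(z, e_rev)


def egcd(a, b):
    """Extended Euclid: (g, u, w) with u*a + w*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, w = egcd(b, a % b)
    return g, w, u - (a // b) * w


def update_witness_after_revoke(x, e_own, z_new, e_rev):
    """Remaining user, without the trapdoor: a*e_own + b*e_rev = 1 (distinct primes), x' = x^b * z'^a.
    Then x'^e_own = (x^e_own)^b * z'^(a*e_own) = z^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1
    return pow(x, b, N) * pow(z_new, a, N) % N   # one exponent is negative; Python >= 3.8 inverts


def demo():
    """Four credentials, a fifth joins, one is revoked; returns the four checks a verifier makes."""
    rng = random.Random(2002)
    v = pow(rng.randrange(2, N - 1), 2, N)            # seed v in QR_n
    es = [10007, 10009, 10037, 10039]                    # primes bound to credentials 1..4
    z = accumulate(v, es)
    xs = {e: witness(v, es, e) for e in es}
    ok_initial = all(verify(z, xs[e], e) for e in es)
    e5 = 10061                                           # credential 5 joins (trapdoor variant)
    xs[e5] = add_member_with_trapdoor(z, e5)
    es.append(e5)
    ok_after_join = all(verify(z, xs[e], e) for e in es)
    e_rev = 10009                                        # credential 2 is revoked
    z_new = revoke(z, e_rev)
    es.remove(e_rev)
    revoked_rejected = not verify(z_new, xs[e_rev], e_rev)
    for e in es:
        xs[e] = update_witness_after_revoke(xs[e], e, z_new, e_rev)
    ok_after_revoke = all(verify(z_new, xs[e], e) for e in es)
    return ok_initial, ok_after_join, revoked_rejected, ok_after_revoke
```

`demo()` returns four booleans: all initial witnesses verify, the trapdoor join needs no witness updates, the revoked credential's old witness fails against the new accumulator, and the remaining users' updated witnesses verify again. The verifier never needs $\varphi(n)$; only `root` uses it.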
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– no additional effort for the verifier
– if the credential is valid (its validity time has not passed), there is no need to check revocation updates from the issuer
Re-issue certificates (off-line, as interaction might be too expensive). Recall issuing for Identity Mixer:
– the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– the issuer chooses $e$, $s''$ and computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$, returning $(c, e, s'')$
Idea: just repeat the last step for each new validity period $time_i$:
– the issuer re-uses the $U$ from the original issuance, chooses $e_i$, $s_i''$ and computes $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
– the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means, no interaction needed
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy-protecting authentication with IBM Identity Mixer
Alice to the Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service: "You need a subscription and to be older than 12."
Like PKI, but Alice does not send her credentials; she discloses only the minimum: a proof, checkable with the public verification key of the issuer, that she holds a valid subscription and an eID with age ≥ 12.
Movie Streaming Service: "Aha, you are older than 12 and have a subscription."
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
• If the car is damaged, the ID needs to be retrievable by the insurance or the government: the user verifiably encrypts it under the key of a trusted third party (TTP), the inspector.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line & can be distributed to lessen trust.
Concept – Revocation
• If Alice was speeding, her license needs to be revoked.
• There are many different use cases and many solutions:
  • variants of CRLs work (using crypto to maintain anonymity)
  • accumulators
  • signing entries & proof
  • limited validity – certs need to be updated
• For proving age, a revoked driver's license still works.
• The revocation authority publishes its parameters (public key) and the revocation info that user and verifier consult.
Concept – Usage Limitation
• The degree of anonymity can be limited.
• If Alice and Eve (using the same credential) are on-line at the same time, they are caught.
• Use limitation – anonymous until Alice used her certs > 100 times in total, or > 10,000 times with Bob.
• Alice's cert can be bound to a hardware token (e.g. a TPM).
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.
Healthcare
– Anonymous access to patients' records (e.g. accessing medical test results)
– Anonymous consultations with specialists (online chat with a psychologist, online consultation with IBM Watson)
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants (location, citizenship)
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
Both the user side (the wallet) and the verifier side are split into three layers:
– application layer: the user's resource request; on the verifier side the access control (AC) & application logic
– policy layer: the verifier sends a presentation policy; the user's policy/credential matcher, credential manager, store and evidence generation orchestration produce a presentation token; the verifier's policy/token matcher, token manager, store and evidence verification orchestration check it
– crypto layer: signatures, encryption, commitments and zero-knowledge proofs (Sig, Enc, Com, ZKP) on both sides
Privacy-protecting authentication with Privacy-ABCs
The issuer publishes issuer parameters and a credential specification and issues the credential (here certifying 12 < age); the user holds the credential and a pseudonym; the verifier publishes verifier parameters and a presentation policy and receives a presentation token from the user.
The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
The policy asks for a voucher credential of the named specification from the named issuer whose Expires attribute is at or after 2014-06-17T14:06:00Z; nothing else about the voucher is revealed.
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge, in three moves: commitment, challenge, response.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ of order $q$ and an element $y \in \langle g \rangle$. The prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
– Prover: choose random $r$, compute $t = g^r$, send $t$
– Verifier: choose random $c$, send $c$
– Prover: compute $s = r - cx \bmod q$, send $s$
– Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Security
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface alone.
Rewind the prover after it sent $t$ and answer with two different challenges $c \neq c'$, obtaining responses $s$ and $s'$:
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees" without knowing $x$:
– choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$; send $t$
– receive the verifier's challenge $c$; if $c = c'$ send $s = s'$, otherwise restart
Problem: if the domain of $c$ is too large, the success probability of guessing $c' = c$ becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge first.
– Verifier: choose random $c$, $v$, compute $h = H(c, v)$, send $h$
– Prover: choose random $r$, compute $t = g^r$, send $t$
– Verifier: reveal $c$, $v$
– Prover: check $h = H(c, v)$, compute $s = r - cx \bmod q$, send $s$
– Verifier: check $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: Security
Simulation of the modified protocol:
– receive $h$; choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$, send $t$
– after having received $c$, $v$ (and thus learning $c$), "reboot" the verifier to the state right after it sent $h$
– choose random $s$ and compute $t = g^s y^c$ for the now known $c$; send $t$
– the verifier opens $h$ to the same $c$, $v$ (it is bound by $h$), and the simulator answers with $s$, which passes the check
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \tilde{g}^\alpha \wedge \alpha \in [0, \min\{ord(g), ord(\tilde{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Now what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3'} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
→ comparing with $C_3 = g^{\alpha_3} h^{\beta_3'}$ (where $\beta_3' = \beta_3 + \beta_2 \alpha_1$): $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2'} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Now what does $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2'} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and $g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2 / \alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2 / \alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2 / \alpha_1}$, and $C_2 = g^{\alpha_2} h^{\beta_2'}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy-ABCs
Alice's credentials are built from three ingredients: a signature scheme, a commitment scheme, and zero-knowledge proofs.
Signature Schemes
Signature Scheme Functionality
– Key generation: the signer generates a secret signing key and a public verification key.
– Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = sig((m_1, \ldots, m_k), sk)$.
– Verification: anyone holding the public key checks $ver(\sigma, (m_1, \ldots, m_k), pk) = true$.
Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary may ask the signer for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice, one after the other, and wins if it outputs $\sigma$ and $m \neq m_i$ for all $i$ s.t. $ver(\sigma, m, pk) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$? But this is not a valid proof expression :-( (the hash is not an algebraic relation between exponents, so no Σ-protocol of the above kind exists for it).
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$
– compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
– the signature is $(c, e, s)$
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some hidden $m_1$: provide $c'$ and prove
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \pmod n \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$, i.e. knowledge of a valid signature. Since $c'$ is re-randomized with a fresh $t$ for every showing, two showings of the same credential cannot be linked.
Commitment Schemes
Commitment Scheme Functionality
Alice puts a message $m$ (in the figure a date such as 2-3-6-17) into a sealed envelope, the commitment, and hands it to Bob; later she opens the envelope and Bob checks that it contains $m$.
Commitment Scheme Security
– Binding: Alice cannot open the same commitment to two different messages $m \neq m'$ (she cannot later claim the envelope contained 3-2-1-11 instead of 2-3-6-17).
– Hiding: for all messages $m$, $m'$, Bob cannot tell from the closed envelopes alone whether Alice committed to $m$ or to $m'$.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$ (with $\log_g h$ unknown to the committer).
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^x h^r = g^{x + ur}$, and for any $x'$ we can write $x + ur = x' + ur'$ with $r' = r + (x - x')/u \bmod q$, so $c = g^{x'} h^{r'}$. I.e. given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$: the commitment is consistent with every message.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ s.t. $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. a double opening reveals the discrete logarithm of $h$.
Commitment Scheme Extended Features
– Proof of knowledge of contents: Alice proves that she knows the $m$ inside a commitment without opening it.
– Proof of relations among contents: Alice proves a relation between committed values, e.g. $m' = 2 \cdot m$, without revealing either.
Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C = g^\beta h^\alpha\}$ proves knowledge of the content of $C$, and
$PK\{(\alpha, \beta, \gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$ proves $m' = 2m$.
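The discrete-log machinery of the preceding slides in one place: the three-move Schnorr protocol $PK\{(\alpha): y = g^\alpha\}$, the extractor that recovers $x$ from two transcripts with the same $t$, the Fiat-Shamir signature of knowledge $SPK\{\ldots\}(m)$, and the Pedersen relation proof $PK\{(\alpha,\beta,\gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$ just above. This is an added example, not code from the talk or from Identity Mixer. It assumes a freshly generated Schnorr group (prime $q$, prime $p = kq + 1$, generators $g, h$ of the order-$q$ subgroup with unknown $\log_g h$) in place of the slides' unspecified group $\langle g \rangle$, SHA-256 reduced mod $q$ as the challenge hash, and a seeded RNG with a 64-bit $q$ for reproducibility; none of these parameters are secure for real use.

```python
"""Schnorr proof of knowledge of a discrete log, its knowledge extractor, Fiat-Shamir
signatures of knowledge (SPK) over several equations, and a relation proof between
Pedersen commitments. Example code added to these notes, not from the talk or Identity Mixer."""
import hashlib
import random

rng = random.Random(20150811)  # fixed seed for reproducibility; use the secrets module in practice


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with `rounds` random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=64):
    """Order-q subgroup of Z_p^* with p = k*q + 1 and two generators g, h of unknown mutual log
    (an assumption of this example; the slides leave the group <g> unspecified)."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1

    def generator():
        while True:
            x = pow(rng.randrange(2, p - 1), k, p)   # x^k lies in the order-q subgroup
            if x != 1:
                return x
    return p, q, generator(), generator()


P, Q, G, H = make_group()


# Interactive PK{(alpha): y = g^alpha}: commit t = g^r, challenge c, response s = r - c*x.
def schnorr_commit():
    r = rng.randrange(1, Q)
    return r, pow(G, r, P)

def schnorr_respond(x, r, c):
    return (r - c * x) % Q

def schnorr_check(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P

def extract(c1, s1, c2, s2):
    """Extractor: two accepting transcripts with the same t and c1 != c2 give x = (s2-s1)/(c1-c2) mod q."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


# Non-interactive SPK{(x_0, ...): AND_j target_j = prod_i base^x_i}(msg) via Fiat-Shamir.
# A statement is (target, [(base, index_of_secret), ...]); one SHA-256 challenge covers all of them.
def _combine(terms, exps, start=1):
    t = start
    for base, i in terms:
        t = t * pow(base, exps[i], P) % P
    return t

def _challenge(stmts, ts, msg):
    h = hashlib.sha256(msg)
    for (target, terms), t in zip(stmts, ts):
        h.update(b"|%d|%d" % (target, t))
        for base, _ in terms:
            h.update(b"|%d" % base)
    return int.from_bytes(h.digest(), "big") % Q

def spk_prove(stmts, secrets, msg=b""):
    r = [rng.randrange(1, Q) for _ in secrets]
    ts = [_combine(terms, r) for _, terms in stmts]                 # t_j = prod base^r_i
    c = _challenge(stmts, ts, msg)
    return c, [(r[i] - c * x) % Q for i, x in enumerate(secrets)]

def spk_verify(stmts, proof, msg=b""):
    c, s = proof
    ts = [_combine(terms, s, pow(target, c, P)) for target, terms in stmts]  # target^c * prod base^s_i
    return c == _challenge(stmts, ts, msg)


def schnorr_sign(x, msg):
    """SPK{(alpha): y = g^alpha}(msg) is a Schnorr signature on msg; returns (y, (c, s))."""
    y = pow(G, x, P)
    return y, spk_prove([(y, [(G, 0)])], [x], msg)

def pedersen(m, r):
    return pow(G, m, P) * pow(H, r, P) % P

def prove_double(m, r1, r2):
    """PK{(a, b, c): C1 = g^a h^b AND C2 = (g^2)^a h^c}: shows C2 commits to 2m without opening."""
    C1, C2 = pedersen(m, r1), pedersen(2 * m, r2)
    stmts = [(C1, [(G, 0), (H, 1)]), (C2, [(pow(G, 2, P), 0), (H, 2)])]
    return stmts, spk_prove(stmts, [m, r1, r2])
```

The same secret index appearing under two bases in two statements is what ties the equations together: in `prove_double` the exponent of $g$ in $C_1$ and of $g^2$ in $C_2$ is the one secret `secrets[0]`, which is exactly the "same $\beta$ in both" of the slide's notation. Tampering with a base, the message or the statement changes the recomputed challenge and the verifier rejects.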
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$: choose random $r \in \mathbb{Z}_q$ and compute $Nym = g^{sk} h^r$, a Pedersen commitment to $sk$; different $r$ give unlinkable pseudonyms of the same key.
Issuing a credential: like PKI, but better
Concept – credentials: a credential certifies attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user commits to the hidden messages $m_1, \ldots, m_j$ and sends the commitment together with the clear messages $m_{j+1}, \ldots, m_k$; the signer outputs $\sigma = sig((\text{commitment}, m_{j+1}, \ldots, m_k), sk)$, which is a signature on all of $(m_1, \ldots, m_k)$.
Verification remains unchanged: $ver(\sigma, (m_1, \ldots, m_k), pk) = true$.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer's public key: $n, a_i, b, d$.
– User: compute $C = a_1^{sk} b^{s'}$ and send $C$ together with the clear attribute (name); prove $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
– Issuer: choose $e$, $s''$, compute $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and send $(c, e, s'')$
– User: the credential is $(c, e, s'' + s')$, since $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Want to sign w.r.t. a pseudonym $Nym = g^{sk} h^r$:
– User: compute $C = a_1^{sk} a_2^r b^{s'}$ and send $C$, $Nym$, name; prove $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^\rho b^{\sigma'}\}$, i.e. that the same $sk$ and $r$ sit in both
– Issuer: store $(Nym, name)$, choose $e$, $s''$, compute $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$ and send $(c, e, s'')$
– User: the credential satisfies $d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} \pmod n$
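The CL-signature slides and the issuance above, in code: signing, verification, the re-randomisation $(c\,b^t, e, s - et)$ used when showing a credential, and issuance on a committed secret key where the issuer never sees $sk$. This is an added example, not code from the talk or the Identity Mixer library. It assumes a toy modulus from the Mersenne primes $2^{61}-1$ and $2^{127}-1$ (a real issuer uses a random safe-prime modulus of 2048 bits or more), messages of $\ell = 12$ bits, and a fixed list of 14-bit primes $e$ in $(2^{\ell+1}, 2^{\ell+2})$ that are coprime to $\varphi(n)$ (a real issuer draws a fresh random prime per signature). The zero-knowledge proofs that accompany issuance and showing are left out; the previous example shows how such proofs are built.

```python
"""CL (Camenisch-Lysyanskaya) signatures over an RSA modulus: signing, verification,
re-randomisation for unlinkable showing, and issuance on a committed (hidden) secret key.
Example code added to these notes, not the Identity Mixer implementation.
Assumptions: toy modulus (2^61-1)*(2^127-1), l = 12 bit messages, and e drawn from a
fixed list of 14-bit primes coprime to phi(n); a real issuer uses a random >= 2048-bit
safe-prime modulus and a fresh random prime e per signature."""
import random

L = 12                                 # message length in bits
P_ISSUER = (1 << 61) - 1
Q_ISSUER = (1 << 127) - 1
N = P_ISSUER * Q_ISSUER
PHI = (P_ISSUER - 1) * (Q_ISSUER - 1)  # secret key: only the issuer knows it
E_CANDIDATES = [10007, 10009, 10037, 10039, 10061]   # 2^13 < e < 2^14, all prime


def keygen(k, rng):
    """Public key: k message bases a_i, plus b and d, all random quadratic residues mod n."""
    qr = lambda: pow(rng.randrange(2, N - 1), 2, N)
    return {"a": [qr() for _ in range(k)], "b": qr(), "d": qr()}


def _product(pk, msgs, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (a negative s is handled by Python >= 3.8)."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def cl_sign(pk, msgs, rng):
    """Signature (c, e, s) with c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n."""
    assert all(0 <= m < (1 << L) for m in msgs)
    e = rng.choice(E_CANDIDATES)
    s = rng.getrandbits(N.bit_length())
    inv = pow(_product(pk, msgs, s), -1, N)
    c = pow(pk["d"] * inv % N, pow(e, -1, PHI), N)    # e-th root needs the trapdoor phi(n)
    return c, e, s


def cl_verify(pk, sig, msgs):
    """Check m_i in {0,1}^l, 2^(l+1) < e < 2^(l+2), and d == c^e a_1^m_1 ... b^s mod n."""
    c, e, s = sig
    if not all(0 <= m < (1 << L) for m in msgs) or not (1 << (L + 1)) < e < (1 << (L + 2)):
        return False
    return pow(c, e, N) * _product(pk, msgs, s) % N == pk["d"]


def cl_randomize(pk, sig, rng):
    """(c b^t, e, s - e t) is another valid signature on the same messages; c' is fresh each time."""
    c, e, s = sig
    t = rng.getrandbits(N.bit_length() // 2)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def issue_on_commitment(pk, sk_user, clear_msgs, rng):
    """Issuance with the user's secret key hidden from the issuer.
    User:   C = a_1^sk b^s'   (in the protocol also PK{(mu, sigma): C = a_1^mu b^sigma}).
    Issuer: c = (d / (C a_2^m_2 ... b^s''))^(1/e), returns (c, e, s'').
    User:   credential (c, e, s'' + s') on (sk, m_2, ...)."""
    s_user = rng.getrandbits(N.bit_length())
    C = pow(pk["a"][0], sk_user, N) * pow(pk["b"], s_user, N) % N
    # issuer side: sees only C and the clear attributes
    e = rng.choice(E_CANDIDATES)
    s_issuer = rng.getrandbits(N.bit_length())
    rest = _product({"a": pk["a"][1:], "b": pk["b"]}, clear_msgs, s_issuer)
    c = pow(pk["d"] * pow(C * rest % N, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s_issuer + s_user


def demo():
    """Sign, show a re-randomised copy, issue on a hidden key, and try a forged message."""
    rng = random.Random(2002)
    pk = keygen(3, rng)
    sig = cl_sign(pk, [1, 2, 3], rng)
    shown = cl_randomize(pk, sig, rng)
    cred = issue_on_commitment(pk, 2014, [7, 9], rng)   # sk = 2014 never reaches the issuer
    return (cl_verify(pk, sig, [1, 2, 3]),
            cl_verify(pk, shown, [1, 2, 3]) and shown[0] != sig[0],
            cl_verify(pk, cred, [2014, 7, 9]),
            cl_verify(pk, sig, [1, 2, 4]))
```

`demo()` returns (True, True, True, False): the original and the re-randomised signature both verify while their $c$ values differ, the credential issued on the commitment verifies against the user's secret key that the issuer never saw, and changing one message breaks verification. The interval check on $e$ in `cl_verify` is part of the scheme, not decoration: dropping it is what lets the forgery proof fail under Strong RSA.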
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
– The user generates a pseudonym (the ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^r a_3^{attr} b^s \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
– The credential can contain attributes (e.g. the course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for the domain = pollID.
2. The user transforms the credential.
3. The user shows the transformed credential with a subset of the attributes:
– the user is anonymous and unlinkable
– multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$: $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, then sends $c'$, $P$ and
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts
Concept – Inspection
The inspector (a trusted third party, TTP) publishes its inspector parameters; the presentation policy states the inspection grounds under which the inspector may decrypt.
• If the car is damaged, the ID needs to be retrievable by the insurance or the government: the user verifiably encrypts it under the inspector's key.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line & can be distributed to lessen trust.
Public Key Encryption
– Key generation: the receiver generates a secret decryption key and a public encryption key.
– Encryption: anyone can encrypt a message under the public key.
– Decryption: only the holder of the decryption key recovers the message.
Security: like envelopes, a ciphertext reveals no information about the message, not even whether it contains $m$ or $m'$. This is called semantic security (secure if a key is used once only, or within a careful construction).
Verifiable Encryption with Label
The encryptor can prove in zero-knowledge that the ciphertext contains a certain value, e.g. an attribute of her credential. The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of the label yields a new ciphertext, so decryption under any other label fails.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^r m, g^r)$.
To decrypt a ciphertext $c = (c_1, c_2)$: we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$, thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$.
Realizing Inspection
The user holds the pseudonym $Nym = g^{sk} h^r$ and the credential $d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
The same $\mu_1, \mu_2$ appear in the credential and inside $e_1$, so the verifier is assured that the inspector, computing $e_1 e_2^{-x} = Nym$, recovers exactly the pseudonym the issuer registered.
Revocation of Credentials
The revocation authority publishes revocation info; the verifier looks it up when a credential is shown.
Alice should be able to convince the verifier that her credential is among the good ones.
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_i = h^{u_i} → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
– One way out: h = H(verifier, date), so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution
... better implementation of the proof
[Figure: revocation list {1, 4, 5}; the issuer signs the intervals Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N); Alice's credential contains 3 and she uses Sig(1, 4)]
– Issuer signs the intervals between revoked IDs → revocation list {1, 4, 5}
– Credential contains u_i; Alice proves that she has Sig(i, j) with i < u_i < j
– Verifier does not learn i, j
– Sig(i, j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: accumulator containing the serial numbers 1, 2, 3, 4, 5, 6; Alice's credential contains 2]
– Credentials contain a random serial number
– Issuer accumulates all good serial numbers
– Proof that the credential's serial number is included in the accumulator requires a witness
[Figure: after revoking 2, the accumulator contains 1, 3, 4, 5, 6]
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to come up with x and e s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets a witness x together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x:
  • choose random s and g, and
  • compute U_1 = x h^s, U_2 = g^s, and reveal U_1, U_2, g
– Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ μ
  b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 h^{-δ})^μ (mod n)
  c) d = c^ε a1^ρ a2^μ b^σ (mod n)
  i.e. U_1 h^{-δ} is a witness for the same μ = e that is signed in the certificate
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^{Π e_i} = z^{1/e_rev} mod n
– Witness:
  • Use Ext. Euclid to compute a and b s.t. a e_own + b e_rev = 1
  • Now x' = x^b z'^a mod n
  • Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
    = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
    = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
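As an added example (not from the slides or the Identity Mixer code), a toy RSA accumulator in Python that walks through the operations above: accumulate, witness, membership check, both ways of adding a member, revocation by the issuer and the extended-Euclid witness update by a holder. The modulus, seed and primes are constructed toy values.

```python
# Toy RSA accumulator (constructed parameters, far too small for real use).
# p and q are safe primes, so every odd prime e other than 509 and 641 is
# coprime to phi(n) and has a unique e-th root in QR_n.
P, Q = 1019, 1283
N = P * Q
PHI = (P - 1) * (Q - 1)
V = pow(2, 2, N)                 # seed v in QR_n

def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def accumulate(primes):
    """z = v^(prod e_i) mod n and witness x_j = v^(prod_{i != j} e_i) mod n."""
    prod = 1
    for e in primes:
        prod *= e
    z = pow(V, prod, N)
    return z, {e: pow(V, prod // e, N) for e in primes}

def verify_membership(z, e, x):
    """Verifier's check for the claimed value e and witness x: z == x^e mod n."""
    return pow(x, e, N) == z

def add_member(z, witnesses, e_new):
    """Join without the factorization: z' = z^e_new and every x' = x^e_new;
    the old z is the witness for e_new itself."""
    new = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    new[e_new] = z
    return pow(z, e_new, N), new

def add_member_issuer(z, witnesses, e_new):
    """Improved join (issuer knows phi(n)): z is unchanged, because v is
    silently replaced by v^(1/e_new); the new witness is x = z^(1/e_new)."""
    new = dict(witnesses)
    new[e_new] = pow(z, pow(e_new, -1, PHI), N)
    return z, new

def revoke_issuer(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n (needs phi(n))."""
    return pow(z, pow(e_rev, -1, PHI), N)

def update_witness(x, e_own, z_new, e_rev):
    """Holder of e_own refreshes her witness after e_rev was revoked, without
    the factorization: a*e_own + b*e_rev = 1 and x' = x^b * z'^a mod n."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1                                 # two distinct primes
    return pow(x, b, N) * pow(z_new, a, N) % N    # negative exponents need Python 3.8+
```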
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User → Issuer: U = a1^{m1} a2^{m2} b^s
– Issuer: choose e, s'' and compute c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n
– Issuer → User: (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
– Issuer: choose e_i, s_i'' and compute c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
– Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
– Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy-protecting authentication with IBM Identity Mixer
[Figure: Alice ↔ Movie Streaming Service; the service requires a valid subscription and an eID with age ≥ 12]
Like PKI, but does not send the credential, only minimal disclosure
Privacy-protecting authentication with IBM Identity Mixer
[Figure: Movie Streaming Service: "Aha, you are older than 12 and have a subscription"]
Like PKI, but does not send the credential, only minimal disclosure (verified with the public verification key of the issuer)
Advantages of Identity Mixer
For Users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For Service Providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts
Concept – Inspection
[Figure: TTP (inspector)]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Concept – Revocation
[Figure: revocation authority parameters (public key); revocation info]
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
  • Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
Degree of anonymity can be limited
– Use limitation – anonymous until
  – Alice used certs > 100 times in total
  – or > 10,000 times with Bob
– If Alice and Eve are on-line at the same time, they are caught
– Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
– Anonymous access to patients' records – accessing medical test results
– Anonymous consultations with specialists – online chat with a psychologist, online consultation with IBM Watson
– Eligibility for the premium health insurance – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants: location, citizenship
– Rating and feedback platforms – anonymous feedback for a course only from the students who attended it, wikis, recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: user side and verifier side, each with three layers:
  application layer – resource request; AC & app logic
  policy layer – Wallet (policy/credential matcher, credential manager, store, evidence generation orchestration) exchanges presentation policy and presentation token with the verifier's policy/token matcher, token manager, store and evidence verification orchestration
  crypto layer – Sig, Enc, Com, ZKP; store]
Privacy-protecting authentication with Privacy ABCs
[Figure: credential specification and issuer parameters → Credential (held by the user); verifier parameters → Presentation policy, e.g. 12 < age; the user answers with a Presentation token and a Pseudonym]
The Policy Layer – An Example Presentation Policy
[Figure: Verifier sends the presentation policy to the User, who answers with a presentation token]
  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge
Properties
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
[Figure: three moves – commitment, challenge, response]
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>
Prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g
[Figure: Prover (knows x) ↔ Verifier]
  Prover: random r, t = g^r          → t →
  Verifier: random c                 ← c ←
  Prover: s = r - c·x                → s →   Verifier checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
[Figure: run the prover twice from the same t with challenges c and c', obtaining responses s and s']
t = g^s y^c = g^{s'} y^{c'}  →  y^{c - c'} = g^{s' - s}
→ y = g^{(s' - s)/(c - c')}
→ x = (s' - s)/(c - c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
[Figure: simulator ↔ verifier exchanging t, c, s]
– Choose random c', s' and compute t = g^{s'} y^{c'}
– If c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
[Figure: Prover (knows x) ↔ Verifier]
  Verifier: random c, v; h = H(c, v)              ← h ←
  Prover: random r, t = g^r                       → t →
  Verifier reveals c, v                           ← c, v ←
  Prover checks h = H(c, v), then s = r - c·x     → s →   Verifier checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c – the simulation:
[Figure: simulator ↔ verifier exchanging h, t, (c, v), s]
– Receive h; choose random c', s' and compute t = g^{s'} y^{c'}; send t
– After having received (c, v), "reboot" the verifier (it sends the same h again)
– Choose random s' and compute t = g^{s'} y^c; send t, receive (c, v) again
– Send s = s'
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r - c·x (mod q)
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m)  ↔  t = g^s y^c
Security
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
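As an added example (not from the slides), the Schnorr protocol of the previous slides in Python: the interactive three-move proof, the knowledge extractor that rewinds the prover to the same t, the zero-knowledge simulator, and the Fiat-Shamir signature SPK{(α): y = g^α}(m). The group is a constructed toy group.

```python
import hashlib
import secrets

# Toy group (constructed): safe prime p = 2q + 1 and g = 4, a quadratic
# residue and hence a generator of the subgroup of prime order q.
# Far too small for real use; the protocol steps are the ones on the slides.
P, Q, G = 2039, 1019, 4

def commit():
    """Prover's first move: random r, t = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def respond(x, r, c):
    """Prover's third move: s = r - c*x mod q."""
    return (r - c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P

def run_interactive(x, y):
    """One honest run of PK{(alpha): y = g^alpha}."""
    r, t = commit()
    c = secrets.randbelow(Q)            # verifier's random challenge
    return verify(y, t, c, respond(x, r, c))

def extract(y, t, c1, s1, c2, s2):
    """Knowledge extractor: rewind the prover to the same t, obtain accepting
    answers for c1 != c2, and solve x = (s2 - s1)/(c1 - c2) mod q."""
    assert verify(y, t, c1, s1) and verify(y, t, c2, s2) and c1 != c2
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q

def simulate(y, c):
    """Zero-knowledge simulator: pick s first and set t = g^s * y^c; the
    transcript (t, c, s) is accepted although no x was used."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s

def fs_challenge(t, m):
    """c = H(t || m), kept as a full 256-bit integer (not reduced mod q)."""
    return int.from_bytes(hashlib.sha256(str(t).encode() + b"|" + m).digest(), "big")

def spk_sign(x, m):
    """Fiat-Shamir: SPK{(alpha): y = g^alpha}(m) = (c, s), s = r - c*x mod q."""
    r, t = commit()
    c = fs_challenge(t, m)
    return c, respond(x, r, c)

def spk_verify(y, m, sig):
    """Recompute t = g^s * y^c and check c = H(t || m)."""
    c, s = sig
    return c == fs_challenge(pow(G, s, P) * pow(y, c, P) % P, m)
```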
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = g^α1 g^α2 h^β3 = g^{α1 + α2} h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^{5α2} h^β3 = g^{α1 + 5α2} h^β3
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = C2^α1 h^β3 = (g^α2 h^β2)^α1 h^β3 = g^{α2·α1} h^{β3 + β2·α1}
  C3 = g^{α2·α1} h^{β3 + β2·α1} = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, α2, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2}?
→ α2 = α1² (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2} mean?
→ The prover knows values α1, β1, β2 such that
  C1 = g^α1 h^β1
  g = (C2/C1)^α1 h^β2 = (C2 g^{-α1} h^{-β1})^α1 h^β2
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β2/α1}
  C2 = g^α1 h^β1 h^{-β2/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β2/α1}
  C2 = g^α2 h^β2
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Signature Schemes
Signature Scheme Functionality
[Figure: key generation – the signer obtains a secret signing key and publishes the verification key]
Signing: σ = sig((m1, ..., mk), sk)
Verification: ver(σ, (m1, ..., mk), pk) = true
Signature Scheme Security
Unforgeability under adaptive chosen message attack
[Figure: the adversary adaptively asks the signer for signatures σ1, ..., σl on messages m1, ..., ml of its choice]
The adversary wins if it outputs σ and m ≠ m_i (for all i) s.t. ver(σ, m, pk) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1); s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
– choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute c:
  c = (d / (a1^m1 ··· ak^mk b^s))^{1/e} mod n
– the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
– d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe:
– Let c' = c b^t mod n with randomly chosen t
– Then d = c'^e a1^m1 a2^m2 b^{s - et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m1 and m2
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and
  PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ
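As an added example (not from the slides or the Identity Mixer code), a toy CL signature in Python: signing two messages as on the slide, verification, and the randomization c' = c b^t, s' = s - et that the prover applies before proving knowledge of the signature. Modulus, public key elements and ℓ are constructed toy values.

```python
import secrets

# Toy CL signature (constructed parameters, far too small for real use).
# p and q are safe primes, so a prime e with 2^(L+1) < e < 2^(L+2) is coprime
# to phi(n) unless e = 641; sign() skips that case.
P, Q = 1019, 1283
N = P * Q
PHI = (P - 1) * (Q - 1)
L = 8                                    # message length ell: m_i in {0,1}^8

# Public key: a_1, a_2, b, d in QR_n (constructed as squares); secret key: p, q
A = [pow(3, 2, N), pow(5, 2, N)]
B = pow(7, 2, N)
D = pow(11, 2, N)

def is_prime(x):
    return x > 1 and all(x % i for i in range(2, int(x ** 0.5) + 1))

def sign(msgs):
    """(c, e, s) with c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n, prime e > 2^(L+1)."""
    assert len(msgs) == len(A) and all(0 <= m < 2 ** L for m in msgs)
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)  # 2^(L+1) < e < 2^(L+2)
        if is_prime(e) and PHI % e:
            break
    s = secrets.randbelow(N)                                   # integer s of about n
    denom = pow(B, s, N)
    for a, m in zip(A, msgs):
        denom = denom * pow(a, m, N) % N
    base = D * pow(denom, -1, N) % N                           # d / (a1^m1 a2^m2 b^s)
    return pow(base, pow(e, -1, PHI), N), e, s                 # e-th root via 1/e mod phi(n)

def verify(msgs, sig):
    """Check m_i in {0,1}^L, e > 2^(L+1) and d == c^e a1^m1 a2^m2 b^s mod n."""
    c, e, s = sig
    if e <= 2 ** (L + 1) or not all(0 <= m < 2 ** L for m in msgs):
        return False
    lhs = pow(c, e, N) * pow(B, s, N) % N      # negative s (after randomize) needs Python 3.8+
    for a, m in zip(A, msgs):
        lhs = lhs * pow(a, m, N) % N
    return lhs == D

def randomize(sig):
    """c' = c b^t, s' = s - e t: a fresh-looking signature on the same messages,
    which is what the prover reveals before running PK{(eps, mu1, sigma): ...}."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t
```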
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]
Commitment Schemes
Commitment Scheme Functionality
[Figure: the committer seals a message m (e.g. 2-36-17) in a box and hands it over (commit); later she opens it and the receiver learns m (open)]
Commitment Scheme Security
– Binding: [Figure: a commitment to m = 2-36-17 cannot later be opened as m' = 3-21-11]
– Hiding: for all messages m, m' [Figure: before the opening, the receiver cannot tell a commitment to m from a commitment to m']
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
– Let c be a commitment and u = log_g h
– Thus c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'} for any r'
– I.e. given c and any x', there exists r'' such that c = g^{x'} h^{r''}
Computationally binding:
– Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
– Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q
Commitment Scheme: Extended Features
Proof of knowledge of contents: [Figure: the prover shows that she knows the m inside a commitment; the verifier outputs true]
Proof of relations among contents: [Figure: the prover shows m' = 2·m for the contents of two commitments; the verifier outputs true]
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}, then
  PK{(α, β): C1 = g^β h^α}
  PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
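As an added example (not from the slides), Pedersen's scheme in Python with the two security arguments of the previous slide made concrete: with the trapdoor u = log_g h one can open a commitment to any other value (so the commitment carries no information), and two different openings of one commitment yield that trapdoor (so binding rests on the discrete logarithm). The group and the trapdoor are constructed toy values.

```python
import secrets

# Toy group (constructed): safe prime p = 2q + 1, g = 4 of prime order q.
# The trapdoor u = log_g h is generated here only to demonstrate the hiding
# argument; in a real setup nobody may know it. Far too small for real use.
P, Q, G = 2039, 1019, 4
U = 777
H = pow(G, U, P)

def commit(x, r=None):
    """Pedersen: c = g^x h^r with random r in Z_q; returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r

def open_commitment(c, x, r):
    """Verifier's check: c == g^x h^r."""
    return c == pow(G, x, P) * pow(H, r, P) % P

def equivocate(x, r, x_new):
    """Perfect hiding (slide: c = g^(x+ur') h^(r-r') for any r'): whoever knows u
    can open a commitment to x as x_new with r_new = r + (x - x_new)/u mod q,
    so the commitment itself carries no information about x."""
    return (r + (x - x_new) * pow(U, -1, Q)) % Q

def extract_trapdoor(x1, r1, x2, r2):
    """Computational binding (slide): two openings (x1, r1) != (x2, r2) of the
    same c give u = log_g h = (x1 - x2)/(r2 - r1) mod q, i.e. a discrete log."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q
```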
Putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – issuing a credential
[Figure: the issuer issues a credential to Alice with Name = Alice Doe, Birth date = April 3, 1997]
Like PKI, but better
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
Signature Scheme: Signing Hidden Messages
[Figure: the signer receives commitments to m1, ..., mj and the clear messages (mj+1, ..., mk) and outputs σ = sig((commitments, mj+1, ..., mk), sk); still ver(σ, (m1, ..., mk), pk) = true]
Verification remains unchanged
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about m1, ..., mj
• forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
[Figure: User ↔ Issuer with public key (n, a_i, b, d)]
1. User computes C = a1^sk b^s and sends C and her name
2. User proves PK{(μ1, σ): C = a1^μ1 b^σ}
3. Issuer chooses e, s'', computes c = (d / (C a2^name b^{s''}))^{1/e} mod n and sends (c, e, s'')
4. The user's credential satisfies d = c^e a1^sk a2^name b^{s'' + s} (mod n)
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
[Figure: user ↔ registration authority with public key (n, a1, a2, b, d)]
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e a1^sk a2^r a3^attr b^s (mod n)
– The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym (domain = pollID)
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
   – P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
   – c' = c b^{s'} mod n with randomly chosen s'
   – SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts
Concept – Inspection
[Figure: TTP (inspector) with inspector parameters and inspection grounds]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption, decryption]
Security – like envelopes: no info about the message
[Figure: given the encryption of one of two messages, the adversary cannot tell which one]
This is called semantic security (secure if used once only or within a careful construction)
Verifiable Encryption with Label
– The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
– Security definition: a change of label is a new ciphertext
[Figure: verifiable encryption with label]
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c1 c2^{-x} = y^r m g^{-xr} = y^{r - r} m = m
Realizing Inspection
[Figure: the user holds Nym = g^sk h^r and a credential with d = c^e a1^sk a2^r a3^name b^{s'' + s} (mod n); the inspector's public key is y = g^x]
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
Revocable Credentials: Second Solution

Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_i = h^{u_i} → a single table lookup.
- BUT if the user comes again, the verifier can link the visits (the same h yields the same U = h^{u_i}).
- ALSO the verifier could not change h at all, or could use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check that h was formed correctly; the date could be the time up to the second, and the verifier could just store all the lists, i.e., pre-compute them.
Revocable Credentials: Second Solution ... better implementation of the proof

[Figure: revocation list {1, 4, 5} on a number line from 0 to N; the issuer publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); Alice's credential contains u = 3]

The issuer signs the intervals between consecutive revoked values → for the revocation list {1, 4, 5} it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N).
Alice proves that her credential contains u, that she knows a signature Sig(i, j), and that i < u < j.
The verifier does not learn i, j.
Sig(i, j) can be realised with the credential signature scheme itself, using a different public key.
Revocable Credentials: Third Solution

Using cryptographic accumulators

[Figure: accumulator containing the serial numbers 1, 2, 3, 4, 5, 6; Alice's credential contains the serial number 2 and she proves that 2 is included in the accumulator]

- Credentials contain a random serial number.
- The issuer accumulates all good serial numbers.
- The proof that a serial number is included requires a witness.
- To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
- values are primes e_i
- accumulator value z = v^{∏ e_i} mod n
- publish z and n
- witness value x for e_j s.t. z = x^{e_j} mod n, which can be computed as
  x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution

Security of the accumulator: it must be infeasible to show x, e with z = x^e mod n for an e that is not contained in the accumulator.
- For a fixed e: equivalent to the RSA assumption
- For any e (chosen by the adversary): equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets a witness x with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
- Commit to x:
  • choose random s and g
  • compute U_1 = x h^s, U_2 = g^s and reveal U_1, U_2, g
- Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ):
    d = c^ε a_1^ρ a_2^μ b^σ (mod n)
    ∧ z = U_1^μ (1/h)^ξ (mod n)
    ∧ 1 = U_2^μ (1/g)^ξ (mod n)
    ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution

Analysis
- No information about x and e is revealed:
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ μ
  b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 h^{-δ})^μ (mod n), i.e., z = x^μ for the committed x = U_1 h^{-δ}
  c) d = c^ε a_1^ρ a_2^μ b^σ (mod n), so the same μ is the e signed in the certificate
Revocation: Third Solution

Dynamic Accumulator
When a new user gets a certificate containing e_new:
- Recall z = v^{∏ e_i} mod n
- Thus z' = z^{e_new} mod n
- But then all witnesses are no longer valid, i.e., they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution

Dynamic Accumulator
When a certificate containing e_rev is revoked:
- Now z' = v^{∏_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- Witness update (the user holds x with x^{e_own} = z):
  • use the extended Euclidean algorithm to compute a and b s.t. a e_own + b e_rev = 1
  • now x' = x^b z'^a mod n
  • why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
       = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
       = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
       = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
       = z^{1/e_rev} mod n = z'  :-)
Revocation: Third Solution (improved)

Dynamic Accumulator in case the issuer knows the factorization of n.
When a new user gets a certificate containing e_new:
- Recall z = v^{∏ e_i} mod n
- Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and give the new user the witness x = z^{1/e_new} mod n
- Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
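The accumulator mechanics of the preceding slides (issue, revoke, witness update, check), as an added Python example that is not code from the talk or from Identity Mixer. It assumes a constructed toy modulus n = 1000003 · 1000033 and three constructed prime serial numbers; the zero-knowledge layer that hides e and x in the real protocol is left out, the verifier here just checks z = x^e mod n. Needs Python 3.8+ for pow(x, -1, n).

```python
"""RSA accumulator for credential revocation (toy parameters, added example)."""
from math import gcd

# Constructed toy modulus: two small primes (a real issuer uses ~2048-bit n).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)


def is_prime(k):
    """Trial division; fine for the small serial numbers used here."""
    if k < 2:
        return False
    i = 2
    while i * i <= k:
        if k % i == 0:
            return False
        i += 1
    return True


def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def mod_pow(base, exp, n):
    """Modular exponentiation that also accepts a negative exponent."""
    if exp < 0:
        base, exp = pow(base, -1, n), -exp
    return pow(base, exp, n)


class Issuer:
    """Knows phi(N), so it can take e-th roots mod N (the 'improved' variant)."""

    def __init__(self, seed):
        self.z = pow(seed, 2, N)      # accumulator value, starts at a QR_N seed
        self.witness = {}             # e -> witness handed out at issuance

    def issue(self, e):
        """Join without touching z: the new witness is simply z^(1/e) mod N."""
        assert is_prime(e) and gcd(e, PHI) == 1
        x = pow(self.z, pow(e, -1, PHI), N)
        self.witness[e] = x
        return x

    def revoke(self, e_rev):
        """Remove e_rev: z' = z^(1/e_rev). All other witnesses are now stale."""
        del self.witness[e_rev]
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def verify_membership(z, e, x):
    """What the verifier checks (inside a ZK proof in the real protocol)."""
    return pow(x, e, N) == z


def update_witness(x, e_own, e_rev, z_new):
    """User-side update after e_rev was revoked (no secret needed):
    with a*e_own + b*e_rev = 1, x' = x^b * z_new^a satisfies x'^e_own = z_new."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return mod_pow(x, b, N) * mod_pow(z_new, a, N) % N


def demo():
    """Issue three credentials, revoke one, update and re-check the others."""
    issuer = Issuer(seed=123456789)
    e_alice, e_bob, e_carol = 10007, 10009, 10037   # constructed prime serials
    x_alice = issuer.issue(e_alice)
    z0 = issuer.z
    x_bob = issuer.issue(e_bob)                     # z is unchanged by a join
    x_carol = issuer.issue(e_carol)
    assert issuer.z == z0

    z_new = issuer.revoke(e_bob)
    x_alice2 = update_witness(x_alice, e_alice, e_bob, z_new)
    x_carol2 = update_witness(x_carol, e_carol, e_bob, z_new)
    return {
        "alice_before": verify_membership(z0, e_alice, x_alice),
        "alice_stale": verify_membership(z_new, e_alice, x_alice),
        "alice_updated": verify_membership(z_new, e_alice, x_alice2),
        "carol_updated": verify_membership(z_new, e_carol, x_carol2),
        "bob_after_revocation": verify_membership(z_new, e_bob, x_bob),
    }


if __name__ == "__main__":
    print(demo())
```

Note that update_witness uses only public values (the old witness, the revoked serial and the new z), which is what lets every unrevoked user refresh locally while the issuer's secret stays with the issuer.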
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
[Figure: the issuer pushes updated credentials to the user; the verifier only checks the validity-time attribute]
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution

Re-issue certificates (off-line: interaction might be too expensive)
Recall issuing for Identity Mixer:
- the user sends U = a_1^{m_1} a_2^{m_2} b^{s'}
- the issuer chooses e, s''
- the issuer computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n
- the issuer returns (c, e, s'')
Revocation: Zeroth Solution

Re-issue certificates (off-line: interaction might be too expensive)
Idea: just repeat the last step for each new validity period time_i:
- choose e_i, s_i''
- c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means; no interaction is needed because the issuer already holds U.
Conclusions

Roadmap
- Explain the possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!

eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References

- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- Jan Camenisch, Natalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Privacy-protecting authentication with IBM Identity Mixer

[Figure: Alice presents a token to the Movie Streaming Service, which learns only "Aha, you are older than 12 and have a subscription"; the service holds the public verification key of the issuer]

Like PKI, but the user does not send the credential itself, only a minimal-disclosure proof (checked against the public verification key of the issuer).
Advantages of Identity Mixer

For users: privacy
- minimizing disclosure of personal data
- keeping their identities safe
- pseudonymous/anonymous access
For service providers: security, accountability and compliance
- avoiding the risk of losing personal data if it gets stolen
- compliance with legislation (access control rules, personal data protection)
- strong authentication (cryptographic proofs replace usernames/passwords)
- user identification if required (under certain circumstances)

Demo

Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts

Concept – Inspection
[Figure: Alice, a verifier and a trusted third party (TTP); Alice's token carries a verifiable encryption of an identifying attribute under the TTP's key]
• If the car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust

Concept – Revocation
[Figure: revocation authority parameters (public key); revocation info published to user and verifier]
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions:
  • variants of CRLs work (using crypto to maintain anonymity)
  • accumulators
  • signing entries & proof
  • limited validity: certs need to be updated
• For proving age, a revoked driver's license still works

Concept – Usage Limitation
• The degree of anonymity can be limited
• Use limitation: anonymous until
  – Alice used her certs > 100 times in total
  – or > 10,000 times with Bob
• If Alice and Eve are on-line at the same time (e.g., sharing one credential), they are caught
• Alice's cert can be bound to a hardware token (e.g., TPM)
A couple of use cases
copy 2014 IBM Corporation40
Age verification
Movie streaming services
Gaming industry
Online gambling platforms
Dating websites
Social benefits for youngold people
Proving 12+ 18+ 21+ without disclosing the exact date of birth ndash privacy and compliance with age-related legislation
copy 2014 IBM Corporation41
Healthcare
Anonymous access to patients recordsndash accessing medical test results
Anonymous consultations with specialistsndash online chat with a psychologist ndash online consultation with IBM Watson
Eligibility for the premium health insurancendash proving that the body mass index (BMI) is in the certain range without disclosing the
exact weight height or BMI
Anonymous treatment of patients (while enabling access control and payments)
copy 2014 IBM Corporation42
Subscriptions membership
Patent databases
DNA databases
NewsJournalsMagazines
Transportation tickets toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2014 IBM Corporation43
Polls recommendation platforms
Online polls ndash applying different restrictions on the poll participants location citizenship
Rating and feedback platformsndash anonymous feedback for a course only from the students who attended itndash wikisndash recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer

[Figure: three layers on both the user (Wallet) and the verifier side. Application layer: resource request, AC & app logic. Policy layer: the verifier sends a presentation policy, the user returns a presentation token; user side: policy/credential matcher, credential manager, store, evidence generation orchestration; verifier side: policy/token matcher, token manager, store, evidence verification orchestration. Crypto layer on both sides: Sig, Enc, Com, ZKP.]

Privacy-protecting authentication with Privacy ABCs

[Figure: issuer parameters and credential specification come from the issuer; the user holds a credential and a pseudonym; the verifier publishes a presentation policy (verifier parameter), e.g. "12 < age", and receives a presentation token]
The Policy Layer – An Example Presentation Policy

[Figure: the verifier sends the presentation policy to the user; the user answers with a presentation token]

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>

The policy asks for a voucher credential of the named specification and issuer whose Expires attribute is at or after 2014-06-17T14:06:00Z; the user proves this predicate without revealing the attribute value.
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

zero-knowledge proofs

Zero-Knowledge Proofs

An interactive proof between a prover and a verifier about the prover's knowledge.
[Figure: three moves, Commitment → Challenge → Response]
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group ⟨g⟩ of prime order q and an element y ∈ ⟨g⟩.
The prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.

  Prover (knows x)                        Verifier
  random r, t = g^r      -- t -->
                         <-- c --         random c
  s = r - c x            -- s -->         check t = g^s y^c

Notation: PK{(α): y = g^α}
Zero Knowledge Proofs

Proof of knowledge: if a prover can successfully convince a verifier, then the secret must be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.

[Figure: run the prover twice from the same commitment t with two different challenges, obtaining (t, c, s) and (t, c', s')]

  t = g^s y^c = g^{s'} y^{c'}  →  y^{c - c'} = g^{s' - s}
  →  y = g^{(s' - s)/(c - c')}
  →  x = (s' - s)/(c - c') mod q
Zero Knowledge Proofs: Security

Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees" without knowing x.

[Figure: the simulator sends t, receives c, sends s]

- Choose random c', s and compute t = g^s y^{c'}
- if c = c' send s, otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small (with a large challenge the three-move protocol is therefore only honest-verifier zero-knowledge).
Zero Knowledge Proofs of Knowledge of Discrete Logarithms

One way to modify the protocol to get a large domain for c (the verifier commits to its challenge first):

  Prover (knows x)                          Verifier
                          <-- h --          random c, v; h = H(c, v)
  random r, t = g^r       -- t -->
                          <-- c, v --
  check h = H(c, v),
  s = r - c x             -- s -->          check t = g^s y^c

Notation: PK{(α): y = g^α}

Zero Knowledge Proofs: Security

Simulation for the modified protocol:
- receive h
- choose random c', s and compute t = g^s y^{c'}; send t
- after having received c, v, "reboot" the verifier (it is committed to h = H(c, v), so it sends the same h and c again)
- choose random s' and compute t' = g^{s'} y^c; send t'
- receive c, v and send s'
From Protocols To Signatures

Signing a message m:
- choose random r ∈ Z_q and
- compute c = H(g^r || m) = H(t || m), s = r - c x mod q
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s y^c || m)  ↔  t = g^s y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
Zero Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = ĝ^α ∧ α ∈ [0, min{ord(g), ord(ĝ)}]}   (ĝ generates a group of a different order)
Some Example Proofs and Their Analysis

Let g, h, C_1, C_2, C_3 be group elements (of prime order q).
Now, what does
  PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} g^{α_2} h^{β_3}}
mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = g^{α_1} g^{α_2} h^{β_3} = g^{α_1 + α_2} h^{β_3} = g^{α_3} h^{β_3}
→ α_3 = α_1 + α_2 (mod q)
And what about
  PK{(α_1, ..., β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3}}?
→ C_3 = g^{α_1} g^{5 α_2} h^{β_3} = g^{α_1 + 5 α_2} h^{β_3}
→ α_3 = α_1 + 5 α_2 (mod q)
Some Example Proofs and Their Analysis

Let g, h, C_1, C_2, C_3 be group elements.
Now, what does
  PK{(α_1, ..., β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = C_2^{α_1} h^{β_3}}
mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = C_2^{α_1} h^{β_3} = (g^{α_2} h^{β_2})^{α_1} h^{β_3} = g^{α_2 · α_1} h^{β_3 + β_2 · α_1}
  C_3 = g^{α_2 · α_1} h^{β_3 + β_2 · α_1} = g^{α_3} h^{β_3'}   (with β_3' = β_3 + β_2 α_1)
→ α_3 = α_1 · α_2 (mod q)
And what about
  PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_2 = C_1^{α_1} h^{β_2}}?
→ α_2 = α_1^2 (mod q)
Some Example Proofs and Their Analysis

Let g, h, C_1, C_2 be group elements.
Now, what does
  PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ g = (C_2/C_1)^{α_1} h^{β_2}}
mean?
→ The prover knows values α_1, β_1, β_2 such that
  C_1 = g^{α_1} h^{β_1}
  g = (C_2/C_1)^{α_1} h^{β_2} = (C_2 g^{-α_1} h^{-β_1})^{α_1} h^{β_2}
→ g^{1/α_1} = C_2 g^{-α_1} h^{-β_1} h^{β_2/α_1}
→ C_2 = g^{α_1} h^{β_1} h^{-β_2/α_1} g^{1/α_1} = g^{α_1 + 1/α_1} h^{β_1 - β_2/α_1}
  C_2 = g^{α_2} h^{β_2'}
→ α_2 = α_1 + α_1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs

[Figure: Alice's presentation is built from three building blocks: signature scheme, commitment scheme, zero-knowledge proofs]

signature schemes

Signature Scheme Functionality
- Key generation: the signer generates a secret signing key sk and a public verification key pk
- Signing: on messages (m_1, ..., m_k), compute σ = sig((m_1, ..., m_k), sk)
- Verification: ver(σ, (m_1, ..., m_k), pk) = true

Signature Scheme Security

Unforgeability under Adaptive Chosen Message Attack:
[Figure: the adversary obtains signatures σ_1, ..., σ_l on messages m_1, ..., m_l of its choice from the signer, and must then output σ and m ≠ m_i s.t. ver(σ, m, pk) = true]
RSA Signature Scheme – for reference

Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*:
  d = 1/e mod (p-1)(q-1)
  s = H(m)^d mod n
Verification of a signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)

RSA Signature Scheme – for reference

Verification of a signature on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-( (H is not an algebraic relation, so m cannot stay hidden inside it)
CL-Signature Scheme

Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m_1, ..., m_k ∈ {0,1}^ℓ:
- choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute
  c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n
- the signature is (c, e, s)

CL-Signature Scheme

To verify a signature (c, e, s) on messages m_1, ..., m_k:
- m_1, ..., m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature

Recall d = c^e a_1^{m_1} a_2^{m_2} b^s mod n
Observe:
- Let c' = c b^t mod n with randomly chosen t.
- Then d = c'^e a_1^{m_1} a_2^{m_2} b^{s - e t} (mod n), i.e., (c', e, s' = s - e t) is also a signature on m_1 and m_2.
To prove knowledge of a signature (c', e, s') on m_2 and some hidden m_1, provide c' and run
  PK{(ε, μ_1, σ): d / a_2^{m_2} = c'^ε a_1^{μ_1} b^σ ∧ μ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a_1^{μ_1} a_2^{m_2} b^σ
Privacy-protecting authentication with Privacy ABCs

[Figure: Alice's presentation is built from signature scheme, commitment scheme, zero-knowledge proofs]

commitment scheme

Commitment Scheme Functionality
[Figure: committing to a message m is like sealing it in an envelope; later the committer can open the envelope to reveal m]

Commitment Scheme Security
- Binding: a commitment to m cannot later be opened to a different m' ≠ m
- Hiding: for all messages m, m', commitments to m and to m' are indistinguishable

Commitment Schemes

Group G = ⟨g⟩ = ⟨h⟩ of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r

Pedersen's Commitment Scheme

Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
- Let c be a commitment and u = log_g h.
- Then c = g^x h^r = g^{x + u r} = g^{(x + u r') + u (r - r')} = g^{x + u r'} h^{r - r'} for any r'.
- I.e., given c and any x', there exists an r'' such that c = g^{x'} h^{r''} (take r' with x' = x + u r' and r'' = r - r').
Computationally binding:
- Let c, (x, r) and (x', r') be s.t. c = g^x h^r = g^{x'} h^{r'}.
- Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q, i.e., two openings reveal the discrete logarithm of h.
Commitment Scheme Extended Features

- Proof of knowledge of contents: prove that one knows the m inside a commitment
- Proof of relations among contents: e.g., prove that the committed m' satisfies m' = 2 · m for the m in another commitment

Let C_1 = g^m h^r and C_2 = g^{m'} h^{r'}; then
  PK{(α, β): C_1 = g^β h^α}
  PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ}
putting things together

Realizing Pseudonyms and Key Binding

Let G = ⟨g⟩ = ⟨h⟩ of order q.
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} h^r (a Pedersen commitment to sk)

Privacy-protecting authentication with Privacy ABCs

Concept: credentials. Like PKI, but better.
[Figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997]

Realizing Issuance of Credential

Recall a signature (c, e, s) on messages m_1, ..., m_k:
- m_1, ..., m_k ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

[Figure: the user sends commitments to the hidden messages m_1, ..., m_j together with the clear messages m_{j+1}, ..., m_k; the signer returns σ = sig((commitments to m_1, ..., m_j, m_{j+1}, ..., m_k), sk); later ver(σ, (m_1, ..., m_k), pk) = true]
Verification remains unchanged.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about m_1, ..., m_j
• forgery is defined w.r.t. the message clear parts and the openings of the commitments

Realizing Issuance of Credential

[Protocol between the user (holding sk) and the issuer (public key n, a_i, b, d)]
1. User: compute C = a_1^{sk} b^{s'} mod n and send C together with the clear attribute name.
2. User: prove PK{(μ_1, σ): C = a_1^{μ_1} b^σ}.
3. Issuer: choose e, s'' and compute c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n; send (c, e, s'').
4. User: the credential is (c, e, s' + s'') with
   d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n)

Realizing Issuance of Credential

Want to sign w.r.t. the pseudonym Nym = g^{sk} h^r:
1. User: Nym = g^{sk} h^r, C = a_1^{sk} a_2^r b^{s'} mod n; send C, Nym, name.
2. User: prove PK{(μ_1, ρ, σ): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^σ}.
3. Issuer: choose e, s''; c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n; send (c, e, s''); store Nym, name.
4. Result: d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
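The CL-signature slides (signing, verification, randomisation for unlinkable showing) and the issuance slides just above (signing over a commitment to the hidden secret key), traced in one added Python example that is not the Identity Mixer code. It assumes a constructed 40-bit modulus n = 1000003 · 1000033, ℓ = 8-bit messages and therefore primes e in (2^9, 2^10); these sizes let you follow the algebra but carry no security. The zero-knowledge proofs the user runs alongside (knowledge of sk in C, knowledge of the signature at presentation) are omitted. Needs Python 3.8+ for pow(x, -1, n).

```python
"""Toy CL signature: sign, verify, randomise, and issue on a committed key."""
import secrets
from math import gcd

ELL = 8                                 # message length: m_i in {0,1}^ELL
P, Q = 1000003, 1000033                 # constructed toy primes (signer's secret)
N = P * Q
PHI = (P - 1) * (Q - 1)


def is_prime(k):
    if k < 2:
        return False
    i = 2
    while i * i <= k:
        if k % i == 0:
            return False
        i += 1
    return True


def random_qr():
    """Random quadratic residue mod N (public-key elements live in QR_N)."""
    return pow(secrets.randbelow(N - 2) + 2, 2, N)


def keygen(k):
    """Public key (n, a_1..a_k, b, d); the secret is the factorisation of N."""
    return {"n": N, "a": [random_qr() for _ in range(k)], "b": random_qr(), "d": random_qr()}


def _choose_e():
    """Random prime e with 2^(ELL+1) < e < 2^(ELL+2), coprime to phi(N)."""
    while True:
        e = secrets.randbelow(1 << (ELL + 1)) + (1 << (ELL + 1)) + 1
        if e < (1 << (ELL + 2)) and is_prime(e) and gcd(e, PHI) == 1:
            return e


def _root(value, e):
    """e-th root mod N, possible only with phi(N) (the signer's secret)."""
    return pow(value, pow(e, -1, PHI), N)


def _base(pk, msgs, s):
    """prod a_i^m_i * b^s mod n (s may be negative after randomisation)."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(pk, msgs):
    """c = (d / (prod a_i^m_i * b^s))^(1/e) mod n; signature (c, e, s)."""
    assert all(0 <= m < (1 << ELL) for m in msgs)
    e, s = _choose_e(), secrets.randbelow(N)
    c = _root(pk["d"] * pow(_base(pk, msgs, s), -1, N) % N, e)
    return c, e, s


def verify(pk, msgs, sig):
    """d == c^e * prod a_i^m_i * b^s mod n, messages short, e in range."""
    c, e, s = sig
    if not all(0 <= m < (1 << ELL) for m in msgs):
        return False
    if not (1 << (ELL + 1)) < e < (1 << (ELL + 2)):
        return False
    return pk["d"] == pow(c, e, N) * _base(pk, msgs, s) % N


def randomize(pk, sig):
    """c' = c b^t, s' = s - e t: a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


# --- issuance on a hidden secret key (user commits, issuer signs blindly) ----
def user_commit(pk, sk):
    """User: C = a_1^sk b^s' (the PK of sk and s' is omitted here)."""
    s1 = secrets.randbelow(N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issuer_sign_committed(pk, commitment, clear_msgs):
    """Issuer: c = (d / (C * prod_{i>=2} a_i^m_i * b^s''))^(1/e); returns (c, e, s'')."""
    e, s2 = _choose_e(), secrets.randbelow(N)
    rest = pow(pk["b"], s2, N)
    for a_i, m_i in zip(pk["a"][1:], clear_msgs):
        rest = rest * pow(a_i, m_i, N) % N
    c = _root(pk["d"] * pow(commitment * rest % N, -1, N) % N, e)
    return c, e, s2


def user_finish(partial_sig, s1):
    """User: the credential is (c, e, s' + s''), valid on (sk, clear messages)."""
    c, e, s2 = partial_sig
    return c, e, s1 + s2
```

The issuer never sees sk, yet the finished triple verifies against the full message vector with sk in the first slot; and because randomize() yields a different c each time while verify() still accepts, a verifier cannot link two showings by the c it sees.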
© 2013 IBM Corporation, October 28, 2014

An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.

Polling – Solution: Registration
- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with
  d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
- The credential can contain attributes (e.g., course ID) about her.
- Issuer public key: (n, a_1, a_2, a_3, b, d)

Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID.
2. The user transforms the credential.
3. The user presents the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.

Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
   - c' = c b^t mod n with randomly chosen t
   - SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts

Concept – Inspection
[Figure: user, verifier and a trusted third party (TTP); inspector parameters (public key) and inspection grounds are part of the presentation policy]
• If the car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust

Public Key Encryption
- Key generation, encryption, decryption
Security: like envelopes, a ciphertext reveals no information about the message.
[Figure: an adversary seeing an encryption of one of two messages cannot tell which one it is]
This is called semantic security (secure if a key is used once only, or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label yields a new ciphertext.
[Figure: the user proves in zero-knowledge that the ciphertext, under the inspector's public key and label, contains the certified attribute]

Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme

Group G = ⟨g⟩ of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ ⟨g⟩:
- choose random r ∈ {1, ..., q}
- compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c_1, c_2):
- we know c = (y^r m, g^r) = (g^{xr} m, g^r)
- thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = m

Realizing Inspection

The user holds Nym = g^{sk} h^r and a credential (c, e, s'' + s') with
  d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
Inspector public key: y = g^x
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e_1, e_2)
Compute the proof token (presentation token):
- compute c' = c b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, μ_1, μ_2, μ_3, σ, ρ):
    d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ
    ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ
    ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
The proof ties the encrypted pseudonym to the same sk and r as the credential, so the inspector can later decrypt enc and recover exactly the Nym the issuer stored.
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Second Solution
… better implementation of the proof
Issuer signs the intervals between revoked values, e.g. for revocation list $\{1, 4, 5\}$: $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
[Figure: the user's value (3 in the example) lies in the interval $(1, 4)$.]
Alice proves that her credential contains $u$ where $i < u < j$ and that she holds $Sig(i, j)$; the verifier does not learn $i$, $j$.
$Sig(i, j)$ can be realised with the credential signature scheme as well, using a different public key.
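The "second solution" check and the interval variant above, as an added example that is not part of the slides: the prover blinds her credential ID as $U = h^{u}$ with $h$ derived from the verifier identity and date (so she can recompute it), the verifier scans the revocation list, and the issuer-side helper builds the intervals between revoked values that would be signed as $Sig(i, j)$. The group parameters, verifier name, date and revocation list are constructed toy values; the zero-knowledge proof that $U$ matches the credential is not shown here.

```python
# Added example (not from the slides): the "second solution" revocation
# check and the interval-signing variant, with constructed toy parameters.
import hashlib

# Toy prime-order group: p = 2q + 1 with q prime; g = 2^2 generates the
# order-q subgroup. Far too small for real use, chosen so values are visible.
P, Q = 2039, 1019
G = 4

def verifier_base(verifier_id, date):
    """h = H(verifier, date) mapped into <g>; the user can recompute it and
    so check that the verifier did not reuse a fixed h to link her visits."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{verifier_id}|{date}|{ctr}".encode()).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h != 1:              # skip the identity, which would blind nothing
            return h
        ctr += 1

def blind_id(h, u):
    """Prover side: U = h^u for her credential ID u (the value she proves
    knowledge of in PK{(mu, ...): U = h^mu AND credential holds mu})."""
    return pow(h, u, P)

def is_revoked(h, U, revoked_ids):
    """Verifier side: linear scan, is U == h^{u_j} for some revoked u_j?"""
    return any(pow(h, uj, P) == U for uj in revoked_ids)

def revocation_intervals(revoked_ids, upper):
    """Issuer side: the intervals (i, j) between consecutive revoked values
    that the issuer would sign as Sig(i, j); 0 and `upper` bound the range."""
    pts = [0] + sorted(revoked_ids) + [upper]
    return list(zip(pts, pts[1:]))

def find_interval(intervals, u):
    """Interval (i, j) with i < u < j that the user presents; None if u is
    itself revoked (no open interval contains it)."""
    for i, j in intervals:
        if i < u < j:
            return (i, j)
    return None

if __name__ == "__main__":
    revoked = [1, 4, 5]                                   # constructed list
    h = verifier_base("cinema-A", "2015-08-11T10:00:00")
    print(is_revoked(h, blind_id(h, 3), revoked))         # False, 3 is valid
    print(is_revoked(h, blind_id(h, 4), revoked))         # True
    ivs = revocation_intervals(revoked, 100)
    print(ivs, find_interval(ivs, 3), find_interval(ivs, 4))
```

The linkability caveat from the slides is visible in `blind_id`: with the same $h$, two visits by the same user produce the same $U$, which is why $h$ is tied to a date that changes.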
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: an accumulator containing the serial numbers 1 to 6; the user proves that her serial number (2 in the example) is included in it.]
– Credentials contain a random serial number.
– Issuer accumulates all good serial numbers.
– Proof requires a witness.

Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the same accumulator after revocation of serial number 2.]
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find $x$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$ and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{e_i \neq e_{rev}} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a e_{own} + b e_{rev} = 1$
  • Now $x' = x^b z'^a \bmod n$
  • Why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} \bmod n = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of $n$.
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
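The accumulator slides above, carried through in code as an added example (not the slides' own code and not the Identity Mixer implementation): accumulation of prime serials, witness computation and verification, the trapdoor-free join that forces every witness to refresh, revocation with the extended-Euclid witness update, and the improved join where the issuer hands out $z^{1/e_{new}}$ and leaves $z$ untouched. The modulus factors, seed and serial numbers are constructed toy values.

```python
# Added example (not from the slides): an RSA accumulator with witness
# verification and the dynamic add/remove updates, over a toy modulus.

# Toy parameters: the issuer knows p, q. Real deployments use a 2048-bit+ n.
P_FACTOR, Q_FACTOR = 1019, 1031
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
V = 5                       # seed v; coprime to n, so all powers are invertible

def modpow(base, exp, n=N):
    """pow() that also accepts negative exponents (via the modular inverse)."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)

def accumulate(primes, v=V, n=N):
    """z = v^{prod e_i} mod n for the (prime) credential serials."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z

def witness(primes, e_j, v=V, n=N):
    """x = v^{prod_{i != j} e_i} mod n, so that z = x^{e_j} mod n."""
    return accumulate([e for e in primes if e != e_j], v, n)

def verify(z, x, e, n=N):
    """Verifier's check that e is in the accumulator: z == x^e mod n."""
    return pow(x, e, n) == z

def ext_euclid(a, b):
    """Return (s, t) with s*a + t*b = gcd(a, b); for coprime primes gcd = 1."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        qt = old_r // r
        old_r, r = r, old_r - qt * r
        old_s, s = s, old_s - qt * s
        old_t, t = t, old_t - qt * t
    assert old_r == 1
    return old_s, old_t

def add_member(z, witnesses, e_new, n=N):
    """Join without the trapdoor: z' = z^{e_new}, every x' = x^{e_new}."""
    return pow(z, e_new, n), {e: pow(x, e_new, n) for e, x in witnesses.items()}

def remove_member(z, witnesses, e_rev, phi=PHI, n=N):
    """Revoke e_rev. The issuer (who knows phi) publishes z' = z^{1/e_rev};
    each remaining member sets x' = x^b * z'^a with a*e_own + b*e_rev = 1
    (no trapdoor needed on the user side)."""
    z_new = pow(z, pow(e_rev, -1, phi), n)
    updated = {}
    for e_own, x in witnesses.items():
        if e_own == e_rev:
            continue
        a, b = ext_euclid(e_own, e_rev)
        updated[e_own] = modpow(x, b, n) * modpow(z_new, a, n) % n
    return z_new, updated

def issuer_witness_for_new(z, e_new, phi=PHI, n=N):
    """Improved join: the issuer keeps z and gives the newcomer x = z^{1/e_new},
    so the existing witnesses stay valid."""
    return pow(z, pow(e_new, -1, phi), n)

def demo():
    serials = [7, 11, 13, 17]                  # constructed prime serials
    z = accumulate(serials)
    wits = {e: witness(serials, e) for e in serials}
    assert all(verify(z, wits[e], e) for e in serials)
    assert not verify(z, wits[7], 19)          # 19 was never accumulated
    z2, wits2 = add_member(z, wits, 19)        # plain join: everyone refreshes
    wits2[19] = witness(serials + [19], 19)
    assert all(verify(z2, wits2[e], e) for e in serials + [19])
    z3, wits3 = remove_member(z2, wits2, 11)   # revoke 11
    assert 11 not in wits3 and all(verify(z3, x, e) for e, x in wits3.items())
    assert not verify(z3, wits2[11], 11)       # the revoked witness is dead
    x23 = issuer_witness_for_new(z3, 23)       # trapdoor join, z3 unchanged
    assert verify(z3, x23, 23) and all(verify(z3, x, e) for e, x in wits3.items())
    return z3, wits3, x23
```

`ext_euclid` returns the coefficients in the order of its arguments, so `ext_euclid(e_own, e_rev)` gives exactly the $a$, $b$ of the slide; negative coefficients are handled by `modpow` through the modular inverse, which exists because every value is coprime to $n$.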
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier.
– If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Recall issuing for Identity Mixer:
– The user computes $U = a_1^{m_1} a_2^{m_2} b^{s'}$ and sends $U$.
– The issuer chooses $e$, $s''$, computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Idea: just repeat the last step for each new time $time_i$:
– The issuer chooses $e_i$, $s_i''$ and computes $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$.
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society:
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch, Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
Camenisch, Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Advantages of Identity Mixer
For users: privacy
– minimizing disclosure of personal data
– keeping their identities safe
– pseudonymous/anonymous access
For service providers: security, accountability and compliance
– avoiding the risk of losing personal data if it gets stolen
– compliance with legislation (access control rules, personal data protection)
– strong authentication (cryptographic proofs replace usernames/passwords)
– user identification if required (under certain circumstances)

Demo
Try yourself at www.ibm.biz/identitymixer on Privacy Day (January 28).
Further Concepts

Concept – Inspection
[Figure: Alice presents a token to the verifier; a TTP (inspector) can retrieve her identity.]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust

Concept – Revocation
[Figure: revocation authority parameters (public key) and revocation info are inputs to presentation and verification.]
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions:
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
  • Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works
Concept – Usage Limitation
The degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation – anonymous until:
  – Alice used her certs > 100 times in total
  – or > 10,000 times with Bob
Alice's cert can be bound to a hardware token (e.g. TPM)

A couple of use cases
Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation.

Healthcare
– Anonymous access to patients' records – accessing medical test results
– Anonymous consultations with specialists – online chat with a psychologist, online consultation with IBM Watson
– Eligibility for premium health insurance – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants: location, citizenship
– Rating and feedback platforms – anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
[Figure: three layers on both the user (Wallet) and verifier side. Application layer: resource request, presentation policy and presentation token exchanged between the Wallet and the AC & app logic. Policy layer, user side: policy/credential matcher, credential manager with store, evidence generation orchestration; verifier side: policy/token matcher, token manager with store, evidence verification orchestration. Crypto layer on both sides: Sig, Enc, Com, ZKP.]
Privacy-protecting authentication with Privacy ABCs
[Figure: User and Verifier. A credential specification and issuer parameters define the credential; the verifier sends a presentation policy (e.g. "12 < age"), the user answers with a presentation token, possibly under a pseudonym tied to a verifier parameter.]
The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs

Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
[Figure: three-move protocol: Commitment → Challenge → Response.]
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
– Prover: random $r$, $t = g^r$; sends $t$.
– Verifier: random $c$; sends $c$.
– Prover: $s = r - cx$; sends $s$.
– Verifier checks $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rewind the prover to obtain two transcripts $(t, c, s)$ and $(t, c', s')$ with the same $t$:
$t = g^s y^c = g^{s'} y^{c'} \Rightarrow y^{c - c'} = g^{s' - s}$
$\Rightarrow y = g^{(s' - s)/(c - c')}$
$\Rightarrow x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
– Choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$; send $t$.
– Receive $c$; if $c = c'$, send $s = s'$, otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
– Verifier: random $c$, $v$; $h = H(c, v)$; sends $h$.
– Prover: random $r$, $t = g^r$; sends $t$.
– Verifier: sends $c$, $v$.
– Prover: checks $h = H(c, v)$, computes $s = r - cx$; sends $s$.
– Verifier checks $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$; simulating what the verifier sees:
– Receive $h$; choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$; send $t$.
– Receive $c$, $v$; after having received $c$, "reboot" the verifier (it sends $h$ again).
– Choose random $s$, compute $t = g^s y^c$; send $t$; receive $c$, $v$ again; send $s$.
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \pmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
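The three slides above (the interactive $PK\{(\alpha): y = g^{\alpha}\}$, the rewinding extractor, and the Fiat-Shamir signature $SPK\{(\alpha): y = g^{\alpha}\}(m)$) as one added example, not code from the slides: the prover and verifier steps are separate functions so the rewinding can be shown by reusing one commitment $r$ with two challenges. The group, the hash-to-challenge encoding and the function names are constructed for the example; SHA-256 stands in for the random oracle $H$.

```python
# Added example (not from the slides): Schnorr proof of knowledge of a
# discrete logarithm, the knowledge extractor, and the Fiat-Shamir signature.
import hashlib
import secrets

# Toy group: p = 2q + 1, g of prime order q. Real use needs ~256-bit q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                 # secret x, public y = g^x

# --- interactive protocol -------------------------------------------------
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                 # keep r, send t = g^r

def prover_respond(x, r, c):
    return (r - c * x) % Q                 # s = r - c x mod q

def verifier_check(y, t, c, s):
    return pow(G, s, P) * pow(y, c, P) % P == t      # t == g^s y^c

# --- soundness: extractor fed two transcripts with the same t -------------
def extract(c1, s1, c2, s2):
    """g^s1 y^c1 = g^s2 y^c2  =>  y^(c1-c2) = g^(s2-s1)
    =>  x = (s2 - s1) / (c1 - c2) mod q."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q

# --- Fiat-Shamir: the challenge comes from a hash, yielding a signature ----
def hash_challenge(t, msg):
    h = hashlib.sha256(f"{t}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def sign(x, msg):
    r, t = prover_commit()
    c = hash_challenge(t, msg)             # c = H(t || m)
    return c, prover_respond(x, r, c)      # signature (c, s)

def verify_sig(y, msg, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P    # recompute t = g^s y^c
    return hash_challenge(t, msg) == c

def demo():
    x, y = keygen()
    r, t = prover_commit()                 # one honest interactive run
    c = secrets.randbelow(Q)
    ok = verifier_check(y, t, c, prover_respond(x, r, c))
    c1, c2 = 17, 42                        # rewinding: same r, two challenges
    x_ext = extract(c1, prover_respond(x, r, c1), c2, prover_respond(x, r, c2))
    msg = "I attended the course"          # constructed message
    sig = sign(x, msg)
    return ok, x_ext == x, verify_sig(y, msg, sig), verify_sig(y, "other", sig)
```

The extractor is exactly why a real prover must never answer two different challenges for the same $t$: leaking two responses hands over $x$, which is also the failure mode of a bad random $r$ in the signature variant.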
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^{\alpha} \wedge z = \mathbf{g}^{\alpha} \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$ (with $g$ and $\mathbf{g}$ in groups of different order)
Some Example Proofs and Their Analysis
Let $g$, $h$, $C_1$, $C_2$, $C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g$, $h$, $C_1$, $C_2$, $C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g$, $h$, $C_1$, $C_2$, $C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2 / \alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2 / \alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2 / \alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.]

Signature schemes
Signature Scheme: Functionality
– Key generation: the signer generates a signing key and a public verification key.
– Signing: on messages $(m_1, \ldots, m_k)$, compute $\sigma = sig((m_1, \ldots, m_k), \text{signing key})$.
– Verification: $ver(\sigma, (m_1, \ldots, m_k), \text{verification key}) = true$.
Signature Scheme: Security
Unforgeability under adaptive chosen-message attack:
[Figure: the adversary adaptively obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice; it wins if it outputs $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, \text{verification key}) = true$.]
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.

RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$.
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$,
– compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$;
the signature is $(c, e, s)$.

CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen-message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$.
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.]

Commitment scheme
Commitment Scheme: Functionality
[Figure: the committer seals a message $m$ (the date 2-36-17 in the example) into an envelope (the commitment) and later opens it; the verifier checks that the revealed $m$ is the committed one.]

Commitment Scheme: Security
– Binding: the committer cannot open the commitment to a different message $m' \neq m$ (3-21-11 instead of 2-36-17 in the example).
– Hiding: for all messages $m$, $m'$, the commitments are indistinguishable; the verifier learns nothing about the message before the opening.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^x h^r$

Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding:
– Let $c$ be a commitment and $u = \log_g h$.
– Thus $c = g^x h^r = g^{x + ur} = g^{x' + ur'} = g^{x'} h^{r'}$ for any $x'$, with $r' = r + (x - x') u^{-1} \bmod q$.
– I.e. given $c$ and any $x'$, there exists $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding:
– Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
– Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$.
Commitment Scheme: Extended Features
– Proof of knowledge of contents: the committer proves she knows the $m$ inside the commitment.
– Proof of relations among contents: e.g. prove $m' = 2 \cdot m$ for the contents of two commitments.
Let $C_1 = g^m h^r$ and $C_2 = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$
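The Pedersen commitment of the previous slides and the relation proof $PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$ above, as one added example that is not code from the slides. The proof routine is written for any conjunction of equations of the form "target $= \prod$ base$^{\text{variable}}$" with variables shared across equations (the "many exponents" and "logical AND" cases), made non-interactive with a hash challenge. Group parameters, the second generator and the committed values are constructed; the hash-to-challenge encoding is an assumption of this example.

```python
# Added example (not from the slides): Pedersen commitments and a
# Fiat-Shamir proof that C2 commits to twice the value committed in C1.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4
H = pow(7, 2, P)     # second generator; its log_g is never computed here

def commit(x, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, x, P) * pow(H, r, P) % P, r       # c = g^x h^r

def open_ok(c, x, r):
    return commit(x, r)[0] == c

def challenge(statement, ts, ctx):
    """c = H(statement, commitments, context), forced into [1, q-1]."""
    digest = hashlib.sha256(ctx + repr((statement, ts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

# A statement is a list of equations (target, [(base, variable_index), ...])
# meaning target = prod base^{secret[variable_index]}.
def prove(statement, secret_by_var, ctx=b""):
    rnd = [secrets.randbelow(Q) for _ in secret_by_var]
    ts = []
    for _target, terms in statement:        # t_i = prod base^{r_var}
        t = 1
        for base, var in terms:
            t = t * pow(base, rnd[var], P) % P
        ts.append(t)
    c = challenge(statement, ts, ctx)
    s = [(rnd[v] - c * x) % Q for v, x in enumerate(secret_by_var)]
    return c, s

def verify(statement, proof, ctx=b""):
    c, s = proof
    ts = []
    for target, terms in statement:         # t_i = target^c prod base^{s_var}
        t = pow(target, c, P)
        for base, var in terms:
            t = t * pow(base, s[var], P) % P
        ts.append(t)
    return challenge(statement, ts, ctx) == c

def double_statement(C1, C2):
    """Variables: 0 = alpha (r), 1 = beta (m), 2 = gamma (r')."""
    return [(C1, [(G, 1), (H, 0)]),
            (C2, [(pow(G, 2, P), 1), (H, 2)])]

def demo():
    m, r1, r2 = 123, 5, 9                    # constructed values
    C1, _ = commit(m, r1)
    C2, _ = commit(2 * m % Q, r2)
    good = verify(double_statement(C1, C2), prove(double_statement(C1, C2), [r1, m, r2]))
    # Cheating attempt: C3 holds 3m, so the claimed relation is false and the
    # prover's own secrets do not satisfy the second equation.
    C3, _ = commit(3 * m % Q, r2)
    bad = verify(double_statement(C1, C3), prove(double_statement(C1, C3), [r1, m, r2]))
    return good, bad
```

Because $\beta$ is the same variable in both equations, the verifier learns that the exponent of $g$ in $C_1$ equals the exponent of $g^2$ in $C_2$, i.e. $m' = 2m$, while $m$, $r$ and $r'$ stay hidden behind the random $r$-values.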
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
[Figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997.]
Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the signer receives commitments to $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and outputs $\sigma = sig((\text{com}(m_1), \ldots, \text{com}(m_j), m_{j+1}, \ldots, m_k), \text{signing key})$.]
Verification remains unchanged: $ver(\sigma, (m_1, \ldots, m_k), \text{verification key}) = true$.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer public key: $n$, $a_i$, $b$, $d$.
1. The user computes $C = a_1^{sk} b^{s'}$ and sends $C$ together with her name.
2. The user proves $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$.
3. The issuer chooses $e$, $s''$, computes $c = (d / (C a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The resulting credential satisfies $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Realizing Issuance of a Credential
Want to sign w.r.t. $Nym = g^{sk} h^r$:
1. The user computes $Nym = g^{sk} h^r$ and $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$ and her name.
2. The user proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
3. The issuer stores $Nym$ and the name, computes $c = (d / (C a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The resulting credential satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
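The CL-signature slides (signing, verification, the re-randomisation $c' = c b^t$, $s' = s - et$ used when presenting) and the issuance-on-a-commitment steps just above, as one added example that is not the slides' own code and not the Identity Mixer library: the issuer signs with the factorization of $n$, the user verifies without it, and the hidden-$sk$ issuance shows how $s = s' + s''$ combines the user's and the issuer's randomness. The modulus factors, the bases $a_i, b, d$, the bit length $\ell$ and all messages are constructed toy values; the proof $PK\{C = a_1^{\mu_1} b^{\sigma'}\}$ the user would send alongside $C$ is not implemented here.

```python
# Added example (not from the slides): CL signatures over a toy RSA modulus,
# re-randomisation of a signature, and issuance on a committed secret key.
import secrets

# Toy issuer key. Real parameters: ~2048-bit n, l ~ 256, e of l+2 bits.
P_FACTOR, Q_FACTOR = 1019, 1031
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
L = 8                                             # messages are l-bit values
A = [pow(11, 2, N), pow(13, 2, N), pow(17, 2, N)] # a_1, a_2, a_3 in QR_n
B, D = pow(19, 2, N), pow(23, 2, N)               # b, d in QR_n

def modpow(base, exp, n=N):
    return pow(pow(base, -1, n), -exp, n) if exp < 0 else pow(base, exp, n)

def is_prime(k):
    return k > 1 and all(k % d for d in range(2, int(k ** 0.5) + 1))

def random_prime_e():
    """Prime e with 2^(l+1) < e < 2^(l+2), coprime to phi(n)."""
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)
        if is_prime(e) and PHI % e:
            return e

def sign(msgs, s=None):
    """Issuer: c = (d / (prod a_i^{m_i} b^s))^{1/e} mod n; output (c, e, s)."""
    assert all(0 <= m < 2 ** L for m in msgs)
    e = random_prime_e()
    s = secrets.randbelow(N) if s is None else s
    acc = modpow(B, s)
    for a, m in zip(A, msgs):
        acc = acc * pow(a, m, N) % N
    c = pow(D * pow(acc, -1, N) % N, pow(e, -1, PHI), N)   # e-th root
    return c, e, s

def verify(msgs, sig):
    """Anyone: d == c^e prod a_i^{m_i} b^s mod n, with e in the right range."""
    c, e, s = sig
    if not (2 ** (L + 1) < e < 2 ** (L + 2)):
        return False
    acc = pow(c, e, N) * modpow(B, s) % N
    for a, m in zip(A, msgs):
        acc = acc * pow(a, m, N) % N
    return acc == D

def rerandomize(sig, t=None):
    """(c b^t, e, s - e t) is another signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(2 ** L) if t is None else t
    return c * pow(B, t, N) % N, e, s - e * t

def user_commit(sk):
    """User: C = a_1^sk b^{s'} hides sk from the issuer; returns (C, s')."""
    s1 = secrets.randbelow(N)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1

def issue_on_commitment(C, clear_msgs):
    """Issuer: c = (d / (C a_2^{m_2} ... b^{s''}))^{1/e}; returns (c, e, s'')."""
    e = random_prime_e()
    s2 = secrets.randbelow(N)
    acc = C * pow(B, s2, N) % N
    for a, m in zip(A[1:], clear_msgs):
        acc = acc * pow(a, m, N) % N
    return pow(D * pow(acc, -1, N) % N, pow(e, -1, PHI), N), e, s2

def demo():
    sig = sign([5, 200, 17])                         # constructed messages
    plain_ok = verify([5, 200, 17], sig)
    rerand_ok = verify([5, 200, 17], rerandomize(sig))
    tampered = not verify([6, 200, 17], sig)
    sk, name = 77, 42                                # constructed sk, attribute
    C, s1 = user_commit(sk)
    c, e, s2 = issue_on_commitment(C, [name])
    cred_ok = verify([sk, name], (c, e, s1 + s2))    # credential s = s' + s''
    return plain_ok, rerand_ok, tampered, cred_ok
```

Only `sign` and `issue_on_commitment` use `PHI`; everything the user or a verifier does works from the public $(n, a_i, b, d)$ alone, and `rerandomize` shows why the verifier never sees the same $c$ twice when the slides' presentation protocol is used.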
An Example Scenario

Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
– The user generates a pseudonym (ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer public key $(n, a_1, a_2, a_3, b, d)$.
– The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym (domain = pollID).
2. The user transforms the credential.
3. Transformed credential with a subset of the attributes:
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
– $c' = c b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
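The domain pseudonym $P = H(pollID)^{sk}$ and the duplicate detection it enables, as an added example that is not code from the slides: the pollster keeps one opinion per pseudonym, the same user produces the same $P$ within a poll and different values across polls, and the registration pseudonym $Nym = g^{sk} h^r$ changes with every fresh $r$. Group parameters, poll identifiers and secret keys are constructed; the credential proof $SPK\{\ldots\}(opinion)$ that would accompany each submission is only marked as a comment.

```python
# Added example (not from the slides): domain pseudonyms for one-opinion-per-
# poll detection, and registration pseudonyms that stay unlinkable.
import hashlib

P_MOD, Q, G = 2039, 1019, 4          # toy order-q group, as in the other examples
H2 = pow(7, 2, P_MOD)                # second generator for Nym = g^sk h^r

def hash_to_group(domain):
    """g_d = H(domain) mapped into the order-q subgroup (square it, skip 1)."""
    ctr = 0
    while True:
        d = hashlib.sha256(f"{domain}|{ctr}".encode()).digest()
        v = pow(int.from_bytes(d, "big") % P_MOD, 2, P_MOD)
        if v != 1:
            return v
        ctr += 1

def domain_pseudonym(sk, poll_id):
    return pow(hash_to_group(poll_id), sk, P_MOD)      # P = H(pollID)^sk

def registration_pseudonym(sk, r):
    return pow(G, sk, P_MOD) * pow(H2, r, P_MOD) % P_MOD   # Nym = g^sk h^r

class Poll:
    """Pollster side: accepts one opinion per domain pseudonym."""
    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = {}

    def submit(self, pseudonym, opinion):
        # Here the pollster would also verify SPK{...}(opinion), which binds
        # the pseudonym to a valid credential; only the duplicate check is shown.
        if pseudonym in self.seen:
            return False                  # subsequent attempts are dropped
        self.seen[pseudonym] = opinion
        return True

def demo():
    alice, bob = 321, 654                                 # constructed keys
    poll1, poll2 = Poll("course-eval-2015"), Poll("cafeteria-2015")
    first = poll1.submit(domain_pseudonym(alice, poll1.poll_id), "good")
    again = poll1.submit(domain_pseudonym(alice, poll1.poll_id), "bad")
    other = poll1.submit(domain_pseudonym(bob, poll1.poll_id), "ok")
    cross = domain_pseudonym(alice, poll1.poll_id) != domain_pseudonym(alice, poll2.poll_id)
    return first, again, other, cross
```

Determinism within a domain is the whole point: `domain_pseudonym` takes no randomness, so a second submission collides, while the registration pseudonym deliberately does take a fresh $r$.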
Further Concepts

Concept – Inspection
[Figure: TTP (inspector) with inspector parameters and inspection grounds; Alice's presentation token can be inspected by the TTP.]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption, decryption.]

Security
Like envelopes: no information about the message.
[Figure: given a ciphertext, the adversary cannot tell which of two messages was encrypted.]
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label yields a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– We know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– Thus set $m' = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c b^t \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
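The ElGamal scheme and its use for inspection, as an added example that is not code from the slides: the user encrypts her pseudonym $Nym = g^{sk} h^r$ under the inspector's key $y = g^x$ exactly as $(y^u Nym, g^u)$, and the off-line inspector decrypts with $c_1 c_2^{-x}$ and resolves $Nym$ through the registry the issuer filled at issuance. Group parameters, keys and the registry content are constructed; the proof that $e_1, e_2$ encrypt the same $sk$, $r$ as the credential is left to the $PK$ on the slide.

```python
# Added example (not from the slides): ElGamal in a prime-order group and its
# use for inspection of a pseudonym.
import secrets

P, Q, G = 2039, 1019, 4       # toy group; real use needs a ~256-bit q
H = pow(7, 2, P)              # second generator for Nym = g^sk h^r

def keygen():
    x = secrets.randbelow(Q - 1) + 1             # inspector's secret x
    return x, pow(G, x, P)                       # public key y = g^x

def encrypt(y, m, u=None):
    """m must lie in <g>; returns (y^u m, g^u)."""
    u = secrets.randbelow(Q - 1) + 1 if u is None else u
    return pow(y, u, P) * m % P, pow(G, u, P)

def decrypt(x, ct):
    c1, c2 = ct
    return c1 * pow(pow(c2, x, P), -1, P) % P    # m = c1 * c2^{-x}

def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P      # Nym = g^sk h^r, in <g>

def inspect(x, token_ct, registry):
    """Inspector: decrypt to Nym and resolve it via the issuer's registry
    (Nym -> name), which the issuer stored at issuance."""
    return registry.get(decrypt(x, token_ct))

def demo():
    x, y = keygen()
    nym = pseudonym(77, 13)                      # constructed sk, r
    registry = {nym: "Alice Doe"}                # constructed issuer registry
    e1e2 = encrypt(y, nym)                       # (e1, e2) inside the token
    hidden = e1e2[0] != nym                      # e1 alone does not show Nym
    return decrypt(x, e1e2) == nym, inspect(x, e1e2, registry), hidden
```

Without $x$ the pair $(e_1, e_2)$ reveals nothing about $Nym$ under DDH, which is why the inspector can stay off-line and can be split across several parties, as the "Concept – Inspection" slide notes.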
Revocation of credentials

Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up.]
Alice should be able to convince the verifier that her credential is among the good ones.
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution – Using cryptographic accumulators
(figure: an accumulator containing the serial numbers 1, 2, 3, 4, 5, 6)
– credentials contain a random serial number
– the issuer accumulates all good serial numbers
– proving that a credential's serial number is included in the accumulator requires a witness
– to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be hard to find $x$, $e$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x\, h^{s}$, $U_2 = g^{s}$ and reveal $U_1$, $U_2$, $g$
– Run the proof-protocol with the verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof-protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{e_i \neq e_{rev}} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  • Now $x' = x^{b} z'^{a} \bmod n$
  • Why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
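The accumulation, witness, join and revocation steps of the third solution, carried through as an added Python example (this is not the slides' or Identity Mixer's code). It assumes a constructed toy modulus built from two known primes and small prime serial numbers; the issuer-side $e$-th root uses the factorisation of $n$, as in the improved variant above.

```python
"""RSA accumulator for revocation, following the third solution on the slides.

Added worked example; not code from the slides or from Identity Mixer.
Assumptions (all constructed for the demo): a toy modulus n = p*q built from
two known primes, seed v = 4, and small odd primes as serial numbers e_i.
A real deployment uses a ~2048-bit n and large random primes e_i."""

P, Q = 1299709, 15485863          # the 100,000th and 1,000,000th primes
N = P * Q
PHI = (P - 1) * (Q - 1)           # known to the issuer only
V = 4                             # seed v, a quadratic residue coprime to n


def ext_euclid(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def accumulate(values, v=V, n=N):
    """z = v^(e_1 * ... * e_k) mod n for the accumulated primes e_i."""
    z = v
    for e in values:
        z = pow(z, e, n)
    return z


def witness(values, e_j, v=V, n=N):
    """x_j = v^(product of all e_i except e_j) mod n, so z = x_j^e_j mod n."""
    return accumulate([e for e in values if e != e_j], v, n)


def verify(z, e, x, n=N):
    """The verifier's check: z == x^e mod n."""
    return pow(x, e, n) == z


def issuer_root(z, e, phi=PHI, n=N):
    """Issuer only: the e-th root of z, computed with the factorisation of n."""
    root = pow(z, pow(e, -1, phi), n)    # needs gcd(e, phi(n)) == 1
    assert pow(root, e, n) == z
    return root


def add_member(z, x_own, e_new, n=N):
    """Join of e_new: issuer sets z' = z^e_new; every holder sets x' = x^e_new."""
    return pow(z, e_new, n), pow(x_own, e_new, n)


def revoke_member(z, e_rev, x_own, e_own, n=N):
    """Revocation of e_rev: the issuer publishes z' = z^(1/e_rev).
    A holder of e_own updates its witness with Ext. Euclid, needing no secret:
        a*e_own + b*e_rev = 1,   x' = x^b * z'^a (mod n)
    because x'^e_own = (x^e_own)^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'.
    """
    z_new = issuer_root(z, e_rev, n=n)
    g, a, b = ext_euclid(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    x_new = pow(x_own, b, n) * pow(z_new, a, n) % n   # negative b -> inverse
    return z_new, x_new


def demo():
    """Join, revoke and verify; returns the final accumulator value."""
    serials = [5, 11, 13, 17, 19]         # constructed credential serial numbers
    z = accumulate(serials)
    x13 = witness(serials, 13)
    assert verify(z, 13, x13)
    assert not verify(z, 23, x13)         # 23 was never accumulated
    z, x13 = add_member(z, x13, 23)       # new credential with e_new = 23 joins
    assert verify(z, 13, x13)
    z, x13 = revoke_member(z, 17, x13, 13)   # credential 17 is revoked
    assert verify(z, 13, x13)
    x17_old = witness(serials + [23], 17)
    assert not verify(z, 17, x17_old)     # the revoked holder cannot keep up
    return z
```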
Revocation: Zeroth Solution
Update of Credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
– User sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– Issuer chooses $e$, $s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
– Issuer returns $(c, e, s'')$

Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$:
– Issuer chooses $e_i$, $s_i''$ and computes $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Demo
Try it yourself at www.ibm.biz/identitymixer on Privacy Day (January 28)
Further Concepts

Concept – Inspection
(figure: a trusted third party (TTP) that can de-anonymize a transaction under stated conditions)
• If the car is damaged, the ID with insurance or gov't needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust

Concept – Revocation
(figure: revocation authority parameters (public key); revocation info)
• If Alice was speeding, her license needs to be revoked
• There are many different use cases and many solutions:
  • Variants of CRLs work (using crypto to maintain anonymity)
  • Accumulators
  • Signing entries & proof
  • Limited validity – certs need to be updated
• For proving age, a revoked driver's license still works

Concept – Usage Limitation
The degree of anonymity can be limited:
– If Alice and Eve are on-line at the same time, they are caught
– Use limitation – anonymous until:
  • Alice used certs > 100 times total
  • or > 10,000 times with Bob
Alice's cert can be bound to a hardware token (e.g., TPM)
A couple of use cases

Age verification
– Movie streaming services
– Gaming industry
– Online gambling platforms
– Dating websites
– Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation

Healthcare
– Anonymous access to patients' records: accessing medical test results
– Anonymous consultations with specialists: online chat with a psychologist; online consultation with IBM Watson
– Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
– Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
– Patent databases
– DNA databases
– News/Journals/Magazines
– Transportation tickets, toll roads
– Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
– Online polls – applying different restrictions on the poll participants: location, citizenship
– Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(figure: three layers on the user's and on the verifier's side, exchanging a resource request, a presentation policy and a presentation token)
– application layer: resource request; presentation policy / presentation token
– policy layer: on the user side a Wallet with policy/credential matcher, credential manager, store and evidence generation orchestration; on the verifier side a policy/token matcher, token manager, store and evidence verification orchestration, plus access control & application logic
– crypto layer: Sig, Enc, Com, ZKP (on both sides)
Privacy-protecting authentication with Privacy ABCs
(figure: the issuer publishes issuer parameters and a credential specification and issues a credential to the user; the verifier publishes verifier parameters and a presentation policy, e.g., "12 < age"; the user answers with a presentation token, possibly under a pseudonym)
The Policy Layer – An Example Presentation Policy
(figure: the verifier sends the presentation policy to the user, who answers with a presentation token)

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
– Encryption Schemes
– Signature Schemes
– Commitment Schemes
– Zero-Knowledge Proofs
The challenge is to do all this efficiently.
Zero-knowledge proofs

Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response)
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^{x}$, such that the verifier only learns $y$ and $g$.
Prover: random $r$, $t = g^{r}$ → sends $t$
Verifier: random $c$ → sends $c$
Prover: $s = r - cx$ → sends $s$
Verifier checks: $t = g^{s} y^{c}$
Notation: $PK\{(\alpha) : y = g^{\alpha}\}$
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same commitment $t$, with challenges $c$ and $c'$, obtaining responses $s$ and $s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees":
– Choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$; send $t$
– Receive $c$; if $c = c'$ send $s = s'$, otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
Verifier: random $c$, $v$; $h = H(c, v)$ → sends $h$
Prover: random $r$, $t = g^{r}$ → sends $t$
Verifier → sends $c$, $v$
Prover: checks $h = H(c, v)$; $s = r - cx$ → sends $s$
Verifier checks: $t = g^{s} y^{c}$
Notation: $PK\{(\alpha) : y = g^{\alpha}\}$
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$; the simulation now works as follows:
– Receive $h$
– Choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$; send $t$
– Receive $c$, $v$; after having received $c$, "reboot" the verifier to the point right after it sent $h$
– Choose random $s$, compute $t = g^{s} y^{c}$; send $t$
– Receive $c$, $v$ again (the verifier is committed to $c$ through $h$); send $s$
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha) : y = g^{\alpha}\}(m)$
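The three-move protocol, the two-transcript extractor and the Fiat-Shamir signature of the preceding slides, as an added Python example (this is not the slides' or Identity Mixer's code). It assumes a constructed 128-bit safe-prime group generated on the fly, SHA-256 as $H$, and a fixed-width byte encoding for $t \| m$.

```python
"""Schnorr proof of knowledge PK{(a): y = g^a}, the knowledge extractor from
two transcripts, and the Fiat-Shamir signature SPK{(a): y = g^a}(m).

Added worked example; not code from the slides or from Identity Mixer.
Assumptions (constructed): a toy 128-bit safe-prime group <g> of prime order
q generated below, SHA-256 as H, and t || m encoded as fixed-width bytes."""
import hashlib
import random

rng = random.Random(2015)      # seeded only to make the demo reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for generating a demo group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """p = 2q + 1 safe prime; g = a random square, hence of order q."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)


P, Q, G = make_group()


def prover_commit():
    """Move 1: pick r, send t = g^r."""
    r = rng.randrange(Q)
    return r, pow(G, r, P)

def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q

def verifier_check(y, t, c, s):
    """Accept iff t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P

def extract(c, s, c2, s2):
    """Two accepting transcripts with the same t and c != c2 give
    x = (s2 - s) / (c - c2) mod q, exactly as in the soundness argument."""
    return (s2 - s) * pow(c - c2, -1, Q) % Q

def challenge(t, m):
    """c = H(t || m) as an integer mod q."""
    data = t.to_bytes((P.bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def spk_sign(x, m):
    """SPK{(a): y = g^a}(m): c = H(g^r || m), s = r - c*x; output (c, s)."""
    r, t = prover_commit()
    c = challenge(t, m)
    return c, prover_respond(x, r, c)

def spk_verify(y, m, sig):
    """Recompute t = g^s * y^c and check c == H(t || m)."""
    c, s = sig
    return c == challenge(pow(G, s, P) * pow(y, c, P) % P, m)

def demo():
    """Returns (honest run accepted, extractor recovers x, SPK verifies,
    SPK verifies on a swapped message)."""
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    r, t = prover_commit()
    c = rng.randrange(Q)
    accepted = verifier_check(y, t, c, prover_respond(x, r, c))
    # Rewind the prover to the same t and give it a second challenge: the
    # secret falls out, which is why r must be fresh for every proof.
    c2 = (c + 1) % Q
    recovered = extract(c, prover_respond(x, r, c), c2, prover_respond(x, r, c2))
    sig = spk_sign(x, b"opinion: the course was great")
    return (accepted, recovered == x,
            spk_verify(y, b"opinion: the course was great", sig),
            spk_verify(y, b"opinion: the course was awful", sig))
```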
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta) : y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta) : y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha) : y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta) : y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha) : y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha) : y = g^{\alpha} \wedge z = \mathfrak{g}^{\alpha} \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathfrak{g}))]\}$
Some Example Proofs and Their Analysis
Let $g$, $h$, $C_1$, $C_2$, $C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g$, $h$, $C_1$, $C_2$, $C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3, \beta_3') : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3, \beta_3'$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3'} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3'} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2') : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2'}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g$, $h$, $C_1$, $C_2$, $C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2') : C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2'$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2'/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2'/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2'/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Signature schemes
Signature Scheme: Functionality
– Key Generation: the signer generates a secret signing key and a public verification key
– Signing: $\sigma = sig((m_1, \ldots, m_k), sk)$
– Verification: $ver(\sigma, (m_1, \ldots, m_k), pk) = \text{true}$

Signature Scheme: Security
Unforgeability under Adaptive Chosen Message Attack: the adversary obtains signatures $(m_1, \sigma_1), \ldots, (m_l, \sigma_l)$ on messages of its choice and must then output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, pk) = \text{true}$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H : \{0,1\}^{*} \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
Verification of a signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme – for reference
Verification of a signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g., $PK\{(m, s) : s^{e} = H(m) \pmod n\}$?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: the factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
– the signature is $(c, e, s)$

CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma) : d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
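CL signing, verification and the $c' = c\, b^{t}$ re-randomisation of the last three slides, as an added Python example (this is not the slides' or Identity Mixer's code). It assumes a constructed toy modulus from two known primes and 16-bit messages; the issuer computes the $e$-th root with the factorisation.

```python
"""CL signature on k messages, as on the slides: c = (d / (a_1^m_1 ... a_k^m_k
b^s))^(1/e) mod n, verified by d = c^e a_1^m_1 ... a_k^m_k b^s mod n, plus the
re-randomisation c' = c b^t, s' = s - e t used before proving knowledge of it.

Added worked example; not code from the slides or from Identity Mixer.
Assumptions (constructed, toy sizes): n from two known primes, l = 16-bit
messages, e a random prime with 2^(l+1) < e < 2^(l+2).  Real parameters use a
~2048-bit n and l of several hundred bits."""
import random

rng = random.Random(7)            # seeded only to make the demo reproducible
L = 16                            # message length l in bits
P, Q = 1299709, 15485863          # constructed toy RSA primes (issuer's secret)
N = P * Q
PHI = (P - 1) * (Q - 1)


def is_prime(n):
    """Trial division; fine for the 18-bit e used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def keygen(k):
    """Public key (n, a_1..a_k, b, d), all random quadratic residues mod n."""
    def qr():
        return pow(rng.randrange(2, N), 2, N)
    return {"n": N, "a": [qr() for _ in range(k)], "b": qr(), "d": qr()}


def _base(pk, msgs, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (a negative s uses b^-1)."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(pk, msgs):
    """Issuer: prime e in (2^(l+1), 2^(l+2)), s of about the size of n,
    c = (d / base)^(1/e); the e-th root needs the factorisation of n."""
    assert len(msgs) == len(pk["a"]) and all(0 <= m < 2 ** L for m in msgs)
    while True:
        e = rng.randrange(2 ** (L + 1) + 1, 2 ** (L + 2)) | 1
        if is_prime(e) and PHI % e:
            break
    s = rng.randrange(N // 2, N)
    target = pk["d"] * pow(_base(pk, msgs, s), -1, N) % N
    c = pow(target, pow(e, -1, PHI), N)
    return c, e, s


def verify(pk, msgs, sig):
    """d == c^e * a_1^m_1 ... a_k^m_k * b^s mod n, m_i in {0,1}^l, e > 2^(l+1)."""
    c, e, s = sig
    if not all(0 <= m < 2 ** L for m in msgs) or e <= 2 ** (L + 1):
        return False
    return pk["d"] == pow(c, e, N) * _base(pk, msgs, s) % N


def rerandomise(pk, sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages:
    showing c' instead of the issued c keeps the presentation unlinkable."""
    c, e, s = sig
    t = rng.randrange(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def demo():
    """Returns (issued sig verifies, re-randomised sig verifies,
    c' differs from c, sig verifies on a changed attribute)."""
    pk = keygen(3)
    msgs = [2015, 42, 7]                    # constructed attribute values
    sig = sign(pk, msgs)
    sig2 = rerandomise(pk, sig)
    return (verify(pk, msgs, sig), verify(pk, msgs, sig2),
            sig2[0] != sig[0], verify(pk, [2015, 43, 7], sig))
```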
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Commitment scheme
Commitment Scheme: Functionality
(figure: Alice commits to a message $m$, e.g., the combination 2-36-17, and hands over the sealed commitment; later she opens it and the recipient checks that it contains $m$)

Commitment Scheme: Security
(figure: Binding – having committed to $m$ = 2-36-17, Alice cannot open the commitment as $m'$ = 3-21-11)

Commitment Scheme: Security
(figure: Hiding – for all messages $m$, $m'$, the recipient cannot tell from the commitment alone whether it contains $m$ or $m'$)
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^{x} h^{r} = g^{x + ur} = g^{x' + ur'} = g^{x'} h^{r'}$ for any $x'$, with $r' = r + (x - x')/u$.
I.e., given $c$ and $x'$, there exists $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$.
Commitment Scheme: Extended Features
– Proof of knowledge of contents: prove knowledge of $m$ such that the commitment opens to $m$ (figure: "Proof $m$" → true)
– Proof of relations among contents: e.g., prove that two commitments contain $m_1$ and $m_2 = 2 \cdot m_1$ (figure: "Proof $m_2 = 2 \cdot m_1$" → true)
Let $C_1 = g^{m_1} h^{r_1}$ and $C_2 = g^{m_2} h^{r_2}$; then
$PK\{(\alpha, \beta) : C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma) : C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^{2})^{\beta} h^{\gamma}\}$
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better
(figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead → $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user commits to the hidden messages $m_1, \ldots, m_j$ and sends the commitment together with the clear messages $(m_{j+1}, \ldots, m_k)$; the signer returns $\sigma = sig((\mathrm{Commit}(m_1, \ldots, m_j), m_{j+1}, \ldots, m_k), sk)$
Verification remains unchanged: $ver(\sigma, (m_1, \ldots, m_k), pk) = \text{true}$
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$
– The user computes $C = a_1^{sk} b^{s'}$ and sends $C$, name
– The user proves $PK\{(\mu_1, \sigma) : C = a_1^{\mu_1} b^{\sigma}\}$
– The issuer chooses $e$, $s''$, computes $c = (d / (C a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
– Result: $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$. Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
– The user computes $Nym = g^{sk} h^{r}$ and $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$, name
– The user proves $PK\{(\mu_1, \rho, \sigma) : Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
– The issuer computes $c = (d / (C a_3^{name} b^{s''}))^{1/e} \bmod n$, returns $(c, e, s'')$ and stores $(Nym, name)$
– Result: $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
© 2013 IBM Corporation, October 28, 2014
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– The user generates a pseudonym (ID for registration)
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e., $(c, e, s)$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$
– The credential can contain attributes (e.g., course ID) about her
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for domain = pollID
2. The user transforms the credential
3. The user sends the transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
   – $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma) : P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts

Concept – Inspection
(figure: inspector parameters; inspection grounds; a TTP that can de-anonymize a transaction under the stated grounds)
• If the car is damaged, the ID with insurance or gov't needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
– Key Generation
– Encryption
– Decryption

Security: like envelopes – no information about the message
Given a ciphertext, one cannot tell which of two messages was encrypted. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption
Of attributes (discrete logarithms):
– Camenisch-Shoup (SRSA) – based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– We know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
– Thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^{r}$ and a credential with $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^{x}$
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho) : d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of credentials

Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential / secret key; misbehavior of the user
Alice should be able to convince the verifier that her credential is among the good ones
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to produce x and e with $z = x^{e} \bmod n$ for an e that is not contained in the accumulator
- For fixed e: equivalent to the RSA assumption
- Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets the witness x together with the certificate. But we still need:
- An efficient protocol to prove that a committed value is contained in the accumulator
- A dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to x:
  - choose random s and g, and
  - compute $U_1 = x h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
- Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n\ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n\ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n\ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
- No information about x and e is revealed:
  - $(U_1, U_2)$ is a secure commitment to x
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n\ \Rightarrow\ \xi = \delta\mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta\mu} = (U_1 h^{-\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
- Recall $z = v^{\prod e_i} \bmod n$
- Thus $z' = z^{e_{new}} \bmod n$
- But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
- Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
- Witness:
  - use the extended Euclidean algorithm to compute a and b s.t. $a\,e_{own} + b\,e_{rev} = 1$
  - now $x' = x^{b} z'^{a} \bmod n$
  - why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} = ((x^{e_{own}})^{b\,e_{rev}} (z'^{e_{rev}})^{a\,e_{own}})^{1/e_{rev}} = (z^{b\,e_{rev}} z^{a\,e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing $e_{new}$:
- Recall $z = v^{\prod e_i} \bmod n$
- Actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- Thus z need not be changed in case a new member joins
- Witnesses need to be recomputed upon revocation only
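The accumulator operations of the preceding slides (accumulate, witness, verify, the two kinds of join, revocation, and the extended-Euclid witness update), as an added worked example in Python; this is not code from the talk or from Identity Mixer. It assumes a toy RSA modulus built from two Mersenne primes and 20-bit serial-number primes, both constructed for the example. `add_public` is the basic join ($z' = z^{e_{new}}$, holders set $x' = x^{e_{new}}$), `add_with_trapdoor` the improved join in which only v changes, `revoke` takes the $e_{rev}$-th root with the trapdoor, and `update_witness` is the holder-side update $x' = x^{b} z'^{a}$ that needs no factorization.

```python
import math

# Constructed toy RSA modulus from two Mersenne primes: instant to compute with,
# far too small for real use.  phi(n) is the issuer's trapdoor for e-th roots.
P = (1 << 89) - 1
Q = (1 << 127) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def _is_prime(k):
    """Trial division; enough for the ~20-bit serial-number primes used here."""
    if k < 2 or k % 2 == 0:
        return k == 2
    return all(k % d for d in range(3, math.isqrt(k) + 1, 2))


def next_serial_prime(start):
    """Smallest prime >= start that is coprime to phi(n), so 1/e mod phi(n) exists."""
    k = start | 1
    while not (_is_prime(k) and math.gcd(k, PHI) == 1):
        k += 2
    return k


def egcd(u, w):
    """Extended Euclid: (g, a, b) with a*u + b*w = g = gcd(u, w)."""
    if w == 0:
        return u, 1, 0
    g, a, b = egcd(w, u % w)
    return g, b, a - (u // w) * b


class Accumulator:
    """Issuer side of the RSA accumulator z = v^(prod e_i) mod n."""

    def __init__(self, seed):
        self.v = pow(seed, 2, N)        # seed v in QR_n
        self.z = self.v                 # empty product: z = v
        self.members = []               # primes e_i currently accumulated

    def _root(self, base, e):
        return pow(base, pow(e, -1, PHI), N)   # e-th root via the trapdoor

    def add_public(self, e):
        """Basic join: z' = z^e; holders set x' = x^e; the newcomer's witness is the old z."""
        old_z, self.z = self.z, pow(self.z, e, N)
        self.members.append(e)
        return old_z

    def add_with_trapdoor(self, e):
        """Improved join: v becomes v^(1/e); z and old witnesses stay valid; newcomer gets z^(1/e)."""
        self.v = self._root(self.v, e)
        self.members.append(e)
        return self._root(self.z, e)

    def revoke(self, e_rev):
        """Revocation: z' = z^(1/e_rev); every remaining holder must update its witness."""
        self.members.remove(e_rev)
        self.z = self._root(self.z, e_rev)
        return self.z


def verify(z, x, e):
    """Verifier: x is a witness for e iff z == x^e mod n."""
    return pow(x, e, N) == z


def update_witness(x, e_own, z_new, e_rev):
    """Holder, no trapdoor: a*e_own + b*e_rev = 1, then x' = x^b * z_new^a mod n."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:                          # the revoked holder itself has no such a, b
        raise ValueError("e_own and e_rev are not coprime")
    return pow(x, b, N) * pow(z_new, a, N) % N   # a negative exponent means modular inverse


def demo():
    """Join three members with the trapdoor, one publicly, then revoke one and update."""
    acc = Accumulator(seed=20150811)                              # constructed seed
    e1 = next_serial_prime(1 << 20)
    e2 = next_serial_prime(e1 + 2)
    e3 = next_serial_prime(e2 + 2)
    e4 = next_serial_prime(e3 + 2)
    x1, x2, x3 = (acc.add_with_trapdoor(e) for e in (e1, e2, e3))
    ok_join = all(verify(acc.z, x, e) for x, e in ((x1, e1), (x2, e2), (x3, e3)))
    x4 = acc.add_public(e4)                                       # z changes here...
    x1, x2, x3 = (pow(x, e4, N) for x in (x1, x2, x3))            # ...so holders refresh
    ok_public = all(verify(acc.z, x, e) for x, e in ((x1, e1), (x2, e2), (x3, e3), (x4, e4)))
    z_new = acc.revoke(e2)
    x1, x4 = update_witness(x1, e1, z_new, e2), update_witness(x4, e4, z_new, e2)
    ok_revoke = verify(z_new, x1, e1) and verify(z_new, x4, e4)
    stale = verify(z_new, x2, e2)                                 # revoked holder's old witness
    invariant = pow(acc.v, math.prod(acc.members), N) == acc.z
    return ok_join, ok_public, ok_revoke, stale, invariant


if __name__ == "__main__":
    print(demo())   # (True, True, True, False, True)
```

`demo()` returns `(True, True, True, False, True)`: witnesses verify after both kinds of join, the updated witnesses verify against the new accumulator, the revoked holder's stale witness does not, and the invariant $z = v^{\prod e_i}$ holds throughout. The revoked holder cannot run `update_witness` for itself, since $\gcd(e_{rev}, e_{rev}) \neq 1$ and the function raises.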
Revocation: Zeroth Solution
Update of Credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$ to the issuer
- the issuer chooses e, s'' and computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
- the issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
- Idea: just repeat the last step for each new time period $time_i$:
  - choose $e_i, s_i''$
  - $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
- Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
- J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185-215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology, CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84-88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology, Proceedings of CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology, CRYPTO 2003, pp. 126-144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology, CRYPTO '84.
Further Concepts
Concept: Inspection
[Figure: a trusted third party (TTP) that can recover the user's identity from a presentation]
- If the car is damaged, the user's ID needs to be retrievable by the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust
Concept: Revocation
[Figure: revocation authority parameters (public key) and revocation info are distributed to user and verifier]
- If Alice was speeding, her license needs to be revoked
- There are many different use cases and many solutions:
  - variants of CRLs work (using crypto to maintain anonymity)
  - accumulators
  - signing entries & proof
  - limited validity: certs need to be updated
- For proving age, a revoked driver's license still works
Concept: Usage Limitation
- The degree of anonymity can be limited
- If Alice and Eve are on-line at the same time, they are caught
- Use limitation: anonymous until
  - Alice used her certs > 100 times in total
  - or > 10,000 times with Bob
- Alice's cert can be bound to a hardware token (e.g., TPM)
A couple of use cases
Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation
Healthcare
- Anonymous access to patients' records
  - accessing medical test results
- Anonymous consultations with specialists
  - online chat with a psychologist
  - online consultation with IBM Watson
- Eligibility for premium health insurance
  - proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height, or BMI
- Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
- Patent databases
- DNA databases
- News / journals / magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms
  - anonymous feedback for a course, only from the students who attended it
  - wikis
  - recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
[Figure: three layers on both the user (Wallet) and the verifier side.
Application layer: resource request; AC & app logic.
Policy layer: presentation policy / presentation token. User side: policy-credential matcher, credential manager, store, evidence generation orchestration. Verifier side: policy-token matcher, token manager, store, evidence verification orchestration.
Crypto layer: Sig, Enc, Com, ZKP (with a store).]
Privacy-protecting authentication with Privacy-ABCs
[Figure: User and Verifier. The user holds a credential (issued under issuer parameters and a credential specification) and a pseudonym; the verifier sends a presentation policy (e.g., "12 < age", with verifier parameters) and receives a presentation token.]
The Policy Layer: An Example Presentation Policy
[Figure: the verifier sends the presentation policy to the user, who answers with a presentation token]

<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently!
Zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
[Figure: three-move protocol: Commitment, Challenge, Response]
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩. The prover wants to convince the verifier that she knows x s.t. $y = g^{x}$, such that the verifier only learns y and g.
Prover (knows x):
- chooses random r, sends $t = g^{r}$
Verifier:
- sends a random challenge c
Prover:
- sends $s = r - cx$
Verifier:
- checks $t = g^{s} y^{c}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
[Figure: the prover is rewound to the same commitment t and answers the two challenges c and c' with s and s']
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
[Figure: the simulator produces transcripts (t, c, s) without knowing x]
- Choose random c', s', compute $t = g^{s'} y^{c'}$
- If c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier:
- chooses random c and v, sends $h = H(c, v)$
Prover (knows x):
- chooses random r, sends $t = g^{r}$
Verifier:
- sends c, v
Prover:
- checks $h = H(c, v)$, sends $s = r - cx$
Verifier:
- checks $t = g^{s} y^{c}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero Knowledge Proofs: Security
Simulating the modified protocol (large domain for c):
- The verifier sends $h = H(c, v)$; the simulator sends some t and receives c, v
- After having received c, "reboot" the verifier: it sends the same $h = H(c, v)$ again
- Now choose random s', compute $t = g^{s'} y^{c}$ and send it; the verifier opens c, v again
- Send s = s'
From Protocols To Signatures
Signing a message m:
- choose random $r \in Z_q$ and
- compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
- output (c, s)
Verifying a signature (c, s) on a message m:
- check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
- $PK\{(\alpha, \beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
- $PK\{(\alpha, \beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- $SPK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents:
- $PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
- $PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A, B]\}$
- $PK\{(\alpha): y = g^{\alpha} \wedge z = \tilde g^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\tilde g)\}]\}$
Some Example Proofs and Their Analysis
Let g, h, $C_1$, $C_2$, $C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let g, h, $C_1$, $C_2$, $C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$, and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let g, h, $C_1$, $C_2$, $C_3$ be group elements.
Now, what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2 / \alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2 / \alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2 / \alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy-ABCs
[Figure: the building blocks Alice uses: signature scheme, commitment scheme, zero-knowledge proofs]
Signature schemes
Signature Scheme: Functionality
- Key Generation: the signer generates a secret signing key and a public verification key
- Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = sig((m_1, \ldots, m_k), sk)$
- Verification: anyone holding the public key checks $ver(\sigma, (m_1, \ldots, m_k), pk) = true$
Signature Scheme: Security
Unforgeability under Adaptive Chosen Message Attack
[Figure: the adversary adaptively asks the signer for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice]
- The adversary wins if it outputs $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, pk) = true$
RSA Signature Scheme (for reference)
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and a collision-free hash function $H: \{0,1\}^{*} \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
Verification of signature s on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme (for reference)
Verification of signature s on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^{e} = H(m) \pmod n\}$
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus n and $a_i, b, d \in QR_n$
Secret key: factors of n
To sign k messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
- choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
- the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
- $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe:
- Let $c' = c\, b^{t} \bmod n$ with randomly chosen t
- Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of the signature (c', e, s') on $m_2$ and some $m_1$: provide c' and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
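The CL signing, verification and re-randomisation steps from the last three slides, as an added example in Python; this is not the talk's or Identity Mixer's code. It assumes a constructed toy modulus from two Mersenne primes, $\ell = 16$-bit messages, two message slots, and a public key $a_1, a_2, b, d \in QR_n$ generated at import time; the zero-knowledge proof over the re-randomised signature is not implemented, only the signature $(c', e, s')$ that it would be run on.

```python
import math
import secrets

# Constructed toy Strong-RSA setting: n from two Mersenne primes (far too small
# for real use).  The signer keeps phi(n) to take e-th roots.
P = (1 << 89) - 1
Q = (1 << 127) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
L = 16                       # messages are l-bit: 0 <= m_i < 2^l
K = 2                        # number of message slots (a_1, a_2)


def _is_small_prime(k):
    return k > 1 and all(k % d for d in range(2, math.isqrt(k) + 1))


def _random_qr():
    """Random element of QR_n: square a random unit mod n."""
    return pow(secrets.randbelow(N - 2) + 2, 2, N)


# Public key a_1..a_k, b, d in QR_n (constructed at import time).
A = [_random_qr() for _ in range(K)]
B = _random_qr()
D = _random_qr()


def _pick_e():
    """Random prime e with 2^(l+1) < e < 2^(l+2) that is coprime to phi(n)."""
    while True:
        e = (1 << (L + 1)) + 1 + 2 * secrets.randbelow(1 << L)
        if _is_small_prime(e) and math.gcd(e, PHI) == 1:
            return e


def _prod_messages(messages, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (a negative s uses b^-1)."""
    acc = pow(B, s, N)
    for a_i, m_i in zip(A, messages):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(messages):
    """Signer: c = (d / (prod a_i^m_i * b^s))^(1/e) mod n; output (c, e, s)."""
    assert len(messages) == K and all(0 <= m < (1 << L) for m in messages)
    e = _pick_e()
    s = secrets.randbits(N.bit_length() + L)                 # s roughly of the size of n
    base = D * pow(_prod_messages(messages, s), -1, N) % N
    c = pow(base, pow(e, -1, PHI), N)                         # e-th root via phi(n)
    return c, e, s


def verify(messages, sig):
    """Anyone: range checks plus d == c^e * prod a_i^m_i * b^s mod n."""
    c, e, s = sig
    if len(messages) != K or not all(0 <= m < (1 << L) for m in messages):
        return False
    if not (1 << (L + 1)) < e < (1 << (L + 2)):
        return False
    return pow(c, e, N) * _prod_messages(messages, s) % N == D


def rerandomize(sig, t=None):
    """Holder: c' = c * b^t, s' = s - e*t is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbits(N.bit_length()) if t is None else t
    return c * pow(B, t, N) % N, e, s - e * t


def demo():
    msgs = [1234, 42]                          # constructed attributes, e.g. (sk, age)
    sig = sign(msgs)
    sig2 = rerandomize(sig)
    return (verify(msgs, sig),                 # original verifies
            verify(msgs, sig2),                # re-randomised copy verifies too
            sig2[0] != sig[0],                 # but its c' is unrelated to c
            verify([1234, 43], sig))           # a changed attribute is rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

`demo()` returns `(True, True, True, False)`. The re-randomised signature is what the holder hands to a verifier on every presentation: a different $c'$ each time, while the $e$ and $s'$ stay hidden inside the zero-knowledge proof on the slide above.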
Commitment scheme
Commitment Scheme: Functionality
[Figure: Alice commits to a message m (the example shows "2-36-17") and later opens the commitment to reveal m]
Commitment Scheme: Security
- Binding: Alice cannot open the commitment to a different message m' (figure: "2-36-17" vs. "3-21-11")
- Hiding: for all messages m, m', the commitments are indistinguishable, i.e., Bob learns nothing about m before it is opened
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order q
To commit to an element $x \in Z_q$:
- Pedersen: perfectly hiding, computationally binding; choose $r \in Z_q$ and compute $c = g^{x} h^{r}$
- ElGamal: computationally hiding, perfectly binding; choose $r \in Z_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
- reveal x and r to the verifier
- the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in Z_q$ and compute $c = g^{x} h^{r}$
Perfectly hiding:
- Let c be a commitment and $u = \log_g h$
- Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur') + u(r - r')} = g^{x + ur'} h^{r - r'}$ for any r'
- I.e., given c and any x', there exists r' such that $c = g^{x'} h^{r'}$
Computationally binding:
- Let c, (x, r) and (x', r') s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$
- Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$
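The hiding and binding arguments of this slide, as an added Python example that is not from the talk. It assumes the constructed toy group $p = 1019$, $q = 509$, $g = 4$, $h = 9$, small enough that $u = \log_g h$ can be found by brute force; knowing u is exactly what lets the demo open one commitment to two different values (the hiding argument), and two such openings in turn leak u (the binding argument).

```python
import secrets

# Constructed toy parameters: p = 1019 is a safe prime, q = (p-1)/2 = 509 is
# prime, and g = 4, h = 9 are squares mod p, so both generate the order-q
# subgroup.  Real deployments use a ~256-bit q and an h with unknown log_g h.
P, Q = 1019, 509
G, H = 4, 9


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r mod p; returns (c, r) so the committer can open later."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(G, x % Q, P) * pow(H, r, P) % P, r


def open_commitment(c, x, r):
    """Verifier: accept the opening (x, r) iff c == g^x h^r mod p."""
    return c == pow(G, x % Q, P) * pow(H, r % Q, P) % P


def extract_dlog(x, r, x2, r2):
    """Binding: two openings (x, r) != (x2, r2) of one commitment give
    g^(x-x2) = h^(r2-r), hence u = log_g h = (x-x2)/(r2-r) mod q."""
    return (x - x2) * pow(r2 - r, -1, Q) % Q


def equivocate(x, r, x2, u):
    """Hiding: with the trapdoor u = log_g h, c = g^x h^r also opens to x2
    using r2 = r + (x - x2)/u mod q, so c reveals nothing about x."""
    return (r + (x - x2) * pow(u, -1, Q)) % Q


def trapdoor():
    """Brute-force log_g h in the toy group (infeasible at real sizes)."""
    return next(u for u in range(Q) if pow(G, u, P) == H)


def demo():
    c, r = commit(42, 7)
    u = trapdoor()
    r2 = equivocate(42, 7, 300, u)              # open the same c as 300 instead of 42
    return (open_commitment(c, 42, 7),          # honest opening accepted
            open_commitment(c, 43, 7),          # wrong value rejected
            open_commitment(c, 300, r2),        # equivocated opening also passes...
            extract_dlog(42, 7, 300, r2) == u)  # ...and the pair leaks log_g h


if __name__ == "__main__":
    print(demo())   # (True, False, True, True)
```

`demo()` returns `(True, False, True, True)`: the scheme is binding only because nobody knows u, which is why h must be generated so that $\log_g h$ is unknown to everyone, including the committer.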
Commitment Scheme: Extended Features
- Proof of knowledge of contents: Alice proves that she knows the m inside a commitment without opening it
- Proof of relations among contents: e.g., prove that $m' = 2 \cdot m$ for the contents of two commitments
Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$; then
- $PK\{(\alpha, \beta): C = g^{\beta} h^{\alpha}\}$
- $PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^{2})^{\beta} h^{\gamma}\}$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order q
User's secret key: random $sk \in Z_q$
To compute a pseudonym Nym:
- choose random $r \in Z_q$
- compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy-ABCs
Concept: credentials. Like PKI, but better!
[Figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
- $e > 2^{\ell+1}$
- $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the signer sees commitments to $m_1, \ldots, m_j$ and the clear messages $m_{j+1}, \ldots, m_k$, and outputs $\sigma = sig((C(m_1), \ldots, C(m_j), m_{j+1}, \ldots, m_k), sk)$; the recipient checks $ver(\sigma, (m_1, \ldots, m_k), pk) = true$]
- Verification remains unchanged
- Security requirements are basically the same as for signatures, but
  - the signer should not learn any information about $m_1, \ldots, m_j$
  - forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: $n, a_i, b, d$
1. The user sends $C = a_1^{sk} b^{s'}$ and her name, and proves $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
2. The issuer chooses e, s'', computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns (c, e, s'')
3. The user now holds the signature $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
1. The user sends $C = a_1^{sk} a_2^{r} b^{s'}$, Nym, and her name, and proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
2. The issuer computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$, returns (c, e, s''), and stores (Nym, name)
3. The user now holds $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
An Example Scenario
Polling: Scenario and Requirements
Scenario:
- Pollster(s) and a number of users
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling: Solution, Registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer key $(n, a_1, a_2, b, d)$
- The credential can contain attributes (e.g., course ID) about her
Polling: Solution, Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms the credential
3. Transformed credential with a subset of the attributes
- The user is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling: Solution, Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
   - $c' = c\, b^{s'} \bmod n$ with randomly chosen s'
   - $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
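The domain pseudonym of this slide together with the proof of knowledge of sk behind $P = g_d^{sk}$ (the earlier slides on $PK\{(\alpha): y = g^{\alpha}\}$, its knowledge extractor, and the $SPK$ signature) and the pollster's duplicate check, as one added Python example; it is not the talk's or Identity Mixer's code. It assumes a constructed 64-bit safe-prime group found deterministically at import time, that $H(pollID)$ is realised by hashing with SHA-256 and squaring into the order-q subgroup, and it omits the credential clause of the SPK (the $d = c'^{\varepsilon} \cdots$ part), signing the opinion only with the knowledge of sk.

```python
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n):
    """Deterministic Miller-Rabin with these bases (exact for n < 3.3e24)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(start):
    """First q >= start with p = 2q+1 prime; the squares mod p form a group of prime order q."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime_group(1 << 63)   # constructed 64-bit toy group (use ~2048-bit p in practice)


def hash_to_group(domain):
    """g_d = H(pollID): SHA-256 into Z_p, squared so that g_d lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % P
    return pow(h, 2, P)             # 0 or 1 only with probability about 2^-62


def domain_pseudonym(domain, sk):
    """P = g_d^sk: fixed for one user within a poll, unlinkable across polls under DDH."""
    return pow(hash_to_group(domain), sk, P)


def respond(sk, r, c):
    return (r - c * sk) % Q         # Schnorr response after t = g^r was sent and c received


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two responses to the same t give sk = (s2 - s1)/(c1 - c2) mod q."""
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


def _challenge(g, y, t, message):
    return int.from_bytes(hashlib.sha256(f"{g}|{y}|{t}|{message}".encode()).digest(), "big") % Q


def spk_sign(g, sk, message):
    """SPK{(alpha): y = g^alpha}(message): Schnorr with the challenge c = H(t || message)."""
    r = secrets.randbelow(Q)
    t = pow(g, r, P)
    c = _challenge(g, pow(g, sk, P), t, message)
    return c, respond(sk, r, c)


def spk_verify(g, y, message, sig):
    """Recompute t = g^s y^c and check that it hashes back to the claimed c."""
    c, s = sig
    return c == _challenge(g, y, pow(g, s, P) * pow(y, c, P) % P, message)


def cast(poll_id, sk, opinion):
    """User: derive the domain pseudonym and sign the opinion with the SPK of sk."""
    return domain_pseudonym(poll_id, sk), opinion, spk_sign(hash_to_group(poll_id), sk, opinion)


class Pollster:
    """One opinion per (poll, domain pseudonym); the credential part of the SPK is omitted."""

    def __init__(self):
        self.seen = set()

    def submit(self, poll_id, pseudonym, opinion, sig):
        if not spk_verify(hash_to_group(poll_id), pseudonym, opinion, sig):
            return False            # the signer does not know the sk behind this pseudonym
        if (poll_id, pseudonym) in self.seen:
            return False            # second opinion in the same poll: dropped
        self.seen.add((poll_id, pseudonym))
        return True


def demo():
    alice, eve = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    poll, other, third = "course-eval-2015", "campus-food-2015", "library-hours"   # constructed
    pollster = Pollster()
    first = pollster.submit(poll, *cast(poll, alice, "great course"))
    again = pollster.submit(poll, *cast(poll, alice, "still great"))             # duplicate
    elsewhere = pollster.submit(other, *cast(other, alice, "more salad"))
    forged = pollster.submit(third, domain_pseudonym(third, alice), "longer",
                             spk_sign(hash_to_group(third), eve, "longer"))        # Eve, Alice's P
    r = secrets.randbelow(Q)
    extracted = extract(5, respond(alice, r, 5), 11, respond(alice, r, 11)) == alice
    unlinkable = domain_pseudonym(poll, alice) != domain_pseudonym(other, alice)
    return first, again, elsewhere, forged, unlinkable, extracted
```

`demo()` returns `(True, False, True, False, True, True)`: the first opinion is accepted, the second one in the same poll is dropped because the domain pseudonym repeats, the opinion in another poll goes through under an unrelated pseudonym, Eve cannot sign under Alice's pseudonym, and a prover that answers two challenges for the same t gives away sk, which is the soundness argument of the proof-of-knowledge slide.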
Further Concepts
Concept: Inspection
[Figure: inspector parameters and inspection grounds are part of the presentation; a trusted third party (TTP) can recover the identity]
- If the car is damaged, the user's ID needs to be retrievable by the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
- Key Generation
- Encryption
- Decryption
Public Key Encryption: Security
Like envelopes: no information about the message leaks, and an adversary cannot tell which of two messages a ciphertext contains.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
- The label is important to bind context to an encryption
- E.g., it defines the decryption condition, binds the user to the car, etc.
- Security definition: a change of the label is a new ciphertext
Verifiable Encryption
- Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
- Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order q
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
- thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
User: pseudonym $Nym = g^{sk} h^{r}$ and credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; inspector public key $y = g^{x}$
- Encrypt Nym: random $u \in \{1, \ldots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$
- Compute the proof token (presentation token):
  - compute $c' = c\, b^{t} \bmod n$ with randomly chosen t
  - compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
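The ElGamal scheme of the previous slide applied to the pseudonym as on this slide, as an added Python example that is not from the talk or Identity Mixer. It assumes the constructed toy group $p = 1019$, $q = 509$, $g = 4$, $h = 9$ and an issuer registry that maps Nym to a name (what the issuer stored at issuance); the proof that the ciphertext really encrypts the pseudonym from the credential is not implemented.

```python
import secrets

# Constructed toy group: p = 1019 is a safe prime, q = 509, and g = 4, h = 9
# generate the order-q subgroup of squares.  Real parameters use a ~2048-bit p.
P, Q = 1019, 509
G, H = 4, 9


def keygen(x=None):
    """Inspector's ElGamal key: secret x in {1..q-1}, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Nym = g^sk h^r: a group element, hence a valid ElGamal message."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m, u=None):
    """enc = (y^u * m, g^u) = (e1, e2) with fresh u; m must lie in <g>."""
    u = secrets.randbelow(Q - 1) + 1 if u is None else u
    return pow(y, u, P) * m % P, pow(G, u, P)


def decrypt(x, enc):
    """m = e1 * e2^(-x): e2^x = g^(ux) = y^u cancels the mask."""
    e1, e2 = enc
    return e1 * pow(e2, -x, P) % P


def inspect_token(x, enc, registry):
    """Inspector: recover Nym from the token's ciphertext and look it up in the
    issuer's (Nym -> name) registry; None if it matches no registered pseudonym."""
    return registry.get(decrypt(x, enc))


def demo():
    x, y = keygen()
    nym = pseudonym(sk=77, r=123)                          # constructed user values
    registry = {nym: "Alice Doe"}                           # stored by the issuer at issuance
    enc1, enc2 = encrypt(y, nym, u=5), encrypt(y, nym, u=6)  # two presentations by Alice
    return (decrypt(x, enc1) == nym,                        # the inspector recovers Nym
            enc1 != enc2,                                   # the two tokens look unrelated
            inspect_token(x, enc1, registry))               # and Nym maps back to the identity


if __name__ == "__main__":
    print(demo())   # (True, True, 'Alice Doe')
```

`demo()` returns `(True, True, 'Alice Doe')`. The verifier only ever sees the ciphertext, so two presentations by the same user remain unlinkable to it; only the inspector, holding x, and only under the stated inspection grounds, can turn a token into a pseudonym and thus a name.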
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
- Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user
- Alice should be able to convince the verifier that her credential is among the good ones
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
- Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
- Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
- Alice proves that her $u_i$ is on the list:
  - choose random g
  - compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
- Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
- Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
- Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
- Alice proves that her $u_i$ is not on the list:
  - choose random h and compute $U = h^{u_i}$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
  - the verifier checks whether $U \neq h^{u_j}$ for all $u_j$ on the list
- Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
- What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable!
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
- can pre-compute the list $U_i = h^{u_i}$
- → single table lookup. BUT: if the user comes again, the verifier can link. ALSO: the verifier could keep h unchanged forever, or use the same h as other verifiers.
- One way out: $h = H(verifier, date)$, so the user can check correctness.
- The date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them.
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
- Recall $z = v^{\prod_i e_i} \bmod n$
- Thus $z' = z^{e_{new}} \bmod n$
- But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
- Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
- Witness:
  - use the extended Euclidean algorithm to compute $a$ and $b$ such that $a\, e_{own} + b\, e_{rev} = 1$
  - now $x' = x^{b} z'^{a} \bmod n$
  - why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
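The accumulator life cycle described on these slides (accumulate, witness, verify, add a member, revoke a member with the extended-Euclid witness update, and the trapdoor variant where the issuer knows the factorization of $n$), as an added example that is not code from the slides or from Identity Mixer. The modulus $n = 1019 \cdot 1283$, the seed $v = 4$ and the prime serial numbers are constructed toy values; a deployment uses a 2048-bit or larger modulus.

```python
"""RSA accumulator with dynamic add/revoke and witness updates.

Added example, not code from the original slides. Toy-sized constructed
parameters: n = p*q with two small safe primes so that everything runs
instantly; a real deployment uses a 2048-bit+ modulus and the issuer
discards p, q (or keeps them as the trapdoor for the 'improved' variant)."""
from math import gcd

# Constructed toy RSA modulus (the issuer's trapdoor is (P, Q)).
P, Q = 1019, 1283
N = P * Q
PHI = (P - 1) * (Q - 1)
V = 4  # seed v (a quadratic residue mod n; constructed)


def accumulate(values):
    """z = v^(prod e_i) mod n over the prime values e_i."""
    exp = 1
    for e in values:
        exp *= e
    return pow(V, exp, N)


def witness(values, e_j):
    """Witness x for e_j: v raised to the product of all *other* values."""
    exp = 1
    for e in values:
        if e != e_j:
            exp *= e
    return pow(V, exp, N)


def verify(z, x, e):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z


def add(z, x_own, e_new):
    """A new member joins: z' = z^e_new, and every witness becomes x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def update_witness_after_revoke(x_own, e_own, z_new, e_rev):
    """Witness update from the slides: a*e_own + b*e_rev = 1,
    x' = x^b * z'^a mod n (a negative exponent means a modular inverse)."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "accumulated values must be distinct primes"
    return (pow(x_own, b, N) * pow(z_new, a, N)) % N


def revoke_with_trapdoor(z, e_rev):
    """Issuer side: z' = z^(1/e_rev) mod n using the factorization of n."""
    assert gcd(e_rev, PHI) == 1
    return pow(z, pow(e_rev, -1, PHI), N)


def trapdoor_witness(z, e_new):
    """'Improved' variant: issuer computes x = z^(1/e_new), so z is unchanged."""
    assert gcd(e_new, PHI) == 1
    return pow(z, pow(e_new, -1, PHI), N)


def demo():
    """Runs a full life cycle and returns the outcome of each check."""
    members = [11, 13, 19, 23]        # constructed prime serial numbers
    z = accumulate(members)
    x13 = witness(members, 13)
    ok_initial = verify(z, x13, 13)

    # A new member with e = 29 joins; z and the old witness are updated.
    z2, x13_after_add = add(z, x13, 29)
    ok_after_add = verify(z2, x13_after_add, 13)
    ok_same_as_recompute = z2 == accumulate(members + [29])

    # 23 is revoked: the issuer publishes z3 = z2^(1/23); member 13 updates.
    z3 = revoke_with_trapdoor(z2, 23)
    x13_after_rev = update_witness_after_revoke(x13_after_add, 13, z3, 23)
    ok_after_revoke = verify(z3, x13_after_rev, 13)
    # The revoked member's witness (updated for the join, not for its own
    # revocation) no longer verifies against the new accumulator.
    x23_old = pow(witness(members, 23), 29, N)
    revoked_fails = not verify(z3, x23_old, 23)

    # Improved variant: member 31 joins without changing z3.
    x31 = trapdoor_witness(z3, 31)
    ok_trapdoor = verify(z3, x31, 31)
    return (ok_initial, ok_after_add, ok_same_as_recompute,
            ok_after_revoke, revoked_fails, ok_trapdoor)


if __name__ == "__main__":
    print(demo())
```

The witness update in `update_witness_after_revoke` is exactly the derivation on the slide: raising $x' = x^{b} z'^{a}$ to $e_{own}$ gives $z^{b\,e_{rev} + a\,e_{own}}$ with respect to the old accumulator, which collapses to $z^{1/e_{rev}} = z'$. Note that the revoked member has no way to run that update because it would need $a\,e_{rev} + b\,e_{rev} = 1$, which has no solution.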
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$
When a new user gets a certificate containing $e_{new}$:
- Recall $z = v^{\prod_i e_i} \bmod n$
- Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- Thus $z$ need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- issuer chooses $e, s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
- user receives $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
- Idea: just repeat the last step for each new time $time_i$
- Issuer chooses $e_i, s_i''$ and computes $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
- Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
- G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
- Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
- Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Concept: Inspection
[Figure: a trusted third party (TTP) that can recover the identity behind a presentation]
- If the car is damaged, the ID needs to be retrieved with the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust
Concept: Revocation
[Figure: revocation authority parameters (public key) and revocation info consulted by the verifier]
- If Alice was speeding, her license needs to be revoked
- There are many different use cases and many solutions:
  - Variants of CRL work (using crypto to maintain anonymity)
  - Accumulators
  - Signing entries & proof
  - Limited validity: certs need to be updated
- For proving age, a revoked driver's license still works
Concept: Usage Limitation
- The degree of anonymity can be limited
- If Alice and Eve are on-line at the same time, they are caught
- Use limitation: anonymous until
  - Alice used certs > 100 times in total
  - or > 10000 times with Bob
- Alice's cert can be bound to a hardware token (e.g., TPM)
A couple of use cases

Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation

Healthcare
- Anonymous access to patients' records
  - accessing medical test results
- Anonymous consultations with specialists
  - online chat with a psychologist
  - online consultation with IBM Watson
- Eligibility for the premium health insurance
  - proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- Patent databases
- DNA databases
- News/Journals/Magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms
  - anonymous feedback for a course only from the students who attended it
  - wikis
  - recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
[Figure: three layers on the user side (Wallet) and on the verifier side, exchanging a resource request, a presentation policy and a presentation token]
- application layer: resource request; presentation token / presentation policy; AC & app logic (verifier)
- policy layer: user side: policy/credential matcher, credential manager, store, evidence generation orchestration; verifier side: policy/token matcher, token manager, store, evidence verification orchestration
- crypto layer: Sig, Enc, Com, ZKP (both sides), store
Privacy-protecting authentication with Privacy ABCs
[Figure: User and Verifier; the verifier sends a presentation policy, the user answers with a presentation token. Building blocks: credential specification, issuer parameters, credential, pseudonym, presentation policy (verifier parameter), presentation token; example predicate: 12 < age]
The Policy Layer: An Example Presentation Policy
  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
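What the policy layer's "policy/credential matcher" has to do with such a document, as an added example that is not code from the ABC4Trust or Identity Mixer projects: parse the policy, find a credential in the wallet whose specification and issuer are acceptable, and evaluate the attribute predicate. The `abc:` namespace URI, the wallet records and the `dateTime-geq` semantics (greater-or-equal on UTC timestamps) are assumptions; the slide shows only the prefix and the function name.

```python
"""Evaluating an Identity Mixer-style presentation policy against a wallet.

Added example, not code from the ABC4Trust / Identity Mixer code base.
The policy is the one from the slide, with an ASSUMED namespace URI for
the abc: prefix; the wallet records below are constructed for this demo."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ABC_NS = "urn:example:abc"          # assumed; the slide only shows the prefix
NS = {"abc": ABC_NS}

POLICY_XML = f"""
<abc:PresentationPolicy xmlns:abc="{ABC_NS}"
    PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
"""

# Only the predicate function named on the slide is implemented; an unknown
# function makes the matcher refuse rather than guess.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:dateTime-geq": lambda a, b: a >= b,
}


def parse_dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_policy(xml_text):
    """Extract the required credentials (per alias) and the predicates."""
    root = ET.fromstring(xml_text)
    creds = {}
    for c in root.findall("abc:Credential", NS):
        creds[c.get("Alias")] = {
            "specs": [e.text for e in c.findall("abc:CredentialSpecAlternatives/abc:CredentialSpecUID", NS)],
            "issuers": [e.text for e in c.findall("abc:IssuerAlternatives/abc:IssuerParametersUID", NS)],
        }
    preds = []
    for p in root.findall("abc:AttributePredicate", NS):
        attr = p.find("abc:Attribute", NS)
        preds.append((p.get("Function"), attr.get("CredentialAlias"),
                      attr.get("AttributeType"), p.find("abc:ConstantValue", NS).text))
    return creds, preds


def predicates_hold(cred, alias, preds):
    for func, pred_alias, attr_type, const in preds:
        if pred_alias != alias:
            continue
        if func not in FUNCTIONS:
            return False
        value = cred["attributes"].get(attr_type)
        if value is None or not FUNCTIONS[func](parse_dt(value), parse_dt(const)):
            return False
    return True


def credential_satisfies(policy_xml, wallet):
    """True iff, for every alias, the wallet holds a credential from an
    acceptable spec/issuer whose attributes satisfy all predicates on it."""
    creds, preds = parse_policy(policy_xml)
    for alias, req in creds.items():
        candidates = [c for c in wallet
                      if c["spec"] in req["specs"] and c["issuer"] in req["issuers"]
                      and predicates_hold(c, alias, preds)]
        if not candidates:
            return False
    return True


# Constructed wallet contents: one valid and one expired voucher.
VALID_VOUCHER = {"spec": "https://movies.com/specifications/voucher",
                 "issuer": "https://movies.com/parameters/voucher",
                 "attributes": {"Expires": "2014-12-31T00:00:00Z"}}
EXPIRED_VOUCHER = dict(VALID_VOUCHER, attributes={"Expires": "2014-01-01T00:00:00Z"})

if __name__ == "__main__":
    print(credential_satisfies(POLICY_XML, [VALID_VOUCHER]))
    print(credential_satisfies(POLICY_XML, [EXPIRED_VOUCHER]))
```

The matcher only decides which credential can satisfy the policy; the evidence generation orchestration below it then builds the presentation token from that credential, and the verifier's side repeats the same parsing on the token.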
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently

Zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (commitment, challenge, response)
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group $\langle g \rangle$ and element $y \in \langle g \rangle$
Prover wants to convince the verifier that she knows $x$ such that $y = g^{x}$, such that the verifier only learns $y$ and $g$
- Prover: random $r$, $t = g^{r}$; sends $t$
- Verifier: random $c$; sends $c$
- Prover: $s = r - cx$; sends $s$
- Verifier checks $t = g^{s} y^{c}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
- The prover might do the protocol computation in any way it wants & we cannot analyse its code
- Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover
- Need to show how the secret can be extracted via the protocol interface
Rerun the prover from the same commitment $t$ with two challenges $c \neq c'$, obtaining responses $s$ and $s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'} \;\Rightarrow\; y^{c - c'} = g^{s' - s} \;\Rightarrow\; y = g^{(s' - s)/(c - c')} \;\Rightarrow\; x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$)
Idea: one can simulate whatever Bob "sees"
- choose random $c', s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- if the verifier's challenge $c$ equals $c'$, send $s = s'$; otherwise restart
Problem: if the domain of $c$ is too large, the success probability becomes too small
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
- Verifier: random $c, v$; $h = H(c, v)$; sends $h$
- Prover: random $r$, $t = g^{r}$; sends $t$
- Verifier: sends $c, v$
- Prover: checks $h = H(c, v)$, computes $s = r - cx$; sends $s$
- Verifier checks $t = g^{s} y^{c}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$: simulation
- receive $h$; choose random $c', s'$, compute $t = g^{s'} y^{c'}$ and send $t$
- after having received $c, v$: "reboot" the verifier (it resends the same $h$, so it is committed to the same $c$)
- choose random $s$, compute $t = g^{s} y^{c}$, send $t$; receive $c, v$ again; send $s$
From Protocols To Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and
- compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^{s} y^{c} \| m)$  ↔  $t = g^{s} y^{c}$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
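The three things the preceding slides describe, as an added example that is not code from the slides: the interactive Schnorr protocol $PK\{(\alpha): y = g^{\alpha}\}$, the knowledge extractor that rewinds the prover to two transcripts with the same $t$, and the Fiat-Shamir signature $SPK\{(\alpha): y = g^{\alpha}\}(m)$ obtained by replacing the verifier's challenge with $H(t \| m)$. The group ($p = 1019 = 2q + 1$, $q = 509$, $g = 4$) is a constructed toy group; the hash is SHA-256 over a constructed encoding of the inputs.

```python
"""Schnorr proof of knowledge of a discrete logarithm, the knowledge
extractor, and the Fiat-Shamir signature SPK{(alpha): y = g^alpha}(m).

Added example, not code from the original slides. Constructed toy group:
p = 1019 = 2q + 1 with q = 509; g = 4 generates the subgroup of order q."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Step 1: prover picks r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Step 2: verifier picks a random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Step 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier checks t == g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s)


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 give x = (s2 - s1) / (c1 - c2) mod q."""
    inv = pow((c1 - c2) % Q, -1, Q)
    return ((s2 - s1) * inv) % Q


def rewinding_demo(x, y):
    """Treat the prover as a black box: run it twice from the same t."""
    r, t = prover_commit()
    c1, c2 = 7, 19                        # two distinct challenges
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    assert verify(y, t, c1, s1) and verify(y, t, c2, s2)
    return extract(c1, s1, c2, s2)


def hash_int(*parts):
    """H(t || m) as an integer; the constructed encoding joins the parts with '|'."""
    h = hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()
    return int.from_bytes(h, "big")


def sign(x, m):
    """Fiat-Shamir: c = H(g^r || m), s = r - c*x mod q; output (c, s)."""
    r, t = prover_commit()
    c = hash_int(t, m)
    return c, prover_respond(x, r, c)


def verify_signature(y, m, sig):
    """Check c == H(g^s * y^c || m), i.e. recompute t from (c, s)."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == hash_int(t, m)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", run_protocol(x, y))
    print("extracted secret matches:", rewinding_demo(x, y) == x)
    sig = sign(x, "hello")
    print("signature valid:", verify_signature(y, "hello", sig))
    print("tampered message rejected:", not verify_signature(y, "hullo", sig))
```

`rewinding_demo` is the extractor argument made concrete: an honest prover reusing $r$ across two challenges leaks $x$, which is exactly why real provers must never reuse $r$ and why a prover that answers two challenges must "know" $x$.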
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
- $PK\{(\alpha, \beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
- $PK\{(\alpha, \beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- $SPK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents:
- $PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
- $PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A, B]\}$
- $PK\{(\alpha): y = g^{\alpha} \wedge z = \tilde{g}^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\tilde{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
  $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
  $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3'$ such that
  $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
  $C_3 = C_2^{\alpha_1} h^{\beta_3'} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3'} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1}$
  $C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2'}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2'$ such that
  $C_1 = g^{\alpha_1} h^{\beta_1}$
  $g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2'/\alpha_1}$
  $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2'/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2'/\alpha_1}$
  $C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]

Signature schemes
Signature Scheme Functionality
- Key generation: the signer generates a secret signing key and a public verification key
- Signing: on messages $(m_1, \ldots, m_k)$ compute $\sigma = sig((m_1, \ldots, m_k), \text{signing key})$
- Verification: $ver(\sigma, (m_1, \ldots, m_k), \text{verification key}) = true$
Signature Scheme Security
Unforgeability under adaptive chosen message attack:
- the adversary obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice
- it wins if it outputs $\sigma$ and $m \neq m_i$ such that $ver(\sigma, m, \text{verification key}) = true$
RSA Signature Scheme (for reference)
Rivest, Shamir, and Adleman, 1978
- Secret key: two random primes $p$ and $q$
- Public key: $n = pq$, prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^*$:
- $d = 1/e \bmod (p-1)(q-1)$
- $s = H(m)^{d} \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$:
- $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme (for reference)
Verification of a signature on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$
Want to do a proof of knowledge of a signature on a message, e.g., $PK\{(m, s): s^{e} = H(m) \pmod n\}$
But this is not a valid proof expression :-(
CL-Signature Scheme
- Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
- Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
- choose random prime $2^{\ell+2} > e > 2^{\ell+1}$ and integer $s \approx n$, compute
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
- the signature is $(c, e, s)$
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
- $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe:
- Let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
- Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of the signature $(c', e, s')$ on $m_2$ and some $m_1$, provide $c'$ and
  $PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs]

Commitment scheme
Commitment Scheme Functionality
[Figure: the committer puts a message $m$ (e.g., the value 2-36-17) into a sealed box and hands it over; later the box is opened and the recipient sees $m$]

Commitment Scheme Security
- Binding: the committer cannot open the box to a different message $m' \neq m$ (the figure shows a failed attempt to replace 2-36-17 by 3-21-11)
- Hiding: for all messages $m, m'$, the recipient cannot tell from the closed box which of the two is inside
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
- reveal $x$ and $r$ to the verifier
- the verifier checks whether $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
Perfectly hiding:
- Let $c$ be a commitment and $u = \log_g h$
- Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$
- I.e., given $c$ and any $x'$, there exists an $r''$ such that $c = g^{x'} h^{r''}$
Computationally binding:
- Let $c$, $(x, r)$ and $(x', r')$ be such that $c = g^{x} h^{r} = g^{x'} h^{r'}$
- Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$
Commitment Scheme Extended Features
- Proof of knowledge of contents: prove knowledge of the $m$ inside the box without opening it
- Proof of relations among contents: prove, e.g., that the contents of two boxes satisfy $m' = 2 \cdot m$
Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$; then
- $PK\{(\alpha, \beta): C = g^{\beta} h^{\alpha}\}$
- $PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^{2})^{\beta} h^{\gamma}\}$
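The Pedersen scheme and the two proofs on this slide, together with the style of analysis in "Some Example Proofs and Their Analysis" above, as an added example that is not code from the slides: commit and open, a demonstration of why hiding is perfect but binding only computational (the equivocation works as soon as $\log_g h$ is known, which the toy group is small enough to brute-force), and a non-interactive proof that one commitment holds twice the value of another. The group ($p = 1019$, $q = 509$, $g = 4$, $h = 9$) and the Fiat-Shamir encoding are constructed for this example.

```python
"""Pedersen commitments: hiding, binding, and zero-knowledge proofs about
the committed values, including the relation m' = 2*m from the slide.

Added example, not code from the original slides. Constructed toy group:
p = 1019 = 2q+1, q = 509, generators g = 4 and h = 9 of the order-q
subgroup. In practice h is chosen so that nobody knows log_g h; here the
group is small enough to brute-force it, which is used below only to
illustrate why binding is merely computational."""
import hashlib
import secrets

P, Q, G, H = 1019, 509, 4, 9


def commit(x, r=None):
    """Pedersen: c = g^x h^r with random r in Z_q. Returns (c, r)."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, x, P) * pow(H, r, P)) % P, r


def open_commitment(c, x, r):
    return c == (pow(G, x, P) * pow(H, r, P)) % P


def dlog_bruteforce(base, target):
    """Toy-only discrete log by exhaustive search; infeasible in a real group."""
    for u in range(Q):
        if pow(base, u, P) == target:
            return u
    raise ValueError("target not in the subgroup")


def equivocate(x, r, x_new, u):
    """Perfect hiding: with u = log_g h, c = g^x h^r also opens to x_new
    with r_new = (x + u*r - x_new) / u mod q. Returns r_new."""
    return ((x + u * r - x_new) * pow(u, -1, Q)) % Q


def fiat_shamir(*parts):
    """Constructed challenge encoding: SHA-256 over the '|'-joined inputs."""
    h = hashlib.sha256(b"|".join(str(v).encode() for v in parts)).digest()
    return int.from_bytes(h, "big")


def prove_double(m, r, r2):
    """SPK{(alpha, beta, gamma): C = g^beta h^alpha  AND  C2 = (g^2)^beta h^gamma}
    for C = g^m h^r and C2 = g^(2m) h^r2. The single response for beta is
    what ties the two commitments together (same analysis as on the slides)."""
    C, _ = commit(m, r)
    C2 = (pow(G, 2 * m, P) * pow(H, r2, P)) % P
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = (pow(G, rb, P) * pow(H, ra, P)) % P
    t2 = (pow(G, 2 * rb, P) * pow(H, rg, P)) % P
    c = fiat_shamir(C, C2, t1, t2)
    sb, sa, sg = (rb - c * m) % Q, (ra - c * r) % Q, (rg - c * r2) % Q
    return C, C2, (c, sb, sa, sg)


def verify_double(C, C2, proof):
    """Recompute t1, t2 from the responses and check the challenge."""
    c, sb, sa, sg = proof
    t1 = (pow(G, sb, P) * pow(H, sa, P) * pow(C, c, P)) % P
    t2 = (pow(G, 2 * sb, P) * pow(H, sg, P) * pow(C2, c, P)) % P
    return c == fiat_shamir(C, C2, t1, t2)


if __name__ == "__main__":
    c, r = commit(42)
    print("opens correctly:", open_commitment(c, 42, r))
    u = dlog_bruteforce(G, H)
    print("same c opens to 7 once log_g h is known:",
          open_commitment(c, 7, equivocate(42, r, 7, u)))
    C, C2, proof = prove_double(42, r, 5)
    print("proof that C2 commits to 2*m:", verify_double(C, C2, proof))
```

The verifier's check in `verify_double` is the same algebra as the slide's analysis: $g^{s_\beta} h^{s_\alpha} C^{c} = g^{\rho_\beta} h^{\rho_\alpha}$ and $(g^{2})^{s_\beta} h^{s_\gamma} C'^{c} = (g^{2})^{\rho_\beta} h^{\rho_\gamma}$ only if the $g$-exponent of $C'$ is twice that of $C$.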
Putting things together

Realizing Pseudonyms and Key Binding
- Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
- User's secret key: random $sk \in \mathbb{Z}_q$
- To compute a pseudonym $Nym$:
  - choose random $r \in \mathbb{Z}_q$
  - compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials
- Like PKI, but better
- Issuing a credential: [Figure: the issuer signs Alice's attributes, e.g., Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
- $e > 2^{\ell+1}$
- $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
- The signer receives commitments to $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and computes $\sigma = sig((\text{commitments to } m_1, \ldots, m_j;\; m_{j+1}, \ldots, m_k), \text{signing key})$
- Verification remains unchanged: $ver(\sigma, (m_1, \ldots, m_k), \text{verification key}) = true$
- Security requirements are basically the same as for signatures, but
  - the signer should not learn any information about $m_1, \ldots, m_j$
  - forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: $n, a_i, b, d$
1. The user computes $C = a_1^{sk} b^{s'}$ and sends $C$ and $name$ to the issuer
2. The user proves $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$
3. The issuer chooses $e, s''$, computes $c = (d / (C a_2^{name} b^{s''}))^{1/e} \bmod n$ and sends $(c, e, s'')$
4. Resulting credential: $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential
Issuer public key: $n, a_i, b, d$
Want to sign w.r.t. $Nym = g^{sk} h^{r}$
1. The user computes $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$ and $name$ to the issuer
2. The user proves $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
3. The issuer stores $(Nym, name)$, chooses $e, s''$, computes $c = (d / (C a_3^{name} b^{s''}))^{1/e} \bmod n$ and sends $(c, e, s'')$
4. Resulting credential: $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
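The CL-signature scheme from the "CL-Signature Scheme" and "Proving Knowledge of a CL-signature" slides and the issuance flow on the slides just above, as one added example that is not code from the slides or from the Identity Mixer library: signing, verification, the re-randomisation $(c\,b^{t}, e, s - et)$, and issuing a credential on a secret key the issuer only sees as the commitment $C = a_1^{sk} b^{s'}$. The modulus $n = 1019 \cdot 1283$, the message length $\ell = 8$, the list of candidate primes $e$ and the public-key elements are constructed toy values; the zero-knowledge proof $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$ that accompanies $C$ is not implemented here.

```python
"""CL signatures (Strong-RSA variant from the slides): signing, verifying,
re-randomising a signature, and issuing a credential on a hidden value.

Added example, not code from the slides or the Identity Mixer library.
Toy-sized constructed parameters: n = 1019 * 1283 (two safe primes), message
length l = 8 bits, so e is a prime between 2^9 and 2^10. Real parameters are
2048-bit moduli with e of a few hundred bits."""
from math import gcd
import secrets

P, Q = 1019, 1283
N, PHI = P * Q, (P - 1) * (Q - 1)
L = 8                                      # message length in bits
# Public key elements a_i, b, d in QR_n (constructed as squares mod n).
A = [pow(x, 2, N) for x in (12345, 6789, 2468)]   # a1, a2, a3
B, D = pow(13579, 2, N), pow(97531, 2, N)
SMALL_PRIMES = [521, 523, 541, 547, 557, 563, 569, 571, 577, 587]  # in (2^9, 2^10)


def random_prime_e():
    """A prime 2^(l+1) < e < 2^(l+2) (toy: drawn from a fixed list)."""
    while True:
        e = secrets.choice(SMALL_PRIMES)
        if gcd(e, PHI) == 1:
            return e


def root_mod_n(value, e):
    """Issuer-only: value^(1/e) mod n, using the factorisation of n."""
    return pow(value, pow(e, -1, PHI), N)


def sign(messages):
    """c = (d / (a1^m1 ... ak^mk b^s))^(1/e) mod n; signature is (c, e, s)."""
    assert all(0 <= m < 2 ** L for m in messages)
    e, s = random_prime_e(), secrets.randbelow(N)
    denom = pow(B, s, N)
    for a, m in zip(A, messages):
        denom = denom * pow(a, m, N) % N
    c = root_mod_n(D * pow(denom, -1, N) % N, e)
    return c, e, s


def verify(sig, messages):
    """d == c^e a1^m1 ... ak^mk b^s mod n, with e > 2^(l+1) and m_i in {0,1}^l."""
    c, e, s = sig
    if e <= 2 ** (L + 1) or not all(0 <= m < 2 ** L for m in messages):
        return False
    acc = pow(c, e, N) * pow(B, s, N) % N
    for a, m in zip(A, messages):
        acc = acc * pow(a, m, N) % N
    return acc == D


def rerandomise(sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages;
    the user presents a fresh c' each time so that shows are unlinkable."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t


# Issuance of a credential on (sk, name) where sk stays hidden from the issuer.
def user_commit(sk):
    """User side: C = a1^sk b^s' (the accompanying ZK proof is omitted)."""
    s1 = secrets.randbelow(N)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1


def issuer_sign_on_commitment(C, name):
    """Issuer side: c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e, s2 = random_prime_e(), secrets.randbelow(N)
    denom = C * pow(A[1], name, N) % N * pow(B, s2, N) % N
    return root_mod_n(D * pow(denom, -1, N) % N, e), e, s2


def issue_credential(sk, name):
    """Full flow; the resulting (c, e, s' + s'') verifies on (sk, name)."""
    C, s1 = user_commit(sk)
    c, e, s2 = issuer_sign_on_commitment(C, name)
    return c, e, s1 + s2


if __name__ == "__main__":
    sig = sign([17, 200, 3])
    print("signature valid:", verify(sig, [17, 200, 3]))
    print("re-randomised copy valid:", verify(rerandomise(sig), [17, 200, 3]))
    cred = issue_credential(sk=99, name=42)
    print("credential on hidden sk valid:", verify(cred, [99, 42]))
```

Without the omitted proof of knowledge of $C$'s opening, an issuer would be signing an arbitrary group element; in the slides that proof is what guarantees the hidden message really is a well-formed $sk$ (and, for the $Nym$ variant, the same $sk$ that sits inside the pseudonym).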
An Example Scenario

Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling: Solution, Registration
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e., $(c, e, s)$ with
  $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer public key $(n, a_1, a_2, b, d)$
- The credential can contain attributes (e.g., course ID) about her
Polling: Solution, Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms the credential
3. The transformed credential is shown with a subset of the attributes
- The user is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling: Solution, Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
   - $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   - $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
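The domain pseudonym $P = H(pollID)^{sk}$ and the pollster's duplicate detection, as an added example that is not code from the slides. The group ($p = 1019$, $q = 509$), the way $H$ maps a poll identifier into the order-$q$ subgroup (hash, then square), the secret keys and the poll identifiers are all constructed; the $SPK$ that binds $P$ to the credential is not implemented, so the pollster here simply trusts the submitted $P$.

```python
"""Domain pseudonyms for the polling scenario: P = H(pollID)^sk.

Added example, not code from the slides. Constructed toy group p = 1019 = 2q+1,
q = 509; H maps a poll identifier into the order-q subgroup by hashing into
[2, p-2] and squaring, so the result is a quadratic residue other than 1."""
import hashlib

P, Q = 1019, 509


def hash_to_group(poll_id):
    """g_d = H(pollID): SHA-256 to Z_p, shifted into [2, p-2], then squared."""
    h = int.from_bytes(hashlib.sha256(poll_id.encode()).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)


def domain_pseudonym(sk, poll_id):
    """Deterministic per (sk, pollID); different polls give different bases."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym; later attempts are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False                    # second attempt by the same user
        self.opinions[pseudonym] = opinion
        return True


def demo():
    """Alice votes twice in one poll (second dropped), Bob once."""
    alice_sk, bob_sk = 123, 456            # constructed user secret keys
    course = Pollster("course-2014")
    first = course.submit(domain_pseudonym(alice_sk, "course-2014"), "good")
    second = course.submit(domain_pseudonym(alice_sk, "course-2014"), "bad")
    bob = course.submit(domain_pseudonym(bob_sk, "course-2014"), "ok")
    return first, second, bob, len(course.opinions)


if __name__ == "__main__":
    print(demo())
    # Alice's pseudonyms in two different polls share sk but not the base;
    # relating them amounts to a DDH instance in the group.
    print(domain_pseudonym(123, "course-2014"), domain_pseudonym(123, "course-2015"))
```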
Further Concepts

Concept: Inspection
[Figure: a trusted third party (TTP) with inspector parameters and inspection grounds]
- If the car is damaged, the ID needs to be retrieved with the insurance or the government
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
- Key generation
- Encryption
- Decryption

Security
- Like envelopes: no info about the message
- [Figure: two candidate messages, one "or" the other, inside a sealed envelope]
- This is called semantic security (secure if used once only or within a careful construction)

Verifiable Encryption with Label
- The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
- Security definition: a change of the label is a new ciphertext
Verifiable Encryption
- Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or rarely ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
- Open problem: to find new ones
ElGamal Encryption Scheme
- Group $G = \langle g \rangle$ of order $q$
- Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
- thus set $m = c_1 c_2^{-x} = y^{r} m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
- Pseudonym $Nym = g^{sk} h^{r}$ and credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
- Inspector's public key $y = g^{x}$
- Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$
- Compute the proof token (presentation token):
  - compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
  - compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
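The ElGamal scheme of the previous slide applied to inspection as described here, as an added example that is not code from the slides: the inspector's key pair, encryption of $Nym = g^{sk} h^{r}$ under $y = g^{x}$, decryption, and the issuer-side table that maps the recovered pseudonym back to the name stored at issuance. The group ($p = 1019$, $q = 509$, $g = 4$, $h = 9$), keys and names are constructed; the zero-knowledge proof that the ciphertext contains the pseudonym bound to the credential is not implemented.

```python
"""ElGamal encryption of a pseudonym for inspection.

Added example, not code from the slides. Constructed toy group p = 1019,
q = 509, generators g = 4 and h = 9 of the order-q subgroup. The inspector
holds x; the user encrypts Nym = g^sk h^r under y = g^x inside a
presentation token. The proof tying the ciphertext to the credential is
left out here."""
import secrets

P, Q, G, H = 1019, 509, 4, 9


def inspector_keygen():
    """Secret x in {1..q-1}, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m):
    """c = (y^u * m, g^u) for m in <g>; fresh u every time."""
    u = secrets.randbelow(Q - 1) + 1
    return pow(y, u, P) * m % P, pow(G, u, P)


def decrypt(x, c):
    """m = c1 * c2^(-x) = y^u m g^(-xu)."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P


class Registry:
    """Issuer-side table Nym -> name, filled at issuance ('stores Nym, name')."""

    def __init__(self):
        self.by_nym = {}

    def register(self, nym, name):
        self.by_nym[nym] = name

    def inspect(self, x, enc):
        """The inspector decrypts; the registry resolves the Nym to a name."""
        return self.by_nym.get(decrypt(x, enc))


def demo():
    """Two independent encryptions of the same Nym both resolve to Alice."""
    x, y = inspector_keygen()
    reg = Registry()
    alice = pseudonym(sk=77, r=5)              # constructed values
    reg.register(alice, "Alice Doe")
    enc1, enc2 = encrypt(y, alice), encrypt(y, alice)
    return reg.inspect(x, enc1), reg.inspect(x, enc2)


if __name__ == "__main__":
    print(demo())
    x, y = inspector_keygen()
    # Same plaintext, different randomness: the verifier cannot tell the two
    # ciphertexts apart (semantic security), only the inspector can.
    print(encrypt(y, 16), encrypt(y, 16))
```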
Revocation of credentials

Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
- Various reasons to revoke a credential: the user lost the credential or secret key, misbehavior of the user
- Alice should be able to convince the verifier that her credential is among the good ones
- Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
- Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
- Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
- Alice proves that her $u_i$ is on the list:
  - choose random $g$
  - compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
- Not very efficient, i.e., linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
- Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
- Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
- Alice proves that her $u_i$ is not on the list:
  - choose random $h$ and compute $U = h^{u_i}$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
  - the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list
- Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
- What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
- can pre-compute the list $U_i = h^{u_i}$ → single table lookup
- BUT if the user comes again, the verifier can link her; ALSO the verifier could decide not to change $h$ at all, or use the same $h$ as other verifiers
- one way out: $h = H(verifier, date)$, so the user can check its correctness
- the date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
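The verifier's side of the second solution and its variation, as an added example that is not code from the slides: the non-membership check of $U = h^{u}$ against the revoked list, the pre-computed table for a fixed $h$, and the difference between a fixed $h$ (the same user shows the same $U$ twice) and $h = H(verifier, date)$. The group ($p = 1019$, $q = 509$), the revoked IDs, the verifier name and the timestamps are constructed; the $PK$ that ties $U$ to the credential is not implemented, so the verifier here receives $U$ directly.

```python
"""Revocation by non-membership (second solution): U = h^u checked against
the revoked list, plus the linkability caveat of a fixed h and the
h = H(verifier, date) fix.

Added example, not code from the slides. Constructed toy group p = 1019,
q = 509; H maps (verifier, date) into the order-q subgroup. The ZK proof
tying U to the credential is not implemented, so the verifier just gets U."""
import hashlib

P, Q = 1019, 509
REVOKED = [17, 42, 99]                  # constructed list of revoked IDs u_j


def hash_to_generator(*parts):
    """h = H(verifier, date): hash into [2, p-2] and square, so h generates
    the order-q subgroup and is never 1."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return pow(int.from_bytes(digest, "big") % (P - 3) + 2, 2, P)


def user_show(h, u):
    """Alice computes U = h^u for her credential ID u."""
    return pow(h, u, P)


def verifier_accepts(h, U):
    """Accept unless U equals h^u_j for some revoked u_j (linear work)."""
    return all(U != pow(h, uj, P) for uj in REVOKED)


def precomputed_table(h):
    """Fixed-h variant: one set lookup per show instead of k exponentiations."""
    return {pow(h, uj, P) for uj in REVOKED}


def demo():
    u_alice, u_mallory = 5, 42              # Mallory's ID is on the list
    h1 = hash_to_generator("cinema-verifier", "2014-06-17T14:06:00Z")
    h2 = hash_to_generator("cinema-verifier", "2014-06-17T14:06:01Z")
    good = verifier_accepts(h1, user_show(h1, u_alice))
    revoked = verifier_accepts(h1, user_show(h1, u_mallory))
    # With a fixed h the same user shows the same U twice: the verifier can link.
    linkable = user_show(h1, u_alice) == user_show(h1, u_alice)
    # With h derived from the date, the two shows use different bases.
    different_base = h1 != h2
    table_hit = user_show(h1, u_mallory) in precomputed_table(h1)
    return good, revoked, linkable, different_base, table_hit


if __name__ == "__main__":
    print(demo())
```

`verifier_accepts` is exactly "check $U \neq h^{u_j}$ for all $u_j$"; the table variant moves that work to a one-off pre-computation, which is why a verifier is tempted to keep $h$ fixed and why the slide derives $h$ from the date instead.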
Revocable Credentials: Second Solution (a better implementation of the proof)
[Figure: revoked values 1, 4, 5 on a number line; the user's value 3 lies in the interval (1, 4)]
- The issuer signs the intervals between revoked values: $Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)$ → revocation list $\{1, 4, 5\}$
- The credential contains $u$; the user proves knowledge of $i, j$ and $Sig(i, j)$ where $i < u < j$
- The verifier does not learn $i, j$
- $Sig(i, j)$ can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: accumulator containing the serial numbers 1 to 6; the credential contains serial number 2, and the proof that 2 is included requires a witness]
- credentials contain a random serial number
- the issuer accumulates all good serial numbers
- the proof that the credential's serial number is included in the accumulator requires a witness
- to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
Revocation: Zeroth Solution
Update of credentials: encode validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User sends U = a_1^{m_1} a_2^{m_2} b^{s'} to the issuer
– Issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n
– Issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
– Idea: just repeat the last step for each new time period time_i
– Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
– Issuer chooses e_i, s_i'' and computes c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious Transfer with Access Control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
References
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Concept – Revocation
• If Alice was speeding, her license needs to be revoked!
• There are many different use cases and many solutions:
  • Variants of CRLs work (using crypto to maintain anonymity)
    • Accumulators
    • Signing entries & proof
  • Limited validity – certs need to be updated
  • For proving age, a revoked driver's license still works
(Diagram: the revocation authority publishes revocation authority parameters (public key) and revocation info)
Concept – Usage Limitation
• The degree of anonymity can be limited:
  – If Alice and Eve are on-line at the same time, they are caught
  – Use limitation – anonymous until: Alice used certs > 100 times total, or > 10'000 times with Bob
• Alice's cert can be bound to a hardware token (e.g., TPM)
A couple of use cases

Age verification
• Movie streaming services
• Gaming industry
• Online gambling platforms
• Dating websites
• Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare
• Anonymous access to patients' records – accessing medical test results
• Anonymous consultations with specialists – online chat with a psychologist; online consultation with IBM Watson
• Eligibility for premium health insurance – proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
• Anonymous treatment of patients (while enabling access control and payments)
Subscriptions, membership
• Patent databases
• DNA databases
• News/Journals/Magazines
• Transportation tickets, toll roads
• Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Polls, recommendation platforms
• Online polls – applying different restrictions on the poll participants: location, citizenship
• Rating and feedback platforms – anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(Diagram: three layers on the user's Wallet side and on the verifier side)
– Application layer: resource request; the verifier sends a presentation policy, the user answers with a presentation token; AC & app logic on the verifier
– Policy layer (Wallet): policy/credential matcher, credential mgr, store, evidence generation orchestration
– Policy layer (verifier): policy/token matcher, token mgr, store, evidence verification orchestration
– Crypto layer (both sides): Sig, Enc, Com, ZKP; store
Privacy-protecting authentication with Privacy ABCs
(Diagram: the verifier sends a presentation policy, e.g. "12 < age", to the user; the user answers with a presentation token derived from her credential and pseudonym. Further labels: credential specification, issuer parameters, verifier parameters.)
The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
• Encryption schemes
• Signature schemes
• Commitment schemes
• Zero-knowledge proofs
The challenge is to do all this efficiently!
Zero-knowledge proofs

Zero-Knowledge Proofs
• Interactive proof between a prover and a verifier about the prover's knowledge
• Properties:
  – zero-knowledge: the verifier learns nothing about the prover's secret
  – proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
  – completeness: if the prover knows the secret, she can always convince the verifier
(Three moves: commitment, challenge, response)
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group ⟨g⟩ and element y ∈ ⟨g⟩
Prover wants to convince verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g
Prover: random r, t = g^r;  sends t to the verifier
Verifier: random c;  sends c to the prover
Prover: s = r − cx;  sends s to the verifier
Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same commitment t with two different challenges c, c', obtaining responses s, s':
  t = g^s y^c = g^{s'} y^{c'}  →  y^{c−c'} = g^{s'−s}
  →  y = g^{(s'−s)/(c−c')}
  →  x = (s'−s)/(c−c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
Simulator (without x): choose random c', s'; compute t = g^{s'} y^{c'}; send t; receive c
  if c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
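The Schnorr protocol, the rewinding extractor of the "proof of knowledge" slide and the restart-based simulator of the "zero-knowledge" slide, as one added worked example (illustration code, not the talk's or Identity Mixer's own). It assumes a toy group with p = 1019, q = 509 and g = 4 (far too small for real use) and constructed challenge values; the class and function names are the example's own.

```python
import secrets

# Toy prime-order group (assumption; far too small for real use):
# p = 2q + 1 with q prime, g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4


def keygen():
    """Prover's secret x and public y = g^x; statement PK{(alpha): y = g^alpha}."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    """Honest Schnorr prover: commit t = g^r, then answer s = r - c*x mod q."""

    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        return (self.r - c * self.x) % Q


def verify(y, t, c, s):
    """Verifier's check: t == g^s * y^c mod p."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    """One honest interactive run (completeness)."""
    prover = Prover(x)
    t = prover.commit()
    c = secrets.randbelow(Q)
    return verify(y, t, c, prover.respond(c))


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and
    c1 != c2 give g^s1 y^c1 = g^s2 y^c2, hence x = (s2 - s1)/(c1 - c2) mod q."""
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


def rewind_and_extract(x, y):
    """Treat the prover as a black box: keep its commitment, rewind, re-challenge."""
    prover = Prover(x)
    t = prover.commit()
    c1, c2 = 17, 123                                  # two distinct challenges (constructed)
    s1, s2 = prover.respond(c1), prover.respond(c2)   # second call = rerun after reset
    assert verify(y, t, c1, s1) and verify(y, t, c2, s2)
    return extract(c1, s1, c2, s2)


def simulate(y):
    """Zero-knowledge simulator: pick c and s first, then t = g^s y^c.
    The transcript verifies although no x was used."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def simulate_against_verifier(y, challenge_bits=4, max_restarts=1 << 16):
    """Simulator facing a verifier whose challenge has challenge_bits bits:
    guess c', commit, and restart the verifier on a mismatch. Expected
    restarts ~ 2^challenge_bits, which is why a large challenge domain
    defeats this simple simulator (the slide's "problem")."""
    for attempt in range(1, max_restarts + 1):
        guess = secrets.randbelow(1 << challenge_bits)
        s = secrets.randbelow(Q)
        t = pow(G, s, P) * pow(y, guess, P) % P
        c = secrets.randbelow(1 << challenge_bits)   # verifier's real challenge
        if c == guess:
            return (t, c, s), attempt
    return None, max_restarts
```

rewind_and_extract is the soundness argument turned into code: nothing about the prover's internals is used, only that it can be reset to the state after sending t. simulate shows why the verifier learns nothing, and simulate_against_verifier shows the cost of that argument growing with the challenge space.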
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier: random c_v, h = H(c_v);  sends h (a commitment to the challenge) to the prover
Prover: random r, t = g^r;  sends t
Verifier: sends c_v
Prover: checks h = H(c_v), s = r − c_v x;  sends s
Verifier: checks t = g^s y^{c_v}
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c: simulation
– receive h from the verifier
– choose random c', s', compute t = g^{s'} y^{c'}; send t; receive c_v
– after having received c_v, "reboot" the verifier (it is committed to c_v through h)
– choose random s', compute t = g^{s'} y^{c_v}; send t; receive c_v; send s'
From Protocols to Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r − cx mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m)   ↔   t = g^s y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} g^{α_2} h^{β_3}} mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
   C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2}, and
   C_3 = g^{α_1} g^{α_2} h^{β_3} = g^{α_1 + α_2} h^{β_3} = g^{α_3} h^{β_3}
→ α_3 = α_1 + α_2 (mod q)
And what about PK{(α_1, …, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3}}?
→ C_3 = g^{α_1} g^{5α_2} h^{β_3} = g^{α_1 + 5α_2} h^{β_3}
→ α_3 = α_1 + 5α_2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, …, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = C_2^{α_1} h^{β_3}} mean?
→ The prover knows values α_1, β_1, α_2, β_2, β_3 such that
   C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2}, and
   C_3 = C_2^{α_1} h^{β_3} = (g^{α_2} h^{β_2})^{α_1} h^{β_3} = g^{α_2·α_1} h^{β_3 + β_2·α_1}
   C_3 = g^{α_2·α_1} h^{β_3 + β_2·α_1} = g^{α_3} h^{β_3}
→ α_3 = α_1 · α_2 (mod q)
And what about PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_2 = C_1^{α_1} h^{β_2}}?
→ α_2 = α_1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements.
Now what does PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ g = (C_2/C_1)^{α_1} h^{β_2}} mean?
→ The prover knows values α_1, β_1, β_2 such that
   C_1 = g^{α_1} h^{β_1}
   g = (C_2/C_1)^{α_1} h^{β_2} = (C_2 g^{−α_1} h^{−β_1})^{α_1} h^{β_2}
→ g^{1/α_1} = C_2 g^{−α_1} h^{−β_1} h^{β_2/α_1}
   C_2 = g^{α_1} h^{β_1} h^{−β_2/α_1} g^{1/α_1} = g^{α_1 + 1/α_1} h^{β_1 − β_2/α_1}
   C_2 = g^{α_2} h^{β_2}
→ α_2 = α_1 + α_1^{−1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(Diagram: Alice's credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Signature schemes

Signature Scheme: Functionality
– Key generation: the signer generates a key pair (keys are drawn as icons on the slides)
– Signing: σ = sig((m_1, …, m_k), ·) under the signing key
– Verification: ver(σ, (m_1, …, m_k), ·) = true under the verification key
Signature Scheme: Security
Unforgeability under adaptive chosen message attack:
– the adversary obtains signatures (m_1, σ_1), …, (m_l, σ_l) on messages of its choice
– it wins if it outputs σ and m ≠ m_i s.t. ver(σ, m, ·) = true
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*:
  d = 1/e mod (p−1)(q−1)
  s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m_1, …, m_k ∈ {0,1}^ℓ:
– choose random prime 2^{ℓ+2} > e > 2^{ℓ+1} and integer s ≈ n, compute c:
  c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n
– signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m_1, …, m_k:
– m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}
– d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a_1^{m_1} a_2^{m_2} b^s mod n
Observe:
– Let c' = c b^t mod n with randomly chosen t
– Then d = c'^e a_1^{m_1} a_2^{m_2} b^{s−et} (mod n), i.e., (c', e, s' = s − et) is also a signature on m_1 and m_2
To prove knowledge of the signature (c', e, s') on m_2 and some m_1, provide c' and
  PK{(ε, μ_1, σ): d / a_2^{m_2} = c'^ε a_1^{μ_1} b^σ ∧ μ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a_1^{μ_1} a_2^{m_2} b^σ
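The CL-signature slides (signing, verifying with the range checks on e and the m_i, and the re-randomisation c' = c b^t, s' = s − et that precedes the proof of knowledge) as one added worked example. This is illustration code, not Identity Mixer's or the CL paper's implementation; it assumes a toy Strong-RSA setting with Mersenne-prime factors (far too small for real use) and ℓ = 18, and it stops at the randomised signature: the integer zero-knowledge proof on top of it is not shown.

```python
import secrets
from math import gcd

# Toy Strong-RSA setting (assumption): Mersenne-prime factors, ELL-bit messages.
# Nothing here is sized for real security; it only keeps the algebra honest.
P_FACTOR, Q_FACTOR = (1 << 31) - 1, (1 << 61) - 1
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)        # secret key: the factorisation of n
ELL = 18                                    # messages m_i in {0,1}^ELL
E_LOW, E_HIGH = 1 << (ELL + 1), 1 << (ELL + 2)


def rand_qr():
    """Random element of QR_n for the public bases a_i, b, d."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            return r * r % N


def keygen(k):
    """Public key (n, a_1..a_k, b, d); the secret key is PHI above."""
    return {"a": [rand_qr() for _ in range(k)], "b": rand_qr(), "d": rand_qr()}


def is_prime(x):
    """Trial division; enough for the 20-bit e used in this toy setting."""
    return x > 1 and all(x % p for p in range(2, int(x ** 0.5) + 1))


def random_prime_e():
    """Prime e with 2^{ELL+1} < e < 2^{ELL+2}, coprime to phi(n) so 1/e exists."""
    while True:
        e = secrets.randbelow(E_HIGH - E_LOW - 2) + E_LOW + 1
        if is_prime(e) and gcd(e, PHI) == 1:
            return e


def _bases_product(pk, msgs, s):
    """a_1^{m_1} ... a_k^{m_k} b^s mod n (s may be negative after randomisation)."""
    acc = pow(pk["b"], s, N)
    for a, m in zip(pk["a"], msgs):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(pk, msgs):
    """(c, e, s) with c = (d / (a_1^{m_1} ... a_k^{m_k} b^s))^{1/e} mod n."""
    assert len(msgs) == len(pk["a"]) and all(0 <= m < (1 << ELL) for m in msgs)
    e = random_prime_e()
    s = secrets.randbelow(N) + N                  # integer s of roughly the size of n
    target = pk["d"] * pow(_bases_product(pk, msgs, s), -1, N) % N
    return pow(target, pow(e, -1, PHI), N), e, s


def verify(pk, msgs, sig):
    """d == c^e a_1^{m_1} ... a_k^{m_k} b^s mod n, plus the range checks on e and m_i."""
    c, e, s = sig
    return (E_LOW < e < E_HIGH and len(msgs) == len(pk["a"])
            and all(0 <= m < (1 << ELL) for m in msgs)
            and pow(c, e, N) * _bases_product(pk, msgs, s) % N == pk["d"])


def randomize(pk, sig):
    """c' = c b^t, s' = s - e t: a fresh, unlinkable signature on the same messages.
    This c' is what a prover publishes before running the proof of knowledge."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t
```

The range checks in verify matter: without e > 2^{ℓ+1} and m_i ∈ {0,1}^ℓ the verification equation alone does not pin down a unique signature, which is why the proof of knowledge on the slide carries the same interval conditions.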
Privacy-protecting authentication with Privacy ABCs
(Diagram: Alice's credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs)

Commitment scheme

Commitment Scheme: Functionality
(Diagram: the committer seals a message m into a commitment and hands it over; later she opens it, and the recipient checks that the revealed m is the committed one)

Commitment Scheme: Security
– Binding: a commitment to m (e.g., 2-36-17 on the slide) cannot later be opened to a different m' (e.g., 3-21-11)
– Hiding: for all messages m, m', a commitment to m is indistinguishable from a commitment to m'
Commitment Schemes
Group G = ⟨g⟩ = ⟨h⟩ of order q
To commit to element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
– Let c be a commitment and u = log_g h
– Thus c = g^x h^r = g^{x+ur} = g^{(x+ur) + u(r'−r')} = g^{x+ur'} h^{r−r'} for any r'
– I.e., given c and x', there exists r' such that c = g^{x'} h^{r'}
Computationally binding:
– Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
– Then g^{x−x'} = h^{r'−r} and u = log_g h = (x−x')/(r'−r) mod q
Commitment Scheme: Extended Features
– Proof of knowledge of contents: prove knowledge of the m inside a commitment → true
– Proof of relations among contents: prove m' = 2·m for two commitments → true
Let C = g^m h^r and C' = g^{m'} h^{r'}; then
  PK{(α, β): C = g^β h^α}
  PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
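Pedersen's scheme together with the relation proof just stated, and the "Some Example Proofs" slides before it (where one exponent shared across equations forces a linear relation between committed values), as one added worked example. This is illustration code, not the talk's own; it assumes the toy group p = 1019, q = 509, g = 4, a trapdoor u = log_g h that is known here only to demonstrate the hiding/binding argument (in a real setup nobody may know it), and it generalises the slide's factor 2 to any k, with SHA-256 as the Fiat-Shamir hash.

```python
import hashlib
import secrets

# Toy group (assumption): p = 2q + 1, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4
U_TRAPDOOR = 77                   # log_g h; known here ONLY to demonstrate the security argument
H_BASE = pow(G, U_TRAPDOOR, P)    # h = g^u; in a real setup u must be unknown to everyone


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r with fresh r unless one is given."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, x, P) * pow(H_BASE, r, P) % P, r


def open_ok(c, x, r):
    return c == pow(G, x, P) * pow(H_BASE, r, P) % P


def equivocate(x, r, x_new):
    """Perfect hiding: since c = g^{x+ur}, anyone knowing u can open c to any
    x' with r' = r + (x - x')/u mod q; so c carries no information about x."""
    return (r + (x - x_new) * pow(U_TRAPDOOR, -1, Q)) % Q


def extract_trapdoor(x1, r1, x2, r2):
    """Computational binding: two openings of one c give g^{x1-x2} = h^{r2-r1},
    i.e. u = log_g h = (x1 - x2)/(r2 - r1) mod q (the slide's reduction)."""
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q


def challenge(*vals):
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_scaled(k, m, r, r2):
    """Non-interactive PK{(alpha,beta,gamma): C = g^beta h^alpha AND C2 = (g^k)^beta h^gamma}
    for C = g^m h^r and C2 = g^{k m} h^{r2}. Reusing beta in both equations is
    what proves that C2 commits to k times the value in C (k = 2 on the slide)."""
    C, _ = commit(m, r)
    C2, _ = commit(k * m % Q, r2)
    gk = pow(G, k, P)
    kb, ka, kg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, kb, P) * pow(H_BASE, ka, P) % P
    t2 = pow(gk, kb, P) * pow(H_BASE, kg, P) % P
    c = challenge(k, C, C2, t1, t2)
    return C, C2, (c, (kb - c * m) % Q, (ka - c * r) % Q, (kg - c * r2) % Q)


def verify_scaled(k, C, C2, proof):
    """Recompute both commitments-to-randomness and check the hash."""
    c, sb, sa, sg = proof
    gk = pow(G, k, P)
    t1 = pow(G, sb, P) * pow(H_BASE, sa, P) * pow(C, c, P) % P
    t2 = pow(gk, sb, P) * pow(H_BASE, sg, P) * pow(C2, c, P) % P
    return c == challenge(k, C, C2, t1, t2)
```

Replacing (g^k)^β by C_1^β or by (C_2/C_1)^β in prove_scaled/verify_scaled gives the product and inverse relations analysed on the example-proof slides; the verification pattern (response exponents times the public value raised to c) stays the same.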
Putting things together

Realizing Pseudonyms and Key Binding
Let G = ⟨g⟩ = ⟨h⟩ of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better
Issuing a credential (diagram: a credential with Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m_1, …, m_k:
– m_1, …, m_k ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
  → d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
– The user commits to m_1, …, m_j and sends the commitment together with the clear messages (m_{j+1}, …, m_k)
– The signer outputs σ = sig((commitment to m_1, …, m_j; m_{j+1}, …, m_k), ·)
– Verification remains unchanged: ver(σ, (m_1, …, m_k), ·) = true
Security requirements basically the same as for signatures, but:
• the signer should not learn any information about m_1, …, m_j
• forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
1. User computes C = a_1^{sk} b^{s'} and sends C together with her name
2. User proves PK{(μ_1, σ'): C = a_1^{μ_1} b^{σ'}}
3. Issuer chooses e, s'' and computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n; returns (c, e, s'')
4. Now d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n), i.e., (c, e, s'' + s') is a signature on (sk, name)

Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} h^r
1. User computes C = a_1^{sk} a_2^r b^{s'} and sends C, Nym and her name
2. User proves PK{(μ_1, ρ, σ'): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^{σ'}}
3. Issuer stores (Nym, name), chooses e, s'' and computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n; returns (c, e, s'')
4. Now d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)

An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with
  d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
– The credential can contain attributes (e.g., course ID) about her
(Issuer public key: (n, a_1, a_2, b, d))
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym: P = g_d^{sk} = H(pollID)^{sk}
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential:
– c' = c b^{s'} mod n with randomly chosen s'
– SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
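The domain-pseudonym part of the polling solution as an added example (illustration code, not the talk's or Identity Mixer's own): a pseudonym P = H(pollID)^sk that is stable inside one poll, so the pollster can drop repeated submissions, while pseudonyms for different polls are unlinkable under DDH. It assumes the toy group p = 1019, q = 509 and a constructed hash-to-group mapping (hash, then square, so that log_g g_d is unknown); the SPK that binds P to the credential is not shown here.

```python
import hashlib

P, Q, G = 1019, 509, 4   # toy safe-prime group (assumption); a real system uses a large one


def hash_to_group(domain):
    """g_d = H(pollID): hash into the order-q subgroup of Z_p^* (p = 2q + 1) by
    squaring, so nobody knows log_g g_d. Constructed mapping for this example."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g_d > 1:
            return g_d
        counter += 1


def domain_pseudonym(sk, domain):
    """P = g_d^sk: the same user always gets the same P inside one domain, while
    P_1 = H(pollID_1)^sk and P_2 = H(pollID_2)^sk are unlinkable under DDH."""
    return pow(hash_to_group(domain), sk, P)


class Poll:
    """Pollster side: one opinion per domain pseudonym; repeats are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False
        self.opinions[pseudonym] = opinion
        return True


def demo():
    """Alice (sk 123) and Bob (sk 456) vote; Alice tries twice. Constructed data."""
    poll = Poll("course-eval-2015")
    alice_first = poll.submit(domain_pseudonym(123, poll.poll_id), "great course")
    alice_again = poll.submit(domain_pseudonym(123, poll.poll_id), "still great")
    bob = poll.submit(domain_pseudonym(456, poll.poll_id), "fine")
    cross_domain_differs = (domain_pseudonym(123, "course-eval-2015")
                            != domain_pseudonym(123, "campus-survey"))
    return alice_first, alice_again, bob, len(poll.opinions), cross_domain_differs
```

In this toy group two domains collide with probability 1/q, so cross_domain_differs is returned for inspection rather than relied upon; with a real group size the collision probability is negligible.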
Further Concepts

Concept – Inspection
• If the car is damaged, the ID with insurance or government needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
(Diagram: TTP, inspector parameters, inspection grounds)
Public Key Encryption
– Key generation
– Encryption
– Decryption
Security: like envelopes, no information about the message leaks; given an encryption of one of two messages, nobody can tell which one was encrypted. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption
• Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
• Of pseudonyms (group elements): Cramer-Shoup (DL) or rarely ElGamal (DL)
• Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = ⟨g⟩ of order q
Secret key: x ∈ {1, …, q}; public key: y = g^x
To encrypt message m ∈ ⟨g⟩:
– choose random r ∈ {1, …, q}
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c_1, c_2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c_1 c_2^{−x} = y^r m g^{−xr} = y^{r−r} m = m
Realizing Inspection
The user holds Nym = g^{sk} h^r and the credential d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n); the inspector's public key is y = g^x
– Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u Nym, g^u) = (e_1, e_2)
– Compute proof token (presentation token):
  – compute c' = c b^t mod n with randomly chosen t
  – compute proof
    PK{(ε, μ_1, μ_2, μ_3, σ, ρ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
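ElGamal encryption of a pseudonym under the inspector's key, the verifiable-encryption proof e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ with the label bound into the challenge, and the inspector's decryption, as one added worked example (illustration code, not Identity Mixer's or the Camenisch-Shoup scheme). It assumes the toy group p = 1019, q = 509 with generators g = 4 and h = 9 (log_g h taken as unknown), SHA-256 as the Fiat-Shamir hash, and a constructed registry; the CL-signature conjunct of the slide's proof is not shown.

```python
import hashlib
import secrets

# Toy group (assumption): p = 2q + 1; g = 4 and h = 9 both generate the order-q
# subgroup and log_g h is taken to be unknown. Far too small for real use.
P, Q, G, HB = 1019, 509, 4, 9


def inspector_keygen():
    """ElGamal key of the inspector (the off-line TTP): x, y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def make_pseudonym(sk):
    """Nym = g^sk h^r with fresh r."""
    r = secrets.randbelow(Q)
    return pow(G, sk, P) * pow(HB, r, P) % P, r


def encrypt(y, m):
    """ElGamal: (e1, e2) = (y^u m, g^u); u is returned so the prover can build the proof."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * m % P, pow(G, u, P)), u


def decrypt(x, ct):
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P          # e1 / e2^x


def challenge(*vals):
    data = b"|".join(v if isinstance(v, bytes) else str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_encryption(y, ct, label, u, sk, r):
    """SPK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2  AND  e2 = g^rho}(label):
    the ciphertext encrypts a pseudonym whose opening (sk, r) the prover knows.
    The label (e.g. the inspection grounds) is bound into the challenge."""
    e1, e2 = ct
    k_rho, k1, k2 = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(y, k_rho, P) * pow(G, k1, P) * pow(HB, k2, P) % P
    t2 = pow(G, k_rho, P)
    c = challenge(y, e1, e2, t1, t2, label)
    return c, (k_rho - c * u) % Q, (k1 - c * sk) % Q, (k2 - c * r) % Q


def verify_encryption(y, ct, label, proof):
    """Verifier side: needs only the inspector's public key, the ciphertext and the label."""
    e1, e2 = ct
    c, s_rho, s1, s2 = proof
    t1 = pow(y, s_rho, P) * pow(G, s1, P) * pow(HB, s2, P) * pow(e1, c, P) % P
    t2 = pow(G, s_rho, P) * pow(e2, c, P) % P
    return c == challenge(y, e1, e2, t1, t2, label)


def inspect(x, ct, registry):
    """Inspector decrypts and maps the pseudonym back to the registered identity."""
    return registry.get(decrypt(x, ct))
```

The verifier learns nothing about Nym (ElGamal is semantically secure and the proof is zero-knowledge), yet is convinced that the inspector could recover it; presenting the same proof under a different label fails, which is the slide's "change of label is a new ciphertext".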
Revocation of credentials

Anonymous Credential Revocation
(Diagram: the issuer publishes revocation info; the verifier looks it up)
– Alice should be able to convince the verifier that her credential is among the good ones
– Various reasons to revoke a credential: user lost credential/secret key, misbehavior of user
– Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for u_j in (u_1, …, u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks whether U = h^{u_j} for any u_j on the list (if so, the credential is revoked)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable!
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_i = h^{u_i} → single table lookup
– BUT: if the user comes again, the verifier can link! ALSO: the verifier could not change h at all, or use the same h as other verifiers
– One way out: h = H(verifier, date), so the user can check correctness
– The date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
Revocable Credentials: Second Solution
… better implementation of the proof
– The issuer signs the intervals between revoked serial numbers: for revocation list {1, 4, 5} it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)
– The credential contains a serial number (3 in the diagram); the user proves knowledge of Sig(i, j) with i < 3 < j
– The verifier does not learn i, j
– Sig(i, j) can be realised also with the credential signature scheme, using a different public key
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators
Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– the witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j−1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: show (e, x) s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation38 August 11 2015
Concept – Usage Limitation
Degree of anonymity can be limited:
- If Alice and Eve are on-line at the same time, they are caught
- Use limitation, anonymous until: Alice used her certs > 100 times in total, or > 10,000 times with Bob
- Alice's cert can be bound to a hardware token (e.g. TPM)
A couple of use cases

Age verification
- Movie streaming services
- Gaming industry
- Online gambling platforms
- Dating websites
- Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation

Healthcare
- Anonymous access to patients' records: accessing medical test results
- Anonymous consultations with specialists: online chat with a psychologist, online consultation with IBM Watson
- Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
- Anonymous treatment of patients (while enabling access control and payments)

Subscriptions, membership
- Patent databases
- DNA databases
- News, journals, magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
(Figure: user side and verifier side, each with three layers. Application layer: the application issues a resource request; the user's Wallet and the verifier's access-control & application logic exchange a presentation policy and a presentation token. Policy layer: on the user side a policy/credential matcher, credential manager, store and evidence-generation orchestration; on the verifier side a policy/token matcher, token manager, store and evidence-verification orchestration. Crypto layer on both sides: signatures, encryption, commitments and zero-knowledge proofs, with a key store.)
Privacy-protecting authentication with Privacy ABCs
(Figure: User and Verifier. Issuer parameters and a credential specification define the credential; verifier parameters define the presentation policy, here "12 < age". The user holds a credential and a pseudonym, receives the presentation policy and answers with a presentation token.)
The Policy Layer – An Example Presentation Policy

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response).
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>. The prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.

Prover (knows x, y = g^x)                   Verifier
  random r, t = g^r          ---- t ---->
                             <--- c -----   random c
  s = r - c·x                ---- s ---->   check t = g^s y^c

Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.

Run the prover twice from the same t with challenges c ≠ c', obtaining (t, c, s) and (t, c', s'):
  t = g^s y^c = g^{s'} y^{c'}  →  y^{c'-c} = g^{s-s'}
  →  y = g^{(s-s')/(c'-c)}
  →  x = (s-s')/(c'-c) mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees".
- Choose random c', s' and compute t = g^{s'} y^{c'}; send t
- Receive c; if c = c', send s = s', otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge.

Prover (knows x, y = g^x)                   Verifier
                             <--- h -----   random c_v, h = H(c_v)
  random r, t = g^r          ---- t ---->
                             <-- c_v ----
  check h = H(c_v),
  s = r - c_v·x              ---- s ---->   check t = g^s y^{c_v}

Notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
Simulation for the modified protocol (large domain for c):
- Receive h; choose random c', s' and compute t = g^{s'} y^{c'}; send t
- After having received c_v, "reboot" the verifier to the point after it sent h
- Choose random s and compute t = g^s y^{c_v}; send t
- The verifier is committed to c_v and sends it again; send s
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q and compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s y^c || m)   ↔   t = g^s y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
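The Schnorr protocol, the rewinding extractor and the simulator from the slides above, together with the Fiat-Shamir signature SPK{(α): y = g^α}(m), as an added runnable example that is not part of the original deck. It uses a constructed toy group (p = 1019, q = 509, g = 4) that is far too small for real use.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Interactive PK{(alpha): y = g^alpha} ---------------------------------------

def prover_commit():
    """Move 1: prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Verifier accepts iff t = g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    r, t = prover_commit()
    c = secrets.randbelow(Q)                  # move 2: verifier's challenge
    return verifier_check(y, t, c, prover_respond(x, r, c))


# --- Soundness: extract x from two accepting transcripts with the same t --------

def extract(c1, s1, c2, s2):
    """g^s1 y^c1 = g^s2 y^c2 = t  =>  y^(c1-c2) = g^(s2-s1)  =>  x = (s1-s2)/(c2-c1)."""
    if c1 == c2:
        raise ValueError("need two different challenges for the same t")
    return (s1 - s2) * pow(c2 - c1, -1, Q) % Q


def rewind_and_extract(x, y):
    """Treat the prover as a black box: reset it after move 1, rerun with a new c."""
    r, t = prover_commit()
    c1, c2 = 1, 2                             # any two distinct challenges
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    if not (verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)):
        raise ValueError("prover did not convince the verifier twice")
    return extract(c1, s1, c2, s2)


# --- Zero-knowledge: simulate an accepting transcript without knowing x -------

def simulate(y, c):
    """Choose s first, then t = g^s y^c; (t, c, s) verifies and is distributed
    exactly like an honest transcript, so the verifier learns nothing."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# --- Fiat-Shamir: SPK{(alpha): y = g^alpha}(m), i.e. a Schnorr signature ------

def hash_challenge(t, m):
    """c = H(t || m) replaces the verifier's random challenge."""
    digest = hashlib.sha256(t.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    r, t = prover_commit()
    c = hash_challenge(t, m)
    return c, prover_respond(x, r, c)


def verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P       # recompute t = g^s y^c
    return c == hash_challenge(t, m)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", run_protocol(x, y))
    print("extracted secret matches:", rewind_and_extract(x, y) == x)
    print("simulated transcript accepted:", verifier_check(y, *simulate(y, 7)))
    print("signature verifies:", verify(y, b"hello", sign(x, b"hello")))
```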
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}} mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = g^{α1} g^{α2} h^{β3} = g^{α1 + α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)

And what about PK{(α1, …, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5α2} h^{β3} = g^{α1 + 5α2} h^{β3}
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β3'): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{β3'}} mean?
→ The prover knows values α1, β1, α2, β2, β3, β3' such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = C2^{α1} h^{β3'} = (g^{α2} h^{β2})^{α1} h^{β3'} = g^{α2·α1} h^{β3' + β2·α1}
  C3 = g^{α2·α1} h^{β3' + β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)

And what about PK{(α1, β1, β2, β2'): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{β2'}}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β2'): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β2'}} mean?
→ The prover knows values α1, β1, β2' such that
  C1 = g^{α1} h^{β1}
  g = (C2/C1)^{α1} h^{β2'} = (C2 g^{-α1} h^{-β1})^{α1} h^{β2'}
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β2'/α1}
  C2 = g^{α1} h^{β1} h^{-β2'/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β2'/α1}
  C2 = g^{α2} h^{β2}
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.)

Signature schemes
Signature Scheme Functionality
- Key generation: the signer generates a key pair (sk, pk)
- Signing: σ = sig((m1, …, mk); sk)
- Verification: ver(σ, (m1, …, mk); pk) = true

Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary adaptively obtains signatures (m1, σ1), …, (ml, σl) on messages of its choice and must not be able to output σ and m ≠ mi s.t. ver(σ, m; pk) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1); s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ:
- choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute c:
  c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n
- the signature is (c, e, s)

To verify a signature (c, e, s) on messages m1, …, mk:
- m1, …, mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a_1^{m_1} a_2^{m_2} b^s mod n
Observe: let c' = c b^t mod n with randomly chosen t. Then d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m1 and m2.
To prove knowledge of the signature (c', e, s') on m2 and some m1: provide c' and
  PK{(ε, μ1, σ): d / a_2^{m_2} = c'^ε a_1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a_1^{μ1} a_2^{m_2} b^σ
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs.)

Commitment scheme
Commitment Scheme Functionality
(Figure: the committer places a message m, e.g. the value 2-36-17, into a commitment; later the commitment is opened and the verifier learns m.)

Commitment Scheme Security
- Binding: a commitment cannot be opened to two different messages (in the figure, not to both 2-36-17 and 3-21-11)
- Hiding: for all messages m, m', a commitment to m and a commitment to m' cannot be told apart
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
- reveal x and r to the verifier
- the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding: let c be a commitment and u = log_g h.
  Thus c = g^x h^r = g^{x + ur} = g^{(x + u(r - r')) + ur'} = g^{x + u(r - r')} h^{r'} for any r'
  I.e. given c and any x', there exists r' such that c = g^{x'} h^{r'} (namely r' = r + (x - x')/u), so c reveals nothing about x.
Computationally binding: let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}.
  Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q, i.e. opening c in two ways reveals the discrete logarithm of h.
Commitment Scheme Extended Features
- Proof of knowledge of contents: prove knowledge of the m inside a commitment
- Proof of relations among contents: e.g. prove m' = 2·m for commitments to m and m'
Let C = g^m h^r and C' = g^{m'} h^{r'}, then
  PK{(α, β): C = g^β h^α}
  PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} h^r
Like PKI, but better: issuing a credential

Privacy-protecting authentication with Privacy ABCs
Concept: credentials
(Figure: a credential with attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk:
- m1, …, mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
  → d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(Figure: the user commits to m1, …, mj; the signer signs the commitment together with the clear messages mj+1, …, mk, σ = sig((commitment to m1, …, mj, mj+1, …, mk); sk), and the user obtains a signature with ver(σ, (m1, …, mk); pk) = true.)
Verification remains unchanged. Security requirements are basically the same as for signatures, but
- the signer should not learn any information about m1, …, mj
- forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
1. The user computes C = a_1^{sk} b^{s'} and sends C together with her name
2. The user proves PK{(μ1, σ'): C = a_1^{μ1} b^{σ'}}
3. The issuer chooses e, s'' and computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n, and sends (c, e, s'') to the user
4. Result: d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n), a signature on (sk, name)

Realizing Issuance of Credential: want to sign w.r.t. Nym = g^{sk} h^r
1. The user sends Nym, her name and C = a_1^{sk} a_2^{r} b^{s'}
2. The user proves PK{(μ1, ρ, σ'): Nym = g^{μ1} h^ρ ∧ C = a_1^{μ1} a_2^{ρ} b^{σ'}}
3. The issuer computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n, stores (Nym, name) and sends (c, e, s'')
4. Result: d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} (mod n)
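An added example (not the Identity Mixer code) of the CL signature defined above and of issuance on a hidden secret key: sign, verify with the range checks, re-randomize via c' = c·b^t, and the user-commits / issuer-signs / user-combines flow. It assumes a constructed toy modulus n = 1000000007 · 998244353, ℓ = 16 and three bases; the user's zero-knowledge proof of the commitment's opening is left out.

```python
import math
import secrets

# Toy RSA modulus, constructed for illustration (far too small for real use).
# The factors are the issuer's secret key; e must be coprime to phi(n).
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
L = 16                            # message length ell in bits


def qr(seed):
    """Public bases a_i, b, d must be quadratic residues mod n."""
    return pow(seed, 2, N)


A = [qr(3), qr(5), qr(7)]          # a_1, a_2, a_3
B, D = qr(11), qr(13)


def is_prime(n):
    """Trial division: adequate for the toy range of e."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def random_prime_e():
    """Random prime e with 2^(L+1) < e < 2^(L+2) that is invertible mod phi(n)."""
    while True:
        e = 2 ** (L + 1) + secrets.randbelow(2 ** (L + 1))
        if is_prime(e) and math.gcd(e, PHI) == 1:
            return e


def bases_product(msgs, s):
    """a_1^m_1 ... a_k^m_k b^s mod n (a negative s uses the inverse of b)."""
    out = pow(B, s, N)
    for a, m in zip(A, msgs):
        out = out * pow(a, m, N) % N
    return out


def sign(msgs):
    """Issuer: c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n; output (c, e, s)."""
    e, s = random_prime_e(), secrets.randbelow(N)
    c = pow(D * pow(bases_product(msgs, s), -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s


def verify(msgs, sig):
    """Anyone: m_i in {0,1}^L, 2^(L+1) < e < 2^(L+2), d = c^e a_1^m_1 ... b^s."""
    c, e, s = sig
    if not all(0 <= m < 2 ** L for m in msgs):
        return False
    if not 2 ** (L + 1) < e < 2 ** (L + 2):
        return False
    return pow(c, e, N) * bases_product(msgs, s) % N == D


def randomize(sig):
    """(c b^t, e, s - e t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t


# Issuance on a hidden secret key sk ("Realizing Issuance of Credential"):
# the user sends C = a_1^sk b^s' (and, in the real protocol, proves in ZK that
# she knows sk and s'); the issuer signs C together with the clear attributes.
def user_commit(sk):
    s1 = secrets.randbelow(N)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1


def issuer_sign_hidden(C, clear_msgs):
    """c = (d / (C a_2^m_2 ... a_k^m_k b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e, s2 = random_prime_e(), secrets.randbelow(N)
    rest = C * bases_product([0] + clear_msgs, s2) % N   # a_1's slot is taken by C
    c = pow(D * pow(rest, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def user_finish(sig, s1):
    """s = s'' + s' turns the blindly issued triple into an ordinary CL signature."""
    c, e, s2 = sig
    return c, e, s2 + s1
```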
An Example Scenario

Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling – Solution: Registration
Issuer public key: (n, a1, a2, b, d)
- The user generates a pseudonym (ID for registration)
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s (mod n)
- The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym (domain = pollID)
2. The user transforms her credential
3. Transformed credential with a subset of the attributes:
   - the user is anonymous and unlinkable
   - multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms her credential:
   - c' = c b^{s'} mod n with randomly chosen s'
   - SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a_1^{μ1} a_2^{μ2} a_3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts

Concept – Inspection
(Figure: the user's presentation token contains a verifiable encryption of an attribute under the inspector's (TTP's) parameters, together with the inspection grounds.)
- If the car is damaged, the ID with the insurance or gov't needs to be retrieved
- Similarly, verifiably encrypt any certified attribute (optional)
- The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
(Figure: key generation, encryption, decryption.)

Security: like envelopes
(Figure: the ciphertext reveals no info about the message; an observer cannot tell which of two messages an envelope contains.)
This is called semantic security (secure if used once only or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, …, q}. Public key: y = g^x
To encrypt a message m ∈ <g>:
- choose random r ∈ {1, …, q}
- compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r m, g^r) = (g^{xr} m, g^r)
- thus set m = c1 c2^{-x} = y^r m g^{-xr} = y^{r - r} m = m
Realizing Inspection
Given Nym = g^{sk} h^r, the credential d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} (mod n), and the inspector's public key y = g^x:
Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute the proof token (presentation token):
- compute c' = c b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a_1^{μ1} a_2^{μ2} a_3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
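An added example (not from the deck) of the generic proof-of-knowledge-of-representation machinery behind the PK/SPK expressions used from slide 88 on: one Fiat-Shamir prover/verifier for an AND of equations target_j = Π base^witness with witnesses shared across equations, applied to the commitment relation m' = 2m of slide 88 and to a polling/inspection token that binds the domain pseudonym P = H(pollID)^sk to an ElGamal encryption of Nym = g^sk h^r under the inspector's key. The CL-credential equation of the inspection slide is omitted (it lives in the RSA group); the group p = 1019, q = 509, g = 4, h = 9 is a constructed toy.

```python
import hashlib
import secrets

# Toy group, constructed for illustration (far too small for real use):
# p = 2q+1; g = 4 and h = 9 are squares, hence generate the order-q subgroup.
# In practice nobody may know log_g h; here it is merely unknown to the reader.
P, Q, G, H = 1019, 509, 4, 9


def prod(values):
    out = 1
    for v in values:
        out = out * v % P
    return out


def hash_to_group(label):
    """Domain base g_d = H(pollID): squaring puts it into the order-q subgroup."""
    digest = int.from_bytes(hashlib.sha256(label).digest(), "big")
    return pow(digest % P, 2, P) or G         # avoid the degenerate value 0


def challenge(statement, ts, msg):
    """c = H(statement || commitments || msg) (Fiat-Shamir)."""
    h = hashlib.sha256(msg)
    for (target, terms), t in zip(statement, ts):
        h.update(repr((target, [b for b, _ in terms], t)).encode())
    return int.from_bytes(h.digest(), "big") % Q


def prove(statement, witness, msg=b""):
    """SPK{(w_1..w_k): AND_j target_j = prod base^w}(msg).

    statement: list of (target, [(base, witness_name), ...]).  A witness name
    that appears in several equations is thereby proven equal across them,
    which is how relations such as m' = 2m or key binding are expressed."""
    r = {n: secrets.randbelow(Q) for n in witness}
    ts = [prod(pow(b, r[n], P) for b, n in terms) for _, terms in statement]
    c = challenge(statement, ts, msg)
    return c, {n: (r[n] - c * w) % Q for n, w in witness.items()}


def verify(statement, proof, msg=b""):
    c, s = proof
    if set(s) != {n for _, terms in statement for _, n in terms}:
        return False
    # t_j = prod base^s * target_j^c must reproduce the hashed commitments
    ts = [prod(pow(b, s[n], P) for b, n in terms) * pow(tgt, c, P) % P
          for tgt, terms in statement]
    return c == challenge(statement, ts, msg)


# (a) Slide 88: C = g^m h^r and C' = (g^2)^m h^r' commit to m and 2m;
#     PK{(alpha, beta, gamma): C = g^beta h^alpha AND C' = (g^2)^beta h^gamma}.
def commit(m):
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(H, r, P) % P, r


def prove_double(m, C, r, C2, r2):
    stmt = [(C, [(G, "m"), (H, "r")]),
            (C2, [(pow(G, 2, P), "m"), (H, "r2")])]
    return stmt, prove(stmt, {"m": m, "r": r, "r2": r2})


# (b) Polling token with inspection: domain pseudonym P_d = g_d^sk and an
#     ElGamal encryption (e1, e2) = (y^u Nym, g^u) of Nym = g^sk h^r under the
#     inspector key y, with the same sk in both; the opinion is the signed
#     message.  (The CL-credential equation of the slide is not modelled.)
def present(sk, r, poll_id, y, opinion):
    gd = hash_to_group(poll_id)
    u = secrets.randbelow(Q)
    nym = pow(G, sk, P) * pow(H, r, P) % P
    e1, e2 = pow(y, u, P) * nym % P, pow(G, u, P)
    stmt = [(pow(gd, sk, P), [(gd, "sk")]),
            (e1, [(y, "u"), (G, "sk"), (H, "r")]),
            (e2, [(G, "u")])]
    return stmt, prove(stmt, {"sk": sk, "r": r, "u": u}, opinion)


def domain_pseudonym(stmt):
    """The verifier stores this value per poll to drop repeated opinions."""
    return stmt[0][0]


def inspect(x, stmt):
    """Inspector with secret x recovers Nym = e1 * e2^(-x) from the token."""
    e1, e2 = stmt[1][0], stmt[2][0]
    return e1 * pow(e2, -x, P) % P
```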
Revocation of credentials

Anonymous Credential Revocation
(Figure: the issuer publishes revocation info; the verifier looks it up.)
Various reasons to revoke a credential: the user lost the credential or secret key, misbehavior of the user
Alice should be able to convince the verifier that her credential is among the good ones
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, …, uk)
Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for u_j in (u1, …, uk)
- prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u1, …, uk)
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
- the verifier checks whether U = h^{u_j} for any u_j on the list (and rejects if so)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
- it can pre-compute the list U_j = h^{u_j} → single table lookup
- BUT if the user comes again, the verifier can link her; ALSO the verifier could not change h at all, or use the same h as other verifiers
- one way out: h = H(verifier, date), so the user can check correctness
- date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – … better implementation of the proof
(Figure: serial numbers 0 … N with revocation list {1, 4, 5}; the issuer signs the intervals between revoked values, Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N). A credential with serial number 3 proves that it contains i, j with i < 3 < j and that it holds Sig(i,j).)
- The issuer signs the intervals between revoked serial numbers → revocation list {1, 4, 5}
- The verifier does not learn i, j
- Sig(i,j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
(Figure: an accumulator containing the serial numbers 1 … 6; a credential contains the random serial number 2 and proves that 2 is included in the accumulator, which requires a witness. To revoke 2, the issuer publishes a new accumulator.)
- The issuer accumulates all good serial numbers
- Credentials contain a random serial number
- The proof that a serial number is included requires a witness
- To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
- values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: show an x s.t. z = x^e mod n for an e that is not contained in the accumulator
- for fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets the witness x with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- commit to x: choose random s and g, compute U1 = x h^s, U2 = g^s, and reveal U1, U2, g
- run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
- No information about x and e is revealed: (U1, U2) is a secure commitment to x, and the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 h^{-δ})^μ (mod n)
  c) d = c^ε a_1^ρ a_2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator: when a new user gets a certificate containing e_new
- Recall z = v^{Π e_i} mod n
- Thus z' = z^{e_new} mod n
- But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
- Now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- Witness: use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
- Now x' = x^b z'^a mod n
- Why: x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
  = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
  = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
  = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
  = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- Recall z = v^{Π e_i} mod n. Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
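An added example (not the Camenisch-Lysyanskaya implementation) of the dynamic RSA accumulator from the Third Solution slides: accumulate, witness check, public add with witness update, the trapdoor add of the improved variant, revocation via z^{1/e_rev}, and the extended-Euclid witness update x' = x^b z'^a. It assumes the constructed toy modulus n = 1000000007 · 998244353 and small prime credential values.

```python
# Toy RSA modulus, constructed for illustration: the issuer knows the factors
# (needed for revocation and for the "improved" trapdoor add); far too small
# for real use. Accumulated values are the primes e_i carried in credentials.
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
V = pow(3, 2, N)                  # seed v in QR_n


def accumulate(es):
    """z = v^(prod e_i) mod n, and witnesses x_j = v^(prod_{i != j} e_i)."""
    z = V
    for e in es:
        z = pow(z, e, N)
    witnesses = {}
    for j, ej in enumerate(es):
        x = V
        for i, e in enumerate(es):
            if i != j:
                x = pow(x, e, N)
        witnesses[ej] = x
    return z, witnesses


def check(z, e, x):
    """Verifier: e is in the accumulator iff z = x^e mod n."""
    return pow(x, e, N) == z


def add_public(z, witnesses, e_new):
    """Without the factorization: z' = z^e_new, every x' = x^e_new, and the
    newcomer's witness is the old z (since z'^1 = z^e_new)."""
    z_new = pow(z, e_new, N)
    updated = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    updated[e_new] = z
    return z_new, updated


def add_trapdoor(z, e_new):
    """Issuer knowing phi(n): z stays as it is, newcomer gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke(z, e_rev):
    """Issuer: z' = z^(1/e_rev) mod n, i.e. v^(prod of the remaining e_i)."""
    return pow(z, pow(e_rev, -1, PHI), N)


def egcd(a, b):
    """Extended Euclid: returns (gcd, s, t) with s*a + t*b = gcd."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def update_witness(x, e_own, z_new, e_rev):
    """Holder of e_own, after e_rev was revoked and z_new published:
    a*e_own + b*e_rev = 1 (ext. Euclid), then x' = x^b z_new^a mod n.
    Correct because x^e_own = z_old = z_new^e_rev, so
    x'^e_own = z_new^(b e_rev + a e_own) = z_new."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x, b, N) * pow(z_new, a, N) % N   # negative exponent = inverse


if __name__ == "__main__":
    es = [1009, 1013, 1019, 1021]
    z, w = accumulate(es)
    z2, w2 = add_public(z, w, 1031)
    z3 = revoke(z2, 1013)
    print("revoked witness still valid:", check(z3, 1013, w2[1013]))
    print("updated witness valid:", check(z3, 1009, update_witness(w2[1009], 1009, z3, 1013)))
```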
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer

Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
- the user sends U = a_1^{m_1} a_2^{m_2} b^{s'}
- the issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n, returning (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i:
- choose e_i, s_i''
- c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag.
- J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
- J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185-215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets with Observers. In CRYPTO '93, Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84-88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. In CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126-144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. CRYPTO '84.
A couple of use cases
Age verification
Movie streaming services
Gaming industry
Online gambling platforms
Dating websites
Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth: privacy and compliance with age-related legislation.
Healthcare
Anonymous access to patients' records, e.g. accessing medical test results
Anonymous consultations with specialists, e.g. online chat with a psychologist, online consultation with IBM Watson
Eligibility for premium health insurance: proving that the body mass index (BMI) is in a certain range without disclosing the exact weight, height or BMI
Anonymous treatment of patients (while enabling access control and payments)
Subscriptions membership
Patent databases
DNA databases
News, journals, magazines
Transportation tickets, toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
Polls recommendation platforms
Online polls: applying different restrictions on the poll participants (location, citizenship)
Rating and feedback platforms: anonymous feedback for a course only from the students who attended it, wikis, recommendation platforms
Providing anonymous but at the same time legitimate feedback
Towards Realizing Anonymous Creds
A Software Stack View on Identity Mixer
Application layer: the application issues a resource request; the verifier answers with a presentation policy and the user returns a presentation token. Access control and application logic live here.
Policy layer, user side (the Wallet): policy/credential matcher, credential manager, credential store, evidence-generation orchestration.
Policy layer, verifier side: policy/token matcher, token manager, token store, evidence-verification orchestration.
Crypto layer, both sides: signatures, encryption, commitments and zero-knowledge proofs (Sig, Enc, Com, ZKP) over a key/credential store.
Privacy-protecting authentication with Privacy ABCs
Artefacts: the issuer publishes a credential specification and issuer parameters and issues a credential to the user; the verifier publishes a presentation policy (verifier parameter), e.g. "12 < age"; the user answers with a presentation token, optionally under a pseudonym.
The Policy Layer: An Example Presentation Policy
The verifier sends the presentation policy to the user; the user answers with a presentation token.
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So lets look at the cryptography
Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.
zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Three-move structure: commitment, challenge, response.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group <g> of order q and an element y ∈ <g>.
The prover wants to convince the verifier that she knows x such that y = g^x, such that the verifier only learns y and g.
Prover: choose random r ∈ Z_q, compute t = g^r, send t.
Verifier: choose random c, send c.
Prover: compute s = r - c·x mod q, send s.
Verifier: accept iff t = g^s y^c.
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret must be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same state: it sends the same t; we answer with challenges c and c' ≠ c and receive s and s'. Both transcripts verify, so
t = g^s y^c = g^{s'} y^{c'} → y^{c - c'} = g^{s' - s}
→ y = g^{(s' - s)/(c - c')}
→ x = (s' - s)/(c - c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees" without knowing x.
Simulator: choose random c̃ and s̃, compute t = g^{s̃} y^{c̃} and send t; receive the verifier's challenge c; if c = c̃ send s = s̃, otherwise reset the verifier and restart. The resulting transcripts (t, c, s) are distributed exactly like real ones.
Problem: if the domain of c is too large, the success probability of each attempt (1 / size of the domain) becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier commits to its challenge first.
Verifier: choose random c and v, compute h = H(c, v), send h.
Prover: choose random r, compute t = g^r, send t.
Verifier: send (c, v).
Prover: check h = H(c, v), compute s = r - c·x mod q, send s.
Verifier: accept iff t = g^s y^c.
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
Simulation of the modified protocol: after receiving h, the simulator sends some t (e.g. t = g^{s̃} y^{c̃} for guessed c̃, s̃) and receives (c, v) from the verifier. It then "reboots" the verifier to the point right after it sent h. Because h = H(c, v) commits the verifier to c, the verifier will send the same c again. Now the simulator chooses random s, computes t = g^s y^c, sends t, receives (c, v), and sends s. The transcript (h, t, (c, v), s) verifies and was produced without x, for a challenge from an arbitrarily large domain.
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q and
- compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s y^c || m), i.e. recompute t = g^s y^c from (c, s) and check that it hashes to c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
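The interactive protocol, the rewinding extractor, the simulator and the Fiat-Shamir signature SPK{(α): y = g^α}(m) from the slides above, worked through in Python as an added example; this is not code from the talk or from Identity Mixer. The group is a toy Schnorr group p = 2q + 1 with p = 10007, q = 5003, g = 4 (chosen here so the arithmetic stays readable; a deployment needs a group of at least 256-bit order), and SHA-256 plays the random oracle H.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1 with q prime,
# g = 4 generates the subgroup of prime order q. Far too small for real use.
P, Q, G = 10007, 5003, 4


def keygen(x=None):
    """Secret x in Z_q, public y = g^x (x may be supplied for reproducibility)."""
    x = secrets.randbelow(Q) if x is None else x % Q
    return x, pow(G, x, P)


def challenge_hash(t, m):
    """Fiat-Shamir challenge c = H(t || m), reduced into Z_q."""
    data = t.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Prover:
    """Black-box prover for PK{(alpha): y = g^alpha}. Its randomness r is
    fixed at construction, so calling respond() twice models rewinding it
    to the state right after it sent t."""

    def __init__(self, x):
        self.x = x
        self.r = secrets.randbelow(Q)

    def commit(self):
        return pow(G, self.r, P)                 # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q         # s = r - c*x mod q


def verify(y, t, c, s):
    """Verifier's final check: t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_interactive(x, y):
    """One honest run: commit, random challenge, response, check."""
    prover = Prover(x)
    t = prover.commit()
    c = secrets.randbelow(Q)
    return verify(y, t, c, prover.respond(c))


def extract(prover, y):
    """Knowledge extractor: two accepting transcripts with the same t and
    distinct challenges give x = (s' - s) / (c - c') mod q."""
    t = prover.commit()
    c1, c2 = 1, 2
    s1, s2 = prover.respond(c1), prover.respond(c2)   # rewind: same r, new c
    assert verify(y, t, c1, s1) and verify(y, t, c2, s2)
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def simulate(y):
    """Honest-verifier zero-knowledge: pick c and s first, set t = g^s y^c.
    The transcript verifies although no x was used."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def spk_sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): the challenge becomes H(t || m)."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = challenge_hash(t, m)
    return c, (r - c * x) % Q


def spk_verify(y, m, sig):
    """Rebuild t = g^s y^c from the signature and check that it hashes to c."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == challenge_hash(t, m)
```

The extractor is the soundness argument made concrete: it never sees x, only two responses of the same rewound prover. The simulator is the zero-knowledge argument: its transcripts pass verify() with no secret at all, which is exactly why a transcript cannot leak x.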
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ The prover knows values α1, β1, α2, β2, α3, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
C3 = g^α1 g^α2 h^β3 = g^{α1 + α2} h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^{5·α2} h^β3 = g^{α1 + 5·α2} h^β3
→ α3 = α1 + 5·α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now, what does PK{(α1, β1, α2, β2, α3, β3, γ): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^γ} mean?
→ The prover knows values α1, β1, α2, β2, α3, β3, γ such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
C3 = C2^α1 h^γ = (g^α2 h^β2)^α1 h^γ = g^{α2·α1} h^{γ + β2·α1}
C3 = g^{α2·α1} h^{γ + β2·α1} = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, α2, β2, γ): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^γ}?
→ C2 = (g^α1 h^β1)^α1 h^γ = g^{α1·α1} h^{γ + β1·α1} = g^α2 h^β2
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2 be group elements.
Now, what does PK{(α1, β1, α2, β2, γ): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^γ} mean?
→ The prover knows values α1, β1, α2, β2, γ such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2, and
g = (C2/C1)^α1 h^γ = (C2 g^{-α1} h^{-β1})^α1 h^γ
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{γ/α1}
→ C2 = g^α1 h^β1 h^{-γ/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - γ/α1}
Comparing with C2 = g^α2 h^β2:
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
Building blocks in Alice's wallet: a signature scheme, a commitment scheme, and zero-knowledge proofs.
signature schemes
Signature Scheme Functionality
Key generation: the signer generates a secret signing key sk and a public verification key pk.
Signing: on input messages (m1, ..., mk) and sk, output σ = sig((m1, ..., mk), sk).
Verification: on input σ, (m1, ..., mk) and pk, check ver(σ, (m1, ..., mk), pk) = true.
Signature Scheme Security
Unforgeability under adaptive chosen message attack: the adversary gets pk and may ask for signatures σ1, ..., σl on messages m1, ..., ml of its choice, one after the other. It wins if it outputs σ and m ≠ mi (for all i) such that ver(σ, m, pk) = true.
RSA Signature Scheme (for reference)
Rivest, Shamir, and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e,
and a collision-free hash function H: {0,1}* → {0,1}^ℓ.
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1),
s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme (for reference)
Verification of a signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
We want to do a proof of knowledge of a signature on a message, e.g.
PK{(μ, σ): σ^e = H(μ) (mod n)}
But this is not a valid proof expression :-( The proof techniques above handle relations made of exponentiations only; a hash evaluation H(μ) of a hidden value is not such a relation. We need a signature scheme whose verification equation consists only of exponentiations.
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
- choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and a random integer s ≈ n, compute
c = (d / (a1^m1 ··· ak^mk b^s))^{1/e} mod n
- the signature is (c, e, s)
To verify a signature (c, e, s) on messages m1, ..., mk:
- check m1, ..., mk ∈ {0,1}^ℓ and e > 2^{ℓ+1}
- check d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe: let c' = c·b^t mod n with randomly chosen t.
Then d = c'^e a1^m1 a2^m2 b^{s - e·t} (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2.
To prove knowledge of a signature (c', e, s') on m2 (revealed) and some hidden m1: provide c' and run
PK{(ε, μ1, σ): d / a2^m2 = c'^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^μ1 a2^m2 b^σ. Since c' is freshly randomized for every showing, showings of the same signature are unlinkable.
commitment scheme
Commitment Scheme Functionality
Commit: the committer puts a message m (e.g. 2-36-17) into a commitment and hands the commitment to the verifier; the message stays sealed inside.
Open: later the committer reveals m (and the opening information); the verifier checks that the commitment indeed contains m.
Commitment Scheme Security
Binding: a commitment to m (2-36-17) cannot later be opened to a different m' (3-21-11).
Hiding: for all messages m, m', a commitment to m and a commitment to m' look the same to the verifier; the commitment reveals nothing about m.
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
- reveal x and r to the verifier
- the verifier checks whether c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h.
Then c = g^x h^r = g^{x + u·r}. For any x' set r' = r + (x - x')/u; then g^{x'} h^{r'} = g^{x' + u·r'} = g^{x + u·r} = c.
I.e., given c and any x', there exists r' such that c = g^{x'} h^{r'}: the commitment is consistent with every message.
Computationally binding:
Let c, (x, r) and (x', r') be such that c = g^x h^r = g^{x'} h^{r'} with x ≠ x'.
Then g^{x - x'} = h^{r' - r} and u = log_g h = (x - x')/(r' - r) mod q, i.e. whoever opens c in two ways has computed the discrete logarithm of h.
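The two arguments above made constructive in Python, as an added example that is not part of the talk or of Identity Mixer: with the trapdoor u = log_g h (found by brute force, which is only possible because the group is a toy p = 2q + 1 with p = 10007, q = 5003, g = 4, h = 9) any Pedersen commitment can be opened to any value, and two different openings of one commitment hand back exactly that trapdoor. The ElGamal variant from the previous slide is included for contrast: its second component g^r pins down r, so the same trick is rejected even with the trapdoor.

```python
import secrets

# Toy group, constructed for this example (far too small for real use):
# p = 2q + 1, q prime; g = 4 and h = 9 both generate the subgroup of order q.
P, Q = 10007, 5003
G, H = 4, 9


def pedersen_commit(x, r=None):
    """c = g^x h^r with fresh randomness r unless one is supplied."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(G, x, P) * pow(H, r, P) % P, r


def pedersen_open(c, x, r):
    """Verifier's opening check."""
    return c == pow(G, x, P) * pow(H, r, P) % P


def elgamal_commit(x, r=None):
    """(g^x h^r, g^r): the second element fixes r, hence perfectly binding."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return (pow(G, x, P) * pow(H, r, P) % P, pow(G, r, P)), r


def elgamal_open(c, x, r):
    return c == (pow(G, x, P) * pow(H, r, P) % P, pow(G, r, P))


def trapdoor():
    """u = log_g h by exhaustive search; infeasible in a real-size group."""
    acc = 1
    for u in range(Q):
        if acc == H:
            return u
        acc = acc * G % P
    raise ValueError("h is not in <g>")


def equivocate(c, x, r, x_new, u):
    """Perfect hiding, constructively: c = g^(x + u*r), so r' = r + (x - x')/u
    opens the same c to x'. An ordinary committer lacks u and cannot do this,
    but the verifier learns nothing from c because such an r' always exists."""
    r_new = (r + (x - x_new) * pow(u, -1, Q)) % Q
    assert pedersen_open(c, x_new, r_new)
    return r_new


def binding_break_to_dlog(x1, r1, x2, r2):
    """Two openings (x1, r1) != (x2, r2) of one commitment give
    g^(x1 - x2) = h^(r2 - r1), i.e. log_g h = (x1 - x2)/(r2 - r1) mod q."""
    if x1 == x2:
        raise ValueError("same message, nothing broken")
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


def elgamal_equivocate(c, x, r, x_new, u):
    """The Pedersen trick applied to an ElGamal commitment: the first component
    matches, the second (g^r) does not, so the verifier rejects the opening."""
    r_new = (r + (x - x_new) * pow(u, -1, Q)) % Q
    return elgamal_open(c, x_new, r_new)
```

The practical reading: a Pedersen commitment is safe to publish forever (nothing about x is inside it), but the party who generated h must be trusted not to know log_g h, or h must be derived from a nothing-up-my-sleeve value; otherwise binding is gone.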
Commitment Scheme Extended Features
Proof of knowledge of contents: the committer proves that she knows the message m inside a commitment without opening it; the verifier outputs true.
Proof of relations among contents: given commitments to m and m', the committer proves e.g. m' = 2·m; the verifier outputs true.
Let C = g^m h^r and C' = g^{m'} h^{r'}; then
PK{(α, β): C = g^β h^α}
PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^sk h^r
(a Pedersen commitment to sk: different r give unlinkable pseudonyms bound to the same key)
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
Issuing a credential: the issuer signs the user's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user commits to the hidden messages m1, ..., mj and sends the commitment together with the clear messages (mj+1, ..., mk) to the signer; the signer outputs σ = sig((m1, ..., mk), sk) without ever seeing m1, ..., mj.
Verification remains unchanged: ver(σ, (m1, ..., mk), pk) = true.
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about m1, ..., mj
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
1. The user forms C = a1^sk b^{s'} mod n (a commitment to sk under the issuer's bases) and sends C together with the clear attribute name to the issuer, along with
PK{(μ1, σ'): C = a1^μ1 b^σ'}
2. The issuer chooses e and s'' and computes
c = (d / (C a2^name b^{s''}))^{1/e} mod n
and returns (c, e, s'').
3. The user now holds a signature on (sk, name): with s = s'' + s',
d = c^e a1^sk a2^name b^{s'' + s'} (mod n)
Want to sign w.r.t. Nym = g^sk h^r (key binding): the user sends Nym, name and C = a1^sk a2^r b^{s'} together with
PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ'}
The issuer stores (Nym, name), chooses e and s'', and computes
c = (d / (C a3^name b^{s''}))^{1/e} mod n
The resulting credential satisfies
d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n)
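CL signing, verification, the re-randomisation c' = c·b^t from "Proving Knowledge of a CL-signature", and the two-step issuance on a committed secret key shown above, run end to end in Python as an added example; this is not Identity Mixer's code. Parameters are a toy modulus n = 1019 · 10007 (two safe primes, factors known only to the issuer), ℓ = 8-bit attributes, and bases a_i, b, d fixed as small squares. The user's proof PK{(μ1, σ'): C = a1^μ1 b^σ'} that accompanies the commitment is omitted; the issuer here takes C as given.

```python
import math
import secrets

# Toy issuer key, constructed for this example (real: 2048-bit safe primes).
# p = 2p'+1, q = 2q'+1 with p' = 509, q' = 5003 prime; QR_n is cyclic of order p'q'.
P_FAC, Q_FAC = 1019, 10007                         # secret key: the factors of n
N = P_FAC * Q_FAC                                  # public modulus
ORD_QR = (P_FAC - 1) // 2 * ((Q_FAC - 1) // 2)     # order of QR_n, used for e-th roots
L = 8                                              # attribute length: m_i in {0,1}^8
A = [4, 9, 25, 49]                                 # a_1..a_4 in QR_n (squares coprime to n)
B, D = 121, 169                                    # b, d in QR_n


def _is_prime(x):
    return x > 1 and all(x % k for k in range(2, int(x ** 0.5) + 1))


def _random_prime_e():
    """Prime e with 2^(l+1) < e < 2^(l+2), invertible modulo ord(QR_n)."""
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)
        if _is_prime(e) and math.gcd(e, ORD_QR) == 1:
            return e


def _issuer_sign(x):
    """Issuer core step: given x = prod a_i^m_i * b^s' (some factors possibly
    hidden inside a commitment), output (c, e, s'') with d = c^e * x * b^s''.
    The e-th root needs e^-1 mod ord(QR_n), i.e. the factorisation of n."""
    e = _random_prime_e()
    s2 = secrets.randbits(N.bit_length() + L)
    base = D * pow(x * pow(B, s2, N) % N, -1, N) % N      # d / (x * b^s'')
    c = pow(base, pow(e, -1, ORD_QR), N)
    return c, e, s2


def cl_sign(msgs):
    """Plain CL signature on clear messages m_1..m_k."""
    x = math.prod(pow(a, m, N) for a, m in zip(A, msgs)) % N
    return _issuer_sign(x)


def cl_verify(msgs, sig):
    """Range checks on m_i and e, then d == c^e * prod a_i^m_i * b^s."""
    c, e, s = sig
    if not all(0 <= m < 2 ** L for m in msgs):
        return False
    if not 2 ** (L + 1) < e < 2 ** (L + 2):
        return False
    x = math.prod(pow(a, m, N) for a, m in zip(A, msgs)) % N
    return D == pow(c, e, N) * x % N * pow(B, s, N) % N


def randomize(sig, t=None):
    """(c * b^t, e, s - e*t) is another valid signature on the same messages
    (a negative exponent on b is fine, pow() takes the modular inverse)."""
    c, e, s = sig
    t = secrets.randbits(L) if t is None else t
    return c * pow(B, t, N) % N, e, s - e * t


# --- issuance on a hidden message (the user's secret key) -----------------

def user_commit(sk):
    """C = a1^sk * b^s'; in the real protocol sent with PK{(mu1, sigma'): C = a1^mu1 b^sigma'}."""
    s1 = secrets.randbits(N.bit_length())
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1


def issuer_issue(commitment, clear_msgs):
    """Issuer never sees sk: c = (d / (C * a2^name * ... * b^s''))^(1/e)."""
    x = commitment * math.prod(pow(a, m, N) for a, m in zip(A[1:], clear_msgs)) % N
    return _issuer_sign(x)


def user_finish(partial_sig, s1):
    """Fold the user's s' into the issuer's s'': d = c^e a1^sk ... b^(s'' + s')."""
    c, e, s2 = partial_sig
    return c, e, s1 + s2


def issue_credential(sk, clear_msgs):
    """Whole flow; the result verifies under cl_verify([sk] + clear_msgs)."""
    commitment, s1 = user_commit(sk)
    return user_finish(issuer_issue(commitment, clear_msgs), s1)
```

Two things worth noticing when reading the code: the issuer's only privileged operation is the e-th root, which is why the factors of n are the secret key; and cl_verify rejects a signature whose e or messages fall outside the ranges from the theorem, since the Strong-RSA reduction depends on them.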
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.
Polling Solution: Registration
The user generates a pseudonym (ID for registration).
The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e a1^sk a2^r a3^attr b^s (mod n)
under the issuer public key (n, a1, a2, a3, b, d).
The credential can contain attributes (e.g., course ID) about her.
Polling Solution: Submit Poll
1. The user generates a domain pseudonym for domain = pollID
2. The user transforms her credential
3. The user shows the transformed credential with a subset of the attributes
- the user is anonymous and unlinkable
- multiple opinions are detected because the domain pseudonym is unique per user and poll
Polling Solution: Polling
1. Domain pseudonym P = g_d^sk with g_d = H(pollID), i.e. P = H(pollID)^sk
P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms her credential: c' = c·b^t mod n with randomly chosen t, σ = s - e·t, and sends c' together with
SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
The opinion is the signed message, so it cannot be altered in transit; the pollster stores P and drops any further submission under the same P.
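Step 1 and the pollster's duplicate check in Python, as an added example that is not the talk's or Identity Mixer's code: a hash-to-group for g_d = H(pollID), the domain pseudonym P = g_d^sk, and the accept-once logic. The toy group p = 10007, q = 5003 is used again; in a group this small discrete logarithms are brute-forceable, so the code only exercises the mechanics, not the DDH-based unlinkability. The credential proof of step 2 is not part of this block.

```python
import hashlib

# Toy group, constructed for this example: p = 2q + 1 with q prime.
P, Q = 10007, 5003


def domain_generator(poll_id: str) -> int:
    """g_d = H(pollID): hash into Z_p, square to land in the order-q subgroup,
    retry with a counter in the (rare) case the result is 0 or the identity."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{poll_id}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g_d not in (0, 1):
            return g_d
        counter += 1


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = H(pollID)^sk: the same for one (user, poll), different across polls."""
    return pow(domain_generator(poll_id), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym; later submissions are dropped."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.opinions = {}          # domain pseudonym -> opinion

    def submit(self, pseudonym: int, opinion: str) -> bool:
        if pseudonym in self.opinions:
            return False            # second attempt under the same P
        self.opinions[pseudonym] = opinion
        return True

    def tally(self):
        counts = {}
        for opinion in self.opinions.values():
            counts[opinion] = counts.get(opinion, 0) + 1
        return counts


def run_poll(poll_id, submissions):
    """submissions: list of (sk, opinion). Returns (accepted flags, tally).
    Each user derives P locally from her sk; the pollster never sees sk."""
    pollster = Pollster(poll_id)
    accepted = [pollster.submit(domain_pseudonym(sk, poll_id), opinion)
                for sk, opinion in submissions]
    return accepted, pollster.tally()
```

The pollster stores only P values, which, across different pollIDs, are powers of unrelated generators and therefore carry no common identifier to join on.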
Further Concepts
Concept: Inspection
A trusted third party (TTP, the inspector) publishes inspector parameters; the verifier's presentation policy names the inspection grounds under which the inspector may decrypt.
- If the car is damaged, the ID needs to be retrieved with the insurance or government.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes. A ciphertext reveals no information about the message: given the encryption of one of two messages, the adversary cannot tell which one was encrypted.
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
A verifiable encryption comes with a proof that the ciphertext decrypts to a value satisfying a stated relation (e.g. the pseudonym inside a credential), without revealing that value.
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext, so a ciphertext produced under one label does not decrypt under another.
Verifiable Encryption
Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption.
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL).
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient.
Open problem: to find new ones.
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}. Public key: y = g^x
To encrypt a message m ∈ <g>:
- choose random r ∈ {1, ..., q}
- compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r m, g^r) = (g^{xr} m, g^r)
- thus set m = c1 · c2^{-x} = y^r m g^{-xr} = y^r m y^{-r} = m
Realizing Inspection
The user holds Nym = g^sk h^r and a credential (c, e, s) with
d = c^e a1^sk a2^r a3^name b^{s'' + s'} (mod n)
The inspector's public key is y = g^x.
Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u Nym, g^u) = (e1, e2).
Compute the proof token (presentation token):
- compute c' = c·b^t mod n with randomly chosen t, σ = s - e·t
- compute the proof
PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
The same μ1, μ2 appear in the credential clause and inside e1, so the ciphertext provably contains the Nym bound to the credential being shown; the inspector recovers Nym = e1 · e2^{-x}.
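An added example (not the talk's or Identity Mixer's code) of the discrete-log part of the presentation token above: a Fiat-Shamir AND-proof over several representation statements with shared exponents, used once for the relation PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ} from the commitment slides and once for e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ Nym = g^μ1 h^μ2, after which the inspector decrypts. The credential clause d = c'^ε ... over the RSA group, which needs integer commitments and range proofs, is left out. Toy group p = 10007, q = 5003, g = 4, h = 9 as before.

```python
import hashlib
import math
import secrets

# Toy group, constructed for this example (far too small for real use).
P, Q, G, H = 10007, 5003, 4, 9


def _hash_to_zq(*ints):
    data = b"|".join(str(i).encode() for i in ints)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def _public(statements):
    """Everything the verifier knows, fed into the Fiat-Shamir hash."""
    out = []
    for target, rep in statements:
        out.append(target)
        for base, idx in rep:
            out += [base, idx]
    return out


def prove(statements, witness):
    """Non-interactive AND-proof of knowledge of witness = [w_0, w_1, ...]
    such that every (target, [(base, idx), ...]) satisfies
    target = prod base^w_idx.  Sharing an idx across statements proves
    that the same exponent is used in both."""
    r = [secrets.randbelow(Q) for _ in witness]
    ts = [math.prod(pow(b, r[i], P) for b, i in rep) % P for _, rep in statements]
    c = _hash_to_zq(*_public(statements), *ts)
    s = [(ri - c * wi) % Q for ri, wi in zip(r, witness)]
    return c, s


def verify(statements, proof):
    """Recompute t_i = prod base^s_idx * target^c and check the hash."""
    c, s = proof
    ts = [math.prod(pow(b, s[i], P) for b, i in rep) * pow(y, c, P) % P
          for y, rep in statements]
    return c == _hash_to_zq(*_public(statements), *ts)


# --- relation proof: C = g^m h^r and C' = g^(2m) h^r' share m ---------------

def double_statements(c1, c2):
    return [(c1, [(G, 0), (H, 1)]), (c2, [(pow(G, 2, P), 0), (H, 2)])]


def prove_double(m, r, r2):
    c1 = pow(G, m, P) * pow(H, r, P) % P
    c2 = pow(G, 2 * m, P) * pow(H, r2, P) % P
    return c1, c2, prove(double_statements(c1, c2), [m, r, r2])


# --- inspection: verifiable ElGamal encryption of Nym = g^sk h^r -------------

def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def token_statements(nym, e1, e2, y):
    # witness index 0 = sk (mu1), 1 = r (mu2), 2 = u (rho); shared indices
    # tie the Nym shown to the Nym inside the ciphertext.
    return [(nym, [(G, 0), (H, 1)]),
            (e1, [(y, 2), (G, 0), (H, 1)]),
            (e2, [(G, 2)])]


def presentation_token(sk, r, y):
    nym = pow(G, sk, P) * pow(H, r, P) % P
    u = secrets.randbelow(Q)
    e1, e2 = pow(y, u, P) * nym % P, pow(G, u, P)      # ElGamal encryption of Nym
    proof = prove(token_statements(nym, e1, e2, y), [sk, r, u])
    return nym, (e1, e2), proof


def verify_token(nym, enc, proof, y):
    e1, e2 = enc
    return verify(token_statements(nym, e1, e2, y), proof)


def inspect(x, enc):
    """Inspector: Nym = e1 * e2^(-x)."""
    e1, e2 = enc
    return e1 * pow(e2, -x, P) % P
```

The verifier never learns sk, r or u, yet is convinced that whoever the inspector will later identify is the holder of the shown Nym; a label would be added by hashing it into the challenge alongside the statements.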
Revocation of credentials
Anonymous Credential Revocation
The issuer publishes revocation information; the verifier looks it up.
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user.
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work: the verifier sees no fixed identifier it could match against a list.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n).
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk).
Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for each u_j in (u1, ..., uk)
- prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^{u_i} b^{s'' + s'} (mod n).
Publish the list of all invalid u_i's: (u1, ..., uk).
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
- the verifier checks that U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens when the u_i's become public? If a credential is revoked, all its past transactions become linkable: anyone who saw (h, U) in an earlier transaction can test U = h^{u_i} against the newly published u_i.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_j = h^{u_j} → a single table lookup.
- BUT if the user comes again, the verifier can link the two visits (same U). ALSO the verifier could decide never to change h, or to use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check that h was formed correctly; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution, a better implementation of the proof
The issuer signs the intervals between revoked IDs: for revocation list {1, 4, 5} it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N).
Alice, whose credential contains u_i = 3, proves that she knows i, j and Sig(i,j) with i < u_i < j; the verifier learns neither i nor j.
Sig(i,j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
- credentials contain a random serial number (e.g. 1, ..., 6)
- the issuer accumulates all good serial numbers into one accumulator value
- Alice proves that the serial number contained in her credential (e.g. 2) is included in the accumulator; the proof requires a witness
- to revoke serial number 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
- values are primes e_i
- accumulator value z = v^{∏ e_i} mod n
- publish z and n
- the witness value x for e_j such that z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to produce (x, e) with z = x^e mod n for an e that is not contained in the accumulator.
- for a fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets the witness x together with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- commit to x: choose random s and g, compute U1 = x h^s, U2 = g^s, and reveal U1, U2, g
- run the proof protocol with the verifier:
PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
- No information about x and e is revealed: (U1, U2) is a secure commitment to x, and the proof protocol is zero-knowledge.
- The proof indeed shows that the e contained in the certificate is also contained in the accumulator:
a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 h^{-δ})^μ (mod n), so x = U1 h^{-δ} is a valid witness for the value μ
c) d = c^ε a1^ρ a2^μ b^σ (mod n), so this same μ is the e signed in the certificate
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
- recall z = v^{∏ e_i} mod n
- thus z' = z^{e_new} mod n
- but then all existing witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
- now z' = v^{∏_{i ≠ rev} e_i} = z^{1/e_rev} mod n (the issuer computes this root using the factors of n)
- witness update, by the user from public data only: use the extended Euclidean algorithm to compute a and b such that a·e_own + b·e_rev = 1
- now x' = x^b z'^a mod n
- why: x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} = ((x^{e_own})^{b·e_rev} (z'^{e_rev})^{a·e_own})^{1/e_rev} = (z^{b·e_rev} z^{a·e_own})^{1/e_rev} = z^{1/e_rev} = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
- recall z = v^{∏ e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and hand the newcomer the witness x = z^{1/e_new} mod n
- thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
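The accumulator operations of the preceding slides (accumulate, witness, membership check, join with and without the factorisation, revocation with the extended-Euclid witness update) in Python, as an added example rather than code from the talk or from Identity Mixer. The modulus n = 1019 · 10007 (two safe primes) and the seed v = 4 are toy values chosen for readability; the zero-knowledge proof that a committed e sits in the accumulator is not part of this block.

```python
# Toy RSA accumulator, constructed for this example (real: 2048-bit n).
# n = pq with p = 2*509+1, q = 2*5003+1; QR_n is cyclic of order 509*5003.
P_FAC, Q_FAC = 1019, 10007
N = P_FAC * Q_FAC
ORD_QR = (P_FAC - 1) // 2 * ((Q_FAC - 1) // 2)      # issuer-only trapdoor
V = 4                                               # seed v in QR_n


def accumulate(values):
    """z = v^(prod e_i) mod n; values must be distinct primes coprime to ord(QR_n)."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_own):
    """x = v^(product of all e_i except e_own), so that z = x^e_own."""
    x = V
    for e in values:
        if e != e_own:
            x = pow(x, e, N)
    return x


def verify_membership(z, e, x):
    return z == pow(x, e, N)


def add_member(z, witnesses, e_new):
    """Public update (no trapdoor): z' = z^e_new, and every x' = x^e_new."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def add_member_with_trapdoor(z, e_new):
    """Issuer with the factors: z stays, the newcomer gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, ORD_QR), N)


def revoke(z, e_rev):
    """Issuer with the factors: z' = z^(1/e_rev)."""
    return pow(z, pow(e_rev, -1, ORD_QR), N)


def _ext_gcd(a, b):
    """Returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = _ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def update_witness_after_revocation(x, e_own, z_new, e_rev):
    """User, from public data only: a*e_own + b*e_rev = 1, x' = x^b * z'^a.
    Then x'^e_own = z^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'.
    Negative a or b are handled by pow() as modular inverses."""
    g, a, b = _ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be coprime (distinct primes)")
    return pow(x, b, N) * pow(z_new, a, N) % N
```

The asymmetry the slides point out is visible in the signatures of the functions: joining and witness refresh after a join need only public values, whereas removing a value (and the shortcut join) needs ORD_QR, which only the holder of the factors has.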
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Recall issuing for Identity Mixer: the user sends U = a1^m1 a2^m2 b^{s'}; the issuer chooses e, s'' and computes
c = (d / (U a3^m3 a4^time b^{s''}))^{1/e} mod n
and returns (c, e, s'').
Idea: just repeat the last step for each new time period time_i: choose e_i, s_i'' and compute
c_i = (d / (U a3^m3 a4^{time_i} b^{s_i''}))^{1/e_i} mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means; no interaction with the user is needed.
Conclusions
Roadmap
- explain possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code: github.com/p2abcengine & abc4trust.eu/idemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation40
Age verification
Movie streaming services
Gaming industry
Online gambling platforms
Dating websites
Social benefits for youngold people
Proving 12+ 18+ 21+ without disclosing the exact date of birth ndash privacy and compliance with age-related legislation
copy 2014 IBM Corporation41
Healthcare
Anonymous access to patients recordsndash accessing medical test results
Anonymous consultations with specialistsndash online chat with a psychologist ndash online consultation with IBM Watson
Eligibility for the premium health insurancendash proving that the body mass index (BMI) is in the certain range without disclosing the
exact weight height or BMI
Anonymous treatment of patients (while enabling access control and payments)
copy 2014 IBM Corporation42
Subscriptions membership
Patent databases
DNA databases
NewsJournalsMagazines
Transportation tickets toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
Polls, recommendation platforms
- Online polls: applying different restrictions on the poll participants (location, citizenship)
- Rating and feedback platforms: anonymous feedback for a course only from the students who attended it; wikis; recommendation platforms
Providing anonymous but at the same time legitimate feedback.

Towards Realizing Anonymous Credentials
A Software Stack View on Identity Mixer
[Figure: three layers, on the user (wallet) side and on the verifier side]
- Application layer: resource request; access control and application logic.
- Policy layer: the verifier sends a presentation policy and the user returns a presentation token. Wallet side: policy/credential matcher, credential manager, store. Verifier side: policy/token matcher, token manager, store.
- Crypto layer: evidence generation orchestration (user) and evidence verification orchestration (verifier), built from signature, encryption and commitment schemes and zero-knowledge proofs (Sig, Enc, Com, ZKP).
Privacy-protecting authentication with Privacy ABCs
[Figure: the issuer publishes issuer parameters and a credential specification; the user holds a credential and a pseudonym; the verifier publishes a presentation policy (verifier parameter) such as "12 < age", and the user answers with a presentation token]
The Policy Layer: An Example Presentation Policy
The verifier sends the user a presentation policy and the user answers with a presentation token. The policy below (ABC4Trust XML) asks for a movie voucher credential of a given specification from a given issuer whose Expires attribute is not before 2014-06-17T14:06:00Z; the user proves the predicate without revealing the expiry date itself.

    <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
      <abc:Message>
        <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
      </abc:Message>
      <abc:Credential Alias="voucher">
        <abc:CredentialSpecAlternatives>
          <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
        </abc:CredentialSpecAlternatives>
        <abc:IssuerAlternatives>
          <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
        </abc:IssuerAlternatives>
      </abc:Credential>
      <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
        <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
        <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
      </abc:AttributePredicate>
    </abc:PresentationPolicy>
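The matching step that the wallet's policy/credential matcher performs on such a policy, as an added example (not code from the original slides, nor from the Identity Mixer or ABC4Trust projects): it parses the presentation policy above, keeps only the wallet credentials whose specification and issuer the verifier accepts, and evaluates the attribute predicate locally, which is what tells the user whether she can satisfy the policy before any token is generated. The namespace URI, the wallet layout and the three sample credentials are constructed for this example.

```python
"""Policy/credential matching for an ABC4Trust-style presentation policy.

Added example: not code from the slides or from Identity Mixer/ABC4Trust.
The namespace URI and the wallet data structure are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ABC_NS = "http://abc4trust.eu/wp2/abcschemav1.0"   # assumed namespace URI
NS = {"abc": ABC_NS}

# The policy from the slide, with an xmlns:abc declaration added so it parses.
POLICY_XML = f"""
<abc:PresentationPolicy xmlns:abc="{ABC_NS}"
    PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message><abc:ApplicationData>Terms and Conditions</abc:ApplicationData></abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
"""

# Constructed wallet: credential id, spec UID, issuer parameters UID, attributes.
WALLET = [
    {"id": "cred-1", "spec": "https://movies.com/specifications/voucher",
     "issuer": "https://movies.com/parameters/voucher",
     "attrs": {"Expires": "2014-07-01T00:00:00Z"}},       # still valid
    {"id": "cred-2", "spec": "https://movies.com/specifications/voucher",
     "issuer": "https://movies.com/parameters/voucher",
     "attrs": {"Expires": "2014-01-01T00:00:00Z"}},       # expired
    {"id": "cred-3", "spec": "https://movies.com/specifications/voucher",
     "issuer": "https://evil.example/parameters/voucher",  # issuer not in policy
     "attrs": {"Expires": "2099-01-01T00:00:00Z"}},
]

def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Predicate functions the matcher understands; unknown functions fail closed.
PREDICATES = {
    "urn:oasis:names:tc:xacml:1.0:function:dateTime-geq": lambda a, b: _dt(a) >= _dt(b),
}

def parse_policy(xml_text):
    """Extract per-alias credential requirements and attribute predicates."""
    root = ET.fromstring(xml_text.strip())
    creds = {}
    for c in root.findall("abc:Credential", NS):
        creds[c.get("Alias")] = {
            "specs": {e.text for e in c.findall("abc:CredentialSpecAlternatives/abc:CredentialSpecUID", NS)},
            "issuers": {e.text for e in c.findall("abc:IssuerAlternatives/abc:IssuerParametersUID", NS)},
        }
    preds = []
    for p in root.findall("abc:AttributePredicate", NS):
        attr = p.find("abc:Attribute", NS)
        preds.append((p.get("Function"), attr.get("CredentialAlias"),
                      attr.get("AttributeType"), p.find("abc:ConstantValue", NS).text))
    return {"uid": root.get("PolicyUID"), "credentials": creds, "predicates": preds}

def match_credentials(policy, wallet):
    """Return {alias: [credential ids]} that can satisfy the policy."""
    usable = {}
    for alias, req in policy["credentials"].items():
        hits = []
        for cred in wallet:
            # Wrong credential type, or an issuer the verifier does not accept.
            if cred["spec"] not in req["specs"] or cred["issuer"] not in req["issuers"]:
                continue
            satisfied = True
            for func, a_alias, a_type, const in policy["predicates"]:
                if a_alias != alias:
                    continue
                test = PREDICATES.get(func)
                if test is None or a_type not in cred["attrs"] or not test(cred["attrs"][a_type], const):
                    satisfied = False   # unknown function or missing attribute: fail closed
                    break
            if satisfied:
                hits.append(cred["id"])
        usable[alias] = hits
    return usable
```

The matcher is deliberately strict: a predicate function it does not implement, or an attribute the credential lacks, disqualifies the credential rather than letting the token generation fail later or, worse, letting an unchecked predicate through.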
So let's look at the cryptography

Required Technologies
- Encryption schemes
- Signature schemes
- Commitment schemes
- Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge (of a secret), typically in three moves: commitment, challenge, response.
Properties:
- zero-knowledge: the verifier learns nothing about the prover's secret
- proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
- completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ of prime order $q$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ such that $y = g^x$, in such a way that the verifier only learns $y$ and $g$.
- Prover: chooses random $r \in \mathbb{Z}_q$, computes $t = g^r$ and sends $t$.
- Verifier: chooses a random challenge $c$ and sends $c$.
- Prover: computes $s = r - cx \bmod q$ and sends $s$.
- Verifier: accepts iff $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: proof of knowledge
If a prover can successfully convince a verifier, then the secret must be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box that we can reset and rerun; we then need to show how the secret can be extracted through the protocol interface alone.
Rewinding the prover to the same commitment $t$ and answering with two different challenges $c \neq c'$ gives two accepting transcripts $(t, c, s)$ and $(t, c', s')$:
$t = g^{s} y^{c} = g^{s'} y^{c'} \Rightarrow y^{c - c'} = g^{s' - s}$
$\Rightarrow y = g^{(s' - s)/(c - c')}$
$\Rightarrow x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees" without knowing $x$:
- choose random $c'$ and $s$, compute $t = g^{s} y^{c'}$ and send $t$
- on receiving the challenge $c$: if $c = c'$, send $s$; otherwise restart
Problem: if the domain of $c$ is too large, the success probability (one over the size of the domain per attempt) becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge before seeing $t$.
- Verifier: chooses random $c$ and $v$, computes $h = H(c, v)$ and sends $h$.
- Prover: chooses random $r$, computes $t = g^r$ and sends $t$.
- Verifier: sends $c$ and $v$.
- Prover: checks $h = H(c, v)$, computes $s = r - cx \bmod q$ and sends $s$.
- Verifier: accepts iff $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$
Zero-Knowledge Proofs: security
Simulating the modified protocol:
- after receiving $h$, choose random $c'$ and $s$, compute $t = g^{s} y^{c'}$ and send $t$
- after having received the opening $(c, v)$ of $h$, "reboot" the verifier to its state right after it sent $h$
- now $c$ is known: choose random $s'$, compute $t' = g^{s'} y^{c}$ and send $t'$; the verifier can only open $h$ to the same $(c, v)$, and the simulator sends $s'$
The transcript $(h, t', c, v, s')$ is distributed like a real one, and the simulator never needed $x$.
Recall: Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ of prime order $q$ and $y \in \langle g \rangle$; the prover convinces the verifier that she knows $x$ with $y = g^x$ while the verifier learns only $y$ and $g$:
- Prover: random $r$, $t = g^r$; sends $t$
- Verifier: random $c$; sends $c$
- Prover: $s = r - cx \bmod q$; sends $s$
- Verifier: checks $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$
From Protocols To Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and compute $t = g^r$
- compute $c = H(g^r \| m) = H(t \| m)$ and $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$, which holds iff $g^s y^c = t$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H$ behaves as a "random oracle" (it replaces the verifier's random challenge)
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
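The interactive protocol, its knowledge extractor, the simulator and the Fiat-Shamir signature of the last few slides, carried out in code as an added example (not code from the slides or from Identity Mixer). The group is a toy Schnorr group with a 10-bit prime order, chosen so that the numbers stay readable; a deployment would use a 2048-bit modulus with a 256-bit subgroup or an elliptic-curve group, and SHA-256 stands in for the random oracle $H$.

```python
"""Schnorr proof of knowledge of a discrete logarithm PK{(alpha): y = g^alpha}:
interactive protocol, knowledge extractor, simulator, and the SPK signature.

Added example, not code from the original slides. Toy group parameters.
"""
import hashlib
import secrets

Q = 1019            # prime order of the subgroup (toy size!)
P = 2 * Q + 1       # 2039, a safe prime, so the subgroup of squares has order Q
G = 4               # 4 = 2^2 is a square mod P, hence generates the order-Q subgroup

def keygen():
    x = 1 + secrets.randbelow(Q - 1)        # secret x in [1, Q-1]
    return x, pow(G, x, P)                  # public y = g^x

# --- interactive protocol -------------------------------------------------
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                  # keep r, send t = g^r

def verifier_challenge():
    return 1 + secrets.randbelow(Q - 1)     # c from all of Z_q minus 0 (large domain)

def prover_respond(x, r, c):
    return (r - c * x) % Q                  # s = r - c x mod q

def verifier_check(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P     # t == g^s y^c

def run_protocol(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(x, r, c))

# --- proof of knowledge: rewind the prover to the same t, answer two challenges
def extract(c1, s1, c2, s2):
    """From (t,c1,s1) and (t,c2,s2) with c1 != c2: x = (s2 - s1) / (c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("need two different challenges for the same commitment")
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q

# --- zero-knowledge: an accepting transcript without knowing x -------------
def simulate(y, c):
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, c, P) % P     # pick s first, then t = g^s y^c
    return t, c, s

# --- non-interactive: SPK{(alpha): y = g^alpha}(m), c = H(t || m) ----------
def _hash_challenge(t, m):
    digest = hashlib.sha256(t.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q

def spk_sign(x, m):
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = _hash_challenge(t, m)               # the hash replaces the verifier's challenge
    return c, (r - c * x) % Q

def spk_verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P     # recompute t = g^s y^c
    return c == _hash_challenge(t, m)       # and check c = H(t || m)
```

The extractor is the soundness argument made concrete: anyone who can answer two challenges for the same $t$ has, in effect, handed over $x$, which is also why a prover must never reuse $r$ across two signatures on different messages.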
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms: extensions
Logical combinations:
- $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
- $PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents: $PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under the Strong RSA assumption):
- $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
- $PK\{(\alpha): y = g^\alpha \wedge z = \tilde{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde{g}))]\}$, where $g$ and $\tilde{g}$ may generate groups of different order
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be elements of a group of prime order $q$, with $\log_g h$ unknown to the prover (so a representation with respect to $g$ and $h$ is unique).
What does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements as before.
What does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\gamma}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\gamma} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\gamma} = g^{\alpha_2 \cdot \alpha_1} h^{\gamma + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\gamma + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$ (and $\beta_3 = \gamma + \beta_2 \alpha_1$, which is why the second equation for $C_3$ needs its own randomness exponent $\gamma$)
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\gamma}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2$ be group elements as before.
What does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\gamma}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and
$g = (C_2 / C_1)^{\alpha_1} h^{\gamma} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\gamma}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\gamma/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\gamma/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \gamma/\alpha_1}$
Together with $C_2 = g^{\alpha_2} h^{\beta_2}$:
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$ (and, in particular, $\alpha_1 \neq 0$)
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential system is built from three tools: a signature scheme, a commitment scheme and zero-knowledge proofs]

Signature schemes
Signature Scheme Functionality
- Key generation: the signer creates a secret signing key and a public verification key.
- Signing: on a block of messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \text{signing key})$.
- Verification: anyone holding the verification key checks $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$.
Signature Scheme Security: Unforgeability under Adaptive Chosen Message Attack
- The adversary adaptively asks the signer for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice (each query may depend on the previous answers).
- It wins if it outputs $\sigma$ and $m \neq m_i$ (for all $i$) such that $\mathrm{ver}(\sigma, m, \text{verification key}) = \mathrm{true}$.
RSA Signature Scheme (for reference)
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of a signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme (for reference)
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
We want to do a proof of knowledge of a signature on a message, e.g. $PK\{(\mu, \sigma): \sigma^e = H(\mu) \pmod n\}$.
But this is not a valid proof expression: $H$ is not an algebraic relation between the secrets, so the discrete-logarithm proof techniques above do not apply. :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
- choose a random prime $e$ with $2^{\ell+1} < e < 2^{\ell+2}$ and a random integer $s \approx n$, and compute
  $c = \left( d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}) \right)^{1/e} \bmod n$
- the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- check $m_1, \ldots, m_k \in \{0,1\}^\ell$ and $e > 2^{\ell+1}$
- check $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-Signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^{s} \bmod n$.
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and prove
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$, i.e. knowledge of a valid signature on $(\mu_1, m_2)$; since $c'$ is freshly randomized for every proof, two such proofs cannot be linked through $c$.
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs]

Commitment scheme
Commitment Scheme Functionality
[Figure: the committer locks a message $m$ (pictured as the combination 2-36-17) into a box and hands the box over; later she reveals the combination, the box opens, and the receiver sees $m$]
- Commit: produce a commitment to $m$ that can be handed to the receiver.
- Open: reveal $m$ and the opening information; the receiver checks that the commitment indeed contains $m$.
Commitment Scheme Security
- Binding: a commitment cannot be opened to two different messages $m \neq m'$ (the combination 2-36-17 cannot later be replaced by 3-21-11).
- Hiding: for all messages $m, m'$, a commitment to $m$ is indistinguishable from a commitment to $m'$.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of prime order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment: reveal $x$ and $r$ to the verifier; the verifier checks that $c = g^x h^r$ (resp. $c = (g^x h^r, g^r)$).
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^x h^r = g^{x + ur}$, and for any $x'$ we can write
$c = g^{x + ur} = g^{x' + ur'} = g^{x'} h^{r'}$ with $r' = r + (x - x')/u \bmod q$.
I.e. given $c$ and any $x'$, there exists $r'$ such that $c = g^{x'} h^{r'}$: even an unbounded receiver learns nothing about $x$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be such that $c = g^x h^r = g^{x'} h^{r'}$ with $x \neq x'$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. whoever opens a commitment in two ways has computed the discrete logarithm of $h$ to the base $g$, which is assumed infeasible.
Commitment Scheme Extended Features
[Figure: proof of knowledge of contents: the prover shows the verifier that she knows the $m$ inside a commitment; proof of relations among contents: for two commitments she shows that $m' = 2 \cdot m$; the verifier outputs "true" without ever seeing $m$ or $m'$]
Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$; then
- proof of knowledge of contents: $PK\{(\alpha, \beta): C = g^{\beta} h^{\alpha}\}$
- proof of a relation among contents ($m' = 2m$): $PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^2)^{\beta} h^{\gamma}\}$
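Pedersen commitments with the two proofs from this slide and the linear relations analysed on the "Some Example Proofs" slides, as an added example that is not code from the original slides or from Identity Mixer. It generalises the slides slightly: a list of equations with shared exponent names expresses any such relation, and the challenge is derived with SHA-256 (Fiat-Shamir). The group is the same toy group as before; in a real deployment $\log_g h$ must be unknown to the prover, which a 10-bit group obviously cannot guarantee.

```python
"""Pedersen commitments and non-interactive proofs of knowledge of openings and
of linear relations among committed values (the PK{...} expressions on the slides).

Added example, not code from the original slides. Toy group parameters.
"""
import hashlib
import secrets

Q = 1019                 # prime order of the subgroup (toy size!)
P = 2 * Q + 1            # 2039, a safe prime
G, H = 4, 9              # two generators of the order-Q subgroup (squares mod P)

def commit(m, r=None):
    """Pedersen commitment C = g^m h^r; returns (C, r)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m, P) * pow(H, r, P) % P, r

def _multiexp(pairs):
    acc = 1
    for base, exp in pairs:
        acc = acc * pow(base, exp, P) % P
    return acc

def _challenge(equations, ts):
    # Fiat-Shamir: bind the challenge to the statement and to all commitments t_i.
    data = repr((equations, ts)).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def prove(equations, witness):
    """equations: [(target, [(base, name), ...])] meaning target = prod base^name.
    A name used in several equations is proven to be the same exponent everywhere."""
    names = sorted({n for _, terms in equations for _, n in terms})
    rnd = {n: secrets.randbelow(Q) for n in names}              # one r per exponent
    ts = [_multiexp([(b, rnd[n]) for b, n in terms]) for _, terms in equations]
    c = _challenge(equations, ts)
    s = {n: (rnd[n] - c * witness[n]) % Q for n in names}       # s = r - c x
    return ts, s

def verify(equations, proof):
    ts, s = proof
    if len(ts) != len(equations) or set(s) != {n for _, terms in equations for _, n in terms}:
        return False
    c = _challenge(equations, ts)
    return all(t == _multiexp([(b, s[n]) for b, n in terms]) * pow(target, c, P) % P
               for t, (target, terms) in zip(ts, equations))    # t == prod base^s * target^c

# PK{(alpha, beta): C = g^beta h^alpha}: knowledge of the contents of C.
def opening_statement(C):
    return [(C, [(G, "beta"), (H, "alpha")])]

# PK{(alpha, beta, gamma): C = g^beta h^alpha  AND  C2 = (g^2)^beta h^gamma}: m2 = 2 m.
def double_statement(C, C2):
    return [(C, [(G, "beta"), (H, "alpha")]), (C2, [(pow(G, 2, P), "beta"), (H, "gamma")])]

# C3 = g^a1 g^a2 h^b3 together with C1, C2: the value in C3 is a1 + a2 mod q.
def sum_statement(C1, C2, C3):
    return [(C1, [(G, "a1"), (H, "b1")]), (C2, [(G, "a2"), (H, "b2")]),
            (C3, [(G, "a1"), (G, "a2"), (H, "b3")])]
```

The relation is carried entirely by the exponent names: because the same response $s_\beta$ must satisfy both equations of `double_statement`, a prover whose second commitment holds $2m + 1$ instead of $2m$ cannot produce a valid proof, whatever witness she feeds in.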
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of prime order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$: choose random $r \in \mathbb{Z}_q$ and compute $Nym = g^{sk} h^{r}$, i.e. a Pedersen commitment to $sk$; different pseudonyms of the same user are unlinkable, and the user can prove that a pseudonym and a credential are bound to the same $sk$.
Privacy-protecting authentication with Privacy ABCs: issuing a credential
Like PKI, but better.
Concept: credentials
[Figure: the issuer signs the user's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead: $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$.
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives the clear messages $(m_{j+1}, \ldots, m_k)$ together with commitments to the hidden messages $m_1, \ldots, m_j$ and outputs $\sigma = \mathrm{sig}((m_1, \ldots, m_j), (m_{j+1}, \ldots, m_k))$ such that $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$.
Verification remains unchanged. Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer public key: $n, a_i, b, d$. The user holds a secret key $sk$ and wants a credential on $sk$ and the clear attribute $name$.
1. User: chooses random $s'$, computes $C = a_1^{sk} b^{s'} \bmod n$ (a commitment to $sk$) and sends $C$ and $name$ to the issuer.
2. User proves $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$, so the issuer knows that $C$ is well formed.
3. Issuer: chooses a random prime $e$ and random $s''$, computes $c = \left( d / (C\, a_2^{name} b^{s''}) \right)^{1/e} \bmod n$ and sends $(c, e, s'')$.
4. User: the credential is $(c, e, s' + s'')$, because $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Realizing Issuance of a Credential: signing w.r.t. a pseudonym $Nym = g^{sk} h^{r}$
1. User: computes $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$ and sends $C$, $Nym$ and $name$.
2. User proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$, which binds $C$ to the pseudonym.
3. Issuer: computes $c = \left( d / (C\, a_3^{name} b^{s''}) \right)^{1/e} \bmod n$, sends $(c, e, s'')$ and stores $(Nym, name)$.
4. User: the credential satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
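The CL signature (slides "CL-Signature Scheme" and "Proving Knowledge of a CL-Signature") and the issuance on a committed secret key from this slide, run end to end as an added example that is not code from the slides or from Identity Mixer. Toy parameters: $\ell = 8$-bit attributes and a modulus built from two small safe primes, so the issuer's $e$-th root is a modular inverse of $e$ modulo $\varphi(n)$; a deployment uses a 2048-bit $n$, and the user's zero-knowledge proof of the opening of $C$ (step 2 above) is not reproduced here.

```python
"""CL signatures over message blocks, signature re-randomisation, and blind
issuance on a committed secret key (the user's sk never reaches the issuer).

Added example, not code from the original slides. Toy parameters.
"""
import secrets
from math import gcd

L = 8                                  # attributes are L-bit integers
P_, Q_ = 2039, 2027                    # two safe primes (toy size!); issuer secret
N = P_ * Q_                            # RSA modulus, public
PHI = (P_ - 1) * (Q_ - 1)              # issuer secret: enables e-th roots mod N

def _random_qr():
    while True:
        x = secrets.randbelow(N)
        if gcd(x, N) == 1 and x * x % N != 1:
            return x * x % N                   # a quadratic residue != 1

def _random_prime_e():
    """Random prime e with 2^(L+1) < e < 2^(L+2), coprime to PHI."""
    while True:
        e = 2 ** (L + 1) + 1 + 2 * secrets.randbelow(2 ** L)    # odd, in range
        if all(e % d for d in range(3, int(e ** 0.5) + 1, 2)) and gcd(e, PHI) == 1:
            return e

def keygen(k=3):
    """Public key (N, [a_1..a_k], b, d); the secret key is the factorisation (PHI)."""
    return {"n": N, "a": [_random_qr() for _ in range(k)], "b": _random_qr(), "d": _random_qr()}, PHI

def _root(pk, x, e, phi):
    return pow(x, pow(e, -1, phi), pk["n"])    # e-th root of x mod n, needs phi(n)

def sign(sk, pk, msgs):
    """(c, e, s) with d = c^e * prod a_i^m_i * b^s mod n."""
    n = pk["n"]
    e = _random_prime_e()
    s = secrets.randbelow(n << L)              # s of roughly the size of n
    base = pow(pk["b"], s, n)
    for a, m in zip(pk["a"], msgs):
        base = base * pow(a, m, n) % n
    c = _root(pk, pk["d"] * pow(base, -1, n) % n, e, sk)
    return c, e, s

def verify(pk, msgs, sig):
    c, e, s = sig
    n = pk["n"]
    if not (2 ** (L + 1) < e < 2 ** (L + 2)) or any(not 0 <= m < 2 ** L for m in msgs):
        return False                           # the range checks are part of the scheme
    lhs = pow(c, e, n) * pow(pk["b"], s, n) % n
    for a, m in zip(pk["a"], msgs):
        lhs = lhs * pow(a, m, n) % n
    return lhs == pk["d"]

def rerandomize(pk, sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(pk["n"])
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t

# --- issuance on a hidden message: the user commits to sk, the issuer signs the commitment
def issuance_request(pk, sk_user):
    s1 = secrets.randbelow(pk["n"] << L)
    C = pow(pk["a"][0], sk_user, pk["n"]) * pow(pk["b"], s1, pk["n"]) % pk["n"]
    return C, s1                               # send C (plus a PK of its opening, omitted here)

def issue(sk, pk, C, clear_msgs):
    """Issuer: c = (d / (C * prod a_{i+1}^m_i * b^s2))^(1/e); never sees sk_user."""
    n = pk["n"]
    e = _random_prime_e()
    s2 = secrets.randbelow(n << L)
    base = C * pow(pk["b"], s2, n) % n
    for a, m in zip(pk["a"][1:], clear_msgs):
        base = base * pow(a, m, n) % n
    return _root(pk, pk["d"] * pow(base, -1, n) % n, e, sk), e, s2

def complete_credential(partial_sig, s1):
    c, e, s2 = partial_sig
    return c, e, s1 + s2                       # d = c^e a_1^sk a_2^m_2 ... b^(s1+s2)
```

Two details matter in practice and are easy to drop: the verifier must enforce the ranges on $e$ and on the attributes (otherwise the Strong RSA argument does not apply), and after re-randomisation the exponent $s - et$ may be negative, which is fine mathematically and in Python's modular `pow` but must be handled explicitly in languages without it.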
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.
Polling: Solution (Registration)
- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
  under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
- The credential can contain attributes (e.g. a course ID) about her.
Polling: Solution (Submit Poll)
1. The user generates a domain pseudonym for the domain $= pollID$.
2. The user transforms (re-randomizes) her credential.
3. She presents the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable across polls.
- Multiple opinions are detected because the domain pseudonym is unique per user and poll.
Polling: Solution (Polling)
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$.
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption), while a second opinion in the same poll yields the same $P$ and is dropped.
2. The user transforms the credential: $c' = c\, b^{t} \bmod n$ with randomly chosen $t$, and sends $P$, $c'$ and
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts

Concept: Inspection
[Figure: a trusted third party (TTP, the inspector) publishes inspector parameters; the verifier's policy states the inspection grounds; the user verifiably encrypts her identity under the inspector's key]
- If the car is damaged, the ID with the insurance or government needs to be retrievable.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
- Key generation, encryption, decryption.
Security: like envelopes. The ciphertext reveals no information about the message; the adversary cannot even tell which of two messages of its choice was encrypted. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of the label yields a new ciphertext (the decryptor will not decrypt under a different label).

Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of prime order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^r m, g^r)$.
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^{r}$ and a credential with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
- compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
- compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
The verifier learns that $(e_1, e_2)$ encrypts the pseudonym bound to a valid credential; only the inspector, who knows $x$, can recover $Nym$.
Revocation of credentials

Anonymous Credential Revocation
[Figure: the issuer publishes revocation information; the verifier looks it up]
Various reasons to revoke a credential: the user lost the credential secret key, misbehaviour of the user, ...
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work (the verifier never learns a stable identifier it could look up).
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose a random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \cdots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list. :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose a random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
- the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens to the $u_i$'s that are made public? If a credential is revoked, all its past transactions become linkable: an old pair $(h, U)$ can be tested against the published $u_i$.
Revocable Credentials: Second Solution (variation)
The verifier could choose $h$ and keep it fixed for a while; it can then pre-compute the list $U_j = h^{u_j}$
→ a single table lookup per transaction. BUT if the user comes again, the verifier can link her two visits (same $U$). ALSO, the verifier could decide never to change $h$ at all, or use the same $h$ as other verifiers.
- One way out: $h = H(\text{verifier}, \text{date})$, so the user can check that $h$ was derived correctly.
- The date could be the time up to seconds, and the verifier could just pre-compute and store all the lists.
... better implementation of the proof (second solution)
[Figure: revoked IDs 1, 4, 5 on a number line from 0 to N; Alice's ID 3 lies in the interval (1, 4)]
- The issuer signs the intervals between revoked values: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)$.
- Alice proves that her credential contains a value $u$ (here 3) and that she knows a signed interval $(i, j)$, i.e. $Sig(i, j)$, with $i < u < j$.
- The verifier does not learn $i$, $j$ or $u$.
- $Sig(i, j)$ can be realised with the credential signature scheme itself, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the issuer accumulates the serial numbers 1 to 6 into a single value; a proof that a serial number (e.g. 2) is included requires a witness]
- The issuer accumulates all good serial numbers.
- Credentials contain a random serial number.
- The proof that a serial number is contained in the accumulator requires a witness.
- To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: producing $x$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator must be infeasible.
- For fixed $e$: equivalent to the RSA assumption
- For any $e$ (chosen by the adversary): equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your value is in the accumulator:
- Commit to the witness $x$: choose random $s$ and $g$, compute $U_1 = x h^{s}$ and $U_2 = g^{s}$, and reveal $U_1, U_2, g$
- Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
- No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
- The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, so $U_1 h^{-\delta}$ is a witness for $\mu$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, so the same $\mu$ is the $e$ signed in the certificate
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
- now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer can compute this root since it knows the factorisation of $n$)
- witness update for a remaining $e_{own}$:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$ (possible since both are distinct primes)
  - now $x' = x^{b} z'^{a} \bmod n$
- why: $x'^{e_{own}} = (x^{b} z'^{a})^{e_{own}} = (x^{e_{own}})^{b} z'^{a\, e_{own}} = z^{b} z'^{a\, e_{own}} = z'^{b\, e_{rev}} z'^{a\, e_{own}} = z'^{a\, e_{own} + b\, e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorisation of $n$: when a new user gets a certificate containing $e_{new}$
- recall $z = v^{\prod e_i} \bmod n$
- actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$
- thus $z$ need not be changed when a new member joins, and the existing witnesses stay valid
Witnesses need to be recomputed upon revocation only.
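The dynamic accumulator of the last three slides, including the witness update through the extended Euclidean algorithm and the improved join that leaves $z$ unchanged, as an added example that is not code from the slides or from the Camenisch-Lysyanskaya paper. The modulus is a toy product of two small safe primes (the issuer knows $\varphi(n)$); serial numbers must be primes coprime to $\varphi(n)$, and a real deployment draws them from a large range and uses a 2048-bit $n$.

```python
"""Dynamic RSA accumulator: membership witnesses, joins, revocations, witness
updates (extended Euclid), and the improved join that leaves z unchanged.

Added example, not code from the original slides. Toy parameters.
"""
N = 2039 * 2027            # toy modulus of two safe primes (issuer secret: the factors)
PHI = 2038 * 2026          # issuer secret, enables e-th roots mod N

def _egcd(u, v):
    """Return (a, b) with a*u + b*v = gcd(u, v)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while v:
        q, u, v = u // v, v, u % v
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return a0, b0

class Accumulator:
    """Issuer-side state: z = v^(prod e_i) mod N over the current member primes."""
    def __init__(self, seed=4):
        self.v = seed % N                  # seed, a quadratic residue
        self.members = set()
        self.z = self.v

    def add(self, e):
        """Plain join: z' = z^e; every existing witness must become x^e."""
        assert e not in self.members and e > 1
        self.members.add(e)
        self.z = pow(self.z, e, N)

    def witness(self, e):
        """x = v^(prod_{i != j} e_i), so that x^e = z."""
        assert e in self.members
        x = self.v
        for other in self.members:
            if other != e:
                x = pow(x, other, N)
        return x

    def revoke(self, e):
        """z' = z^(1/e): the issuer takes the e-th root using phi(N)."""
        self.members.remove(e)
        self.z = pow(self.z, pow(e, -1, PHI), N)

    def add_keep_z(self, e):
        """Improved join: move the seed instead, v' = v^(1/e); z and all old
        witnesses stay valid, and the newcomer's witness is z^(1/e)."""
        assert e not in self.members and e > 1
        self.members.add(e)
        e_inv = pow(e, -1, PHI)
        self.v = pow(self.v, e_inv, N)
        return pow(self.z, e_inv, N)

def verify_membership(z, e, x):
    return pow(x, e, N) == z               # what the verifier checks

def update_after_add(x, e_new):
    return pow(x, e_new, N)                # x' = x^(e_new)

def update_after_revoke(x, e_own, e_rev, z_new):
    """x' = x^b * z_new^a with a*e_own + b*e_rev = 1 satisfies x'^e_own = z_new."""
    a, b = _egcd(e_own, e_rev)
    assert a * e_own + b * e_rev == 1, "serial numbers must be distinct primes"
    return pow(x, b, N) * pow(z_new, a, N) % N
```

Note that `update_after_revoke` needs only public data ($z'$ and the revoked $e_{rev}$), so unrevoked users can refresh their own witnesses from the issuer's published update; a revoked user's old witness stops verifying against the new $z$, which is exactly the point.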
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- No additional effort for the verifier.
- If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution
Re-issue certificates (off-line, as interaction might be too expensive).
Recall issuing for Identity Mixer:
- the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- the issuer chooses $e, s''$ and computes $c = \left( d / (U\, a_3^{m_3} a_4^{time} b^{s''}) \right)^{1/e} \bmod n$
- the issuer returns $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line, as interaction might be too expensive).
Idea: just repeat the last step for each new time period $time_i$:
- the issuer chooses $e_i, s_i''$ and computes $c_i = \left( d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}) \right)^{1/e_i} \bmod n$
- the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; no interaction is needed because $U$ is reused
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine
- abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- Jan Camenisch, Natalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
- Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Vol. 16, No. 3, pp. 185-215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology, CRYPTO 93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84-88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology, Proceedings of CRYPTO 82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology, CRYPTO 2003, pp. 126-144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology, CRYPTO 84.
copy 2014 IBM Corporation41
Healthcare
Anonymous access to patients recordsndash accessing medical test results
Anonymous consultations with specialistsndash online chat with a psychologist ndash online consultation with IBM Watson
Eligibility for the premium health insurancendash proving that the body mass index (BMI) is in the certain range without disclosing the
exact weight height or BMI
Anonymous treatment of patients (while enabling access control and payments)
copy 2014 IBM Corporation42
Subscriptions membership
Patent databases
DNA databases
NewsJournalsMagazines
Transportation tickets toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2014 IBM Corporation43
Polls recommendation platforms
Online polls ndash applying different restrictions on the poll participants location citizenship
Rating and feedback platformsndash anonymous feedback for a course only from the students who attended itndash wikisndash recommendation platforms
Providing anonymous but at the same time legitimate feedback
copy 2014 IBM Corporation44 August 11 2015
Towards Realizing Anonymous Creds
copy 2014 IBM Corporation
An Software Stack View on Identity Mixer
policylayer
cryptolayer
applicationlayer
resource request
presentation tokenpresentation policy
Wallet
policy credentialmatcher
credential mgr
store
evidence genorchestration
policy tokenmatcher
token mgr
store
evidence veriforchestration
Sig Enc Com ZKP
AC amp app logic
Sig Enc Com ZKP
store
copy 2014 IBM Corporation46 August 11 2015
Privacy-protecting authentication with Privacy ABCs
12 lt age
(Issuer parameter)
Credential
Presentation token Presentation policy
Pseudonym
(Verifier parameter)
Credential specification
copy 2014 IBM Corporation47 August 11 2015User Verifier
presentation policy
presentation token
The Policy Layer ndash An Example Presentation policy
ltabcPresentationPolicy PolicyUID=httpsmoviescompresentationpoliciesmovie1gt ltabcMessagegt ltabcApplicationDatagt Terms and Conditions ltabcApplicationDatagt ltabcMessagegt
ltabcCredential Alias=vouchergt ltabcCredentialSpecAlternativesgt ltabcCredentialSpecUIDgthttpsmoviescomspecificationsvoucherltabcCredentialSpecUIDgt ltabcCredentialSpecAlternativesgt ltabcIssuerAlternativesgt ltabcIssuerParametersUIDgthttpsmoviescomparametersvoucherltabcIssuerParametersUIDgt ltabcIssuerAlternativesgt ltabcCredentialgt
ltabcAttributePredicate Function=urnoasisnamestcxacml10functiondateTime-geqgt ltabcAttribute CredentialAlias=voucher AttributeType=Expires gt ltabcConstantValuegt2014-06-17T140600ZltabcConstantValuegt ltabcAttributePredicategt ltabcPresentationPolicygt
copy 2014 IBM Corporation48 August 11 2015
So lets look at the cryptography
copy 2014 IBM CorporationAugust 11 2015
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
Required Technologies
copy 2014 IBM Corporation50 August 11 2015
zero-knowledge proofs
copy 2014 IBM Corporation51 August 11 2015
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties
zero-knowledgeverifier learns nothing about the provers secret
proof of knowledge (soundness)prover can convince verifier only if she knows the secret
completenessif prover knows the secret she can always convince the verifier
Commitment
Challenge
Response
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g\rangle$ and an element $y \in \langle g\rangle$, the prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
- Prover: choose random $r$, compute $t = g^r$, send $t$.
- Verifier: choose random $c$, send $c$.
- Prover: compute $s = r - cx$, send $s$.
- Verifier: accept iff $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$.
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same commitment $t$ with two different challenges $c \ne c'$, obtaining responses $s$ and $s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c-c'} = g^{s'-s}$
→ $y = g^{(s'-s)/(c-c')}$
→ $x = (s'-s)/(c-c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
- Choose random $c'$, $s'$ and compute $t = g^{s'} y^{c'}$; send $t$.
- Receive $c$. If $c = c'$ send $s = s'$, otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
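The three-move protocol, the rewinding extractor and the simulator of the last three slides, written out as an added Python example (not from the slides). The group p = 2q+1 = 2039, q = 1019, g = 4 is a constructed toy instance, and `verifier_challenge` is a stand-in for an arbitrary verifier.

```python
import secrets

# Constructed toy group (labelled): p = 2q + 1 with q = 1019 prime and g = 4
# generating the order-q subgroup of Z_p^*. Real deployments use q of 256 bits
# or more; the protocol logic is identical.
P = 2039
Q = 1019
G = 4


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Move 1: random r, t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c, exactly as on the slide."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_protocol(x, y):
    """One honest run: commitment, random challenge, response, check."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


def extract(y, t, c1, s1, c2, s2):
    """Extractor (proof of knowledge): given two accepting transcripts with the
    same commitment t but different challenges, recover x.
    g^s1 y^c1 = g^s2 y^c2  ->  y^(c1-c2) = g^(s2-s1)  ->  x = (s2-s1)/(c1-c2) mod q."""
    if c1 == c2:
        raise ValueError("rewinding needs two different challenges")
    if not (verifier_check(y, t, c1, s1) and verifier_check(y, t, c2, s2)):
        raise ValueError("both transcripts must be accepting")
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


def simulate(y, verifier_challenge, max_tries=100_000):
    """Simulator (zero-knowledge): produce an accepting transcript for y
    without knowing x. Guess c' and s' first, set t = g^s' y^c', and restart
    until the verifier's challenge equals the guess. Each try succeeds with
    probability 1/q, which is why a large challenge space defeats this naive
    simulator (the problem the slide points out)."""
    for _ in range(max_tries):
        c_guess = secrets.randbelow(Q)
        s_guess = secrets.randbelow(Q)
        t = pow(G, s_guess, P) * pow(y, c_guess, P) % P
        c = verifier_challenge(t)
        if c == c_guess:
            return t, c, s_guess
    return None
```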
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge first.
- Verifier: choose random $c_v$, compute $h = H(c_v)$, send $h$.
- Prover: choose random $r$, compute $t = g^r$, send $t$.
- Verifier: send $c_v$.
- Prover: check $h = H(c_v)$, compute $s = r - c_v x$, send $s$.
- Verifier: accept iff $t = g^s y^{c_v}$.
Notation: $PK\{(\alpha): y = g^\alpha\}$.
Zero Knowledge Proofs: Security
Simulating the modified protocol (large domain for $c$):
- Receive $h$. Choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$, send $t$.
- After having received $c_v$, "reboot" the verifier to the point after it sent $h$.
- Choose random $s'$, compute $t = g^{s'} y^{c_v}$, send $t$.
- Receive $c_v$ again (the verifier is bound to it by $h$), send $s'$.
From Protocols To Signatures
Signing a message $m$:
- choose random $r \in \mathbb{Z}_q$ and
- compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
- check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
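The signing and verification steps above as an added Python example (not the slides' code), with SHA-256 standing in for the random oracle H and the same constructed toy group p = 2039, q = 1019, g = 4.

```python
import hashlib
import secrets

# Constructed toy group (labelled): p = 2q + 1, q = 1019 prime, g = 4 of order q.
P, Q, G = 2039, 1019, 4


def H(t, m):
    """Random-oracle stand-in: c = H(t || m) reduced into Z_q.
    t is encoded with a fixed width so that t || m is unambiguous."""
    data = t.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Signer's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m):
    """SPK{(alpha): y = g^alpha}(m): choose r, c = H(g^r || m), s = r - c x mod q.
    The challenge now comes from the hash, so no verifier interaction is needed."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = H(t, m)
    s = (r - c * x) % Q
    return c, s


def verify(y, m, sig):
    """Recompute t = g^s y^c from the signature and check c = H(t || m).
    A changed message (or a different public key) changes the hash input, so
    the signature is bound to both."""
    c, s = sig
    if not (0 <= c < Q and 0 <= s < Q):
        return False
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == H(t, m)
```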
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
- $PK\{(\alpha,\beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
- $PK\{(\alpha,\beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
- $SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
- $PK\{(\alpha,\beta,\gamma,\delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
- $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A,B]\}$
- $PK\{(\alpha): y = g^\alpha \wedge z = g'^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(g'))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1,\beta_1,\alpha_2,\beta_2,\alpha_3,\beta_3): C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge C_3 = g^{\alpha_3}h^{\beta_3} \wedge C_3 = g^{\alpha_1}g^{\alpha_2}h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1}h^{\beta_1}$, $C_2 = g^{\alpha_2}h^{\beta_2}$ and
$C_3 = g^{\alpha_1}g^{\alpha_2}h^{\beta_3} = g^{\alpha_1+\alpha_2}h^{\beta_3} = g^{\alpha_3}h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1,\ldots,\beta_3): C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge C_3 = g^{\alpha_3}h^{\beta_3} \wedge C_3 = g^{\alpha_1}(g^5)^{\alpha_2}h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1}g^{5\alpha_2}h^{\beta_3} = g^{\alpha_1+5\alpha_2}h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1,\ldots,\beta_3): C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge C_3 = g^{\alpha_3}h^{\beta_3} \wedge C_3 = C_2^{\alpha_1}h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1}h^{\beta_1}$, $C_2 = g^{\alpha_2}h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1}h^{\beta_3} = (g^{\alpha_2}h^{\beta_2})^{\alpha_1}h^{\beta_3} = g^{\alpha_2\cdot\alpha_1}h^{\beta_3+\beta_2\cdot\alpha_1}$
$C_3 = g^{\alpha_2\cdot\alpha_1}h^{\beta_3+\beta_2\cdot\alpha_1} = g^{\alpha_3}h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1,\ldots,\beta_2): C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge C_2 = C_1^{\alpha_1}h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1,\ldots,\beta_2): C_1 = g^{\alpha_1}h^{\beta_1} \wedge C_2 = g^{\alpha_2}h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1}h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1}h^{\beta_1}$
$g = (C_2/C_1)^{\alpha_1}h^{\beta_2} = (C_2\, g^{-\alpha_1}h^{-\beta_1})^{\alpha_1}\, h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1}h^{-\beta_1}\, h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1}h^{\beta_1}h^{-\beta_2/\alpha_1}g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1}h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2}h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy-ABCs (figure): Alice's credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs.

Signature schemes
Signature Scheme Functionality (figure)
- Key generation: the signer generates a signing key and a public verification key.
- Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \text{signing key})$.
- Verification: anyone holding the public key checks $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{public key}) = \mathrm{true}$.
Signature Scheme Security (figure): Unforgeability under Adaptive Chosen Message Attack
- The adversary adaptively asks for signatures $(m_1, \sigma_1), \ldots, (m_l, \sigma_l)$ on messages of its choice.
- It wins if it outputs $\sigma$ and $m \ne m_i$ s.t. $\mathrm{ver}(\sigma, m, \text{public key}) = \mathrm{true}$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of a signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d\cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Wanna do a proof of knowledge of a signature on a message, e.g.
$PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
- choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
  $c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^s)\right)^{1/e} \bmod n$
- the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$.
Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy-ABCs (figure): Alice's credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs.

Commitment scheme
Commitment Scheme Functionality (figure): the committer locks message $m$ in a box and hands over the box; later she opens it by revealing $m$ (and the lock combination).
Commitment Scheme Security (figure):
- Binding: once the box is handed over, the committer cannot open it to a different message $m' \ne m$.
- Hiding: for all messages $m, m'$ the closed boxes look the same, so the receiver cannot tell which message is inside.
Commitment Schemes
Group $G = \langle g\rangle = \langle h\rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
- reveal $x$ and $r$ to the verifier
- the verifier checks whether $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x+ur} = g^{(x+ur)+u(r'-r')} = g^{x+ur'} h^{r-r'}$ for any $r'$.
I.e., given $c$ and $x'$ there exists $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x-x'} = h^{r'-r}$ and $u = \log_g h = (x-x')/(r'-r) \bmod q$.
Commitment Scheme Extended Features (figure)
- Proof of knowledge of contents: the committer proves she knows the $m$ inside the box without opening it.
- Proof of relations among contents: given two boxes, she proves e.g. $m' = 2 \cdot m$ without opening either.
Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta, \gamma): C = g^\beta h^\alpha \wedge C' = (g^2)^\beta h^\gamma\}$
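Pedersen commitments with the two extended features, as an added Python example (not from the slides): the binding and hiding arguments of the previous slide carried out numerically, and a Fiat-Shamir (non-interactive) version of PK{(α,β,γ): C = g^β h^α ∧ C' = (g^2)^β h^γ} proving that C' commits to 2·m. The toy group p = 2039, q = 1019, g = 4 and the secret u = log_g h are constructed; in a real setup nobody knows u.

```python
import hashlib
import secrets

# Constructed toy group (labelled): p = 2q+1, q = 1019 prime, g = 4 of order q.
P, Q, G = 2039, 1019, 4
# Constructed secret u = log_g h, kept only so the hiding argument can be run;
# real parameters are generated so that nobody knows this value.
_U = 357
Hh = pow(G, _U, P)


def commit(x, r):
    """Pedersen commitment c = g^x h^r."""
    return pow(G, x, P) * pow(Hh, r, P) % P


def break_binding(x1, r1, x2, r2):
    """Binding: two openings (x1,r1) != (x2,r2) of one c yield u = log_g h,
    i.e. g^(x1-x2) = h^(r2-r1)  ->  u = (x1-x2)/(r2-r1) mod q."""
    if commit(x1, r1) != commit(x2, r2) or x1 == x2:
        raise ValueError("need two distinct openings of one commitment")
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q


def equivocate(x, r, x_new):
    """Hiding: whoever knows u can open c = g^x h^r to any x_new, since
    x + u r = x_new + u r_new determines r_new."""
    return (r + (x - x_new) * pow(_U, -1, Q)) % Q


def _challenge(*elems):
    """Fiat-Shamir challenge in [1, q-1] over the public values of the proof."""
    data = b"".join(e.to_bytes(2, "big") for e in elems)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def prove_double(C, C2, m, r, r2):
    """PK{(a,b,g): C = g^b h^a AND C2 = (g^2)^b h^g}, made non-interactive:
    shows C2 commits to 2*m without opening either commitment."""
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    T1 = pow(G, rb, P) * pow(Hh, ra, P) % P
    T2 = pow(G, 2 * rb, P) * pow(Hh, rg, P) % P
    c = _challenge(C, C2, T1, T2)
    # responses s = r - c*w, mirroring the slides' s = r - c x
    return c, (rb - c * m) % Q, (ra - c * r) % Q, (rg - c * r2) % Q


def verify_double(C, C2, proof):
    """Recompute T1 = g^sb h^sa C^c and T2 = g^(2 sb) h^sg C2^c; the same
    exponent sb is used for both, which is what ties C2's value to 2*m."""
    c, sb, sa, sg = proof
    T1 = pow(G, sb, P) * pow(Hh, sa, P) * pow(C, c, P) % P
    T2 = pow(G, 2 * sb, P) * pow(Hh, sg, P) * pow(C2, c, P) % P
    return c == _challenge(C, C2, T1, T2)
```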
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g\rangle = \langle h\rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
- choose random $r \in \mathbb{Z}_q$
- compute $Nym = g^{sk} h^r$
Like PKI, but better: issuing a credential (figure). Privacy-protecting authentication with Privacy-ABCs, concept credentials: the issuer signs attributes such as Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages (figure)
The user commits to $m_1, \ldots, m_j$ and the signer produces $\sigma = \mathrm{sig}((\text{commitment to } m_1, \ldots, m_j;\ m_{j+1}, \ldots, m_k), \text{signing key})$; the user ends up with a signature for which $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{public key}) = \mathrm{true}$.
Verification remains unchanged. Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the message clear parts and the openings of the commitments
Realizing Issuance of Credential (figure, issuer public key $n, a_i, b, d$)
- User: compute $C = a_1^{sk} b^{s'}$, send $C$ and $name$ together with $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$.
- Issuer: choose $e, s''$, compute $c = \left(d / (C\, a_2^{name} b^{s''})\right)^{1/e} \bmod n$ and send $(c, e, s'')$.
- Result: $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$, i.e. $(c, e, s' + s'')$ is a signature on $(sk, name)$ although the issuer never saw $sk$.
Realizing Issuance of Credential (issuer public key $n, a_i, b, d$)
Want to sign w.r.t. $Nym = g^{sk} h^r$.
- User: send $Nym = g^{sk} h^r$, $name$ and $C = a_1^{sk} a_2^{r} b^{s'}$ together with
  $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
- Issuer: store $(Nym, name)$, compute $c = \left(d / (C\, a_3^{name} b^{s''})\right)^{1/e} \bmod n$ and send $(c, e, s'')$.
- Result: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
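The CL signature (sign, verify, re-randomise c' = c·b^t) of the earlier slides and the blind issuance on a committed secret key of the last slides, as one added Python example that is not Identity Mixer code. The modulus n = 1019·2039, 4-bit messages and the matching prime range for e are a constructed toy instance, and the PK proofs the user sends to the issuer are not implemented, only the algebra they certify.

```python
import secrets

# Constructed toy instance (labelled): n = p*q with safe primes p = 1019, q = 2039;
# messages are L = 4 bits, so the signature prime e lies in (2^(L+1), 2^(L+2)).
# Identity Mixer uses a 2048-bit n and 256-bit messages; the algebra is identical.
P_, Q_ = 1019, 2039
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
L = 4


def _is_prime(x):
    return x > 1 and all(x % k for k in range(2, int(x ** 0.5) + 1))


E_RANGE = [e for e in range(2 ** (L + 1) + 1, 2 ** (L + 2)) if _is_prime(e)]


def keygen():
    """Public key: a_1, a_2, b, d in QR_n (squares of units); secret: phi(n)."""
    pk = {"a": [pow(3, 2, N), pow(5, 2, N)], "b": pow(11, 2, N), "d": pow(13, 2, N)}
    return pk, PHI


def _base(pk, ms, s):
    """a_1^{m_1} a_2^{m_2} b^s mod n (a negative s is fine: Python inverts b)."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], ms):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def _root(sk_phi, value, e):
    """Signer-only step: the e-th root of value mod n via d_e = e^{-1} mod phi(n)."""
    return pow(value, pow(e, -1, sk_phi), N)


def sign(pk, sk_phi, ms):
    """c = (d / (a_1^{m_1} a_2^{m_2} b^s))^{1/e} mod n with random prime e and s ~ n."""
    e = secrets.choice(E_RANGE)
    s = N + secrets.randbelow(N)
    c = _root(sk_phi, pk["d"] * pow(_base(pk, ms, s), -1, N) % N, e)
    return c, e, s


def verify(pk, ms, sig):
    """d == c^e a_1^{m_1} a_2^{m_2} b^s mod n, with e a prime above 2^(L+1)."""
    c, e, s = sig
    if not (_is_prime(e) and 2 ** (L + 1) < e < 2 ** (L + 2)):
        return False
    if any(not 0 <= m < 2 ** L for m in ms):
        return False
    return pk["d"] == pow(c, e, N) * _base(pk, ms, s) % N


def rerandomize(pk, sig):
    """(c', e, s') = (c b^t, e, s - e t) is a fresh-looking signature on the
    same messages; a presentation reveals c' and proves knowledge of e, s'."""
    c, e, s = sig
    t = 1 + secrets.randbelow(999)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def user_commit(pk, sk):
    """Issuance step 1 (user): hide sk in C = a_1^sk b^{s'}; s' stays with the user."""
    s1 = secrets.randbelow(N)
    return _base(pk, [sk], s1), s1


def issuer_sign_hidden(pk, sk_phi, C, name):
    """Issuance step 2 (issuer): c = (d / (C a_2^name b^{s''}))^{1/e}; sk is never seen."""
    e = secrets.choice(E_RANGE)
    s2 = secrets.randbelow(N)
    value = C * pow(pk["a"][1], name, N) * pow(pk["b"], s2, N) % N
    return _root(sk_phi, pk["d"] * pow(value, -1, N) % N, e), e, s2


def user_complete(partial, s1):
    """Issuance step 3 (user): (c, e, s'' + s') is a signature on (sk, name)."""
    c, e, s2 = partial
    return c, e, s2 + s1
```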
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
- A user can voice her opinion only once (subsequent attempts are dropped).
- Users want to be anonymous: a user's opinions in different polls must not be linkable.
Polling – Solution: Registration
- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer's public key $(n, a_1, a_2, b, d)$.
- The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym with domain = pollID.
2. The user transforms her credential.
3. She presents the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$.
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
   - $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
   - $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
Further Concepts

Concept – Inspection (figure: TTP with inspector parameters and inspection grounds)
- If the car is damaged, the ID must be retrievable by the insurance or the government.
- Similarly, any certified attribute can be verifiably encrypted (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption (figure): key generation, encryption, decryption.
Security (figure): like envelopes, the ciphertext reveals no information about the message, not even which of two candidate messages was encrypted. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label (figure)
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g\rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g\rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- thus set $m = c_1 \cdot c_2^{-x} = y^r m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and a credential with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u\, Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
- compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
- compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of credentials

Anonymous Credential Revocation (figure): the issuer publishes revocation info, the verifier looks it up.
There are various reasons to revoke a credential: the user lost the credential (secret key), misbehaviour of the user, ...
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
- the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
- It can pre-compute the list $U_i = h^{u_i}$ → single table lookup.
- BUT if the user comes again, the verifier can link her; ALSO the verifier could not change $h$ at all or use the same $h$ as other verifiers.
- One way out: $h = H(verifier, date)$, so the user can check correctness; the date could be the time up to seconds and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof (figure)
- The issuer signs the intervals between revoked serial numbers: revocation list $\{1, 4, 5\}$ → $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$.
- A user whose credential contains serial number $3$ proves that she holds some $Sig(i, j)$ with $i < 3 < j$.
- The verifier does not learn $i$ and $j$.
- $Sig(i,j)$ can be realised with the credential signature scheme as well, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators (figure)
- Credentials contain a random serial number (in the figure: 1, 2, 3, 4, 5, 6).
- The issuer accumulates all good serial numbers into one accumulator value.
- Proving that a serial number (e.g. 2) is included in the accumulator requires a witness.
- To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish $z$ and $n$
- witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
- provide $x$ for $e$
- the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show a pair $(x, e)$ with $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- for fixed $e$: equivalent to the RSA assumption
- for any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$ and each user gets the witness $x$ together with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to $x$:
  - choose random $s$ and $g$, and
  - compute $U_1 = x\, h^s$, $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$
- Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
- No information about $x$ and $e$ is revealed:
  - $(U_1, U_2)$ is a secure commitment to $x$
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta\mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta\mu} = (U_1 h^{-\delta})^{\mu} \pmod n$
  c) $d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
- now $z' = v^{\prod_{i \ne rev} e_i} = z^{1/e_{rev}} \bmod n$
- witness:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  - now $x' = x^{b} z'^{a} \bmod n$
  - why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
    $= ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n$
    $= z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
- recall $z = v^{\prod e_i} \bmod n$
- actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
- thus $z$ need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
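The dynamic accumulator of the last slides, as an added Python example (not the slides' code): accumulate, witness, membership check, joining with and without the trapdoor, and revocation with the extended-Euclid witness update. The modulus n = 1019·2039 and the prime serial numbers are a constructed toy instance.

```python
import secrets

# Constructed toy instance (labelled): n = p*q with safe primes; accumulated
# values are small primes coprime to phi(n). Real systems use a 2048-bit n.
P_, Q_ = 1019, 2039
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)


def setup(seed=None):
    """Seed v in QR_n (a square of a unit); the issuer keeps phi(n) as trapdoor."""
    base = seed if seed is not None else 2 + secrets.randbelow(N - 3)
    return pow(base, 2, N), PHI


def accumulate(v, primes):
    """z = v^(prod e_i) mod n and a witness x_j = v^(prod_{i != j} e_i) for each e_j."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    witnesses = {}
    for e_j in primes:
        x = v
        for e in primes:
            if e != e_j:
                x = pow(x, e, N)
        witnesses[e_j] = x
    return z, witnesses


def is_member(z, e, x):
    """Verifier check: z == x^e mod n."""
    return z == pow(x, e, N)


def join_without_trapdoor(z, witnesses, e_new):
    """Join as on the first dynamic-accumulator slide: z' = z^{e_new}, every
    existing witness becomes x' = x^{e_new}, and the old z is the newcomer's witness."""
    new_witnesses = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    new_witnesses[e_new] = z
    return pow(z, e_new, N), new_witnesses


def join_with_trapdoor(z, phi, e_new):
    """Improved join (issuer knows the factorization): z is unchanged, the
    newcomer gets x = z^{1/e_new}; existing witnesses stay valid."""
    return pow(z, pow(e_new, -1, phi), N)


def revoke(z, phi, e_rev):
    """Issuer publishes z' = z^{1/e_rev} mod n."""
    return pow(z, pow(e_rev, -1, phi), N)


def update_witness(x, e_own, e_rev, z_new):
    """Remaining members update their own witness: with a*e_own + b*e_rev = 1
    (extended Euclid), x' = x^b * z'^a satisfies x'^{e_own} = z'."""
    a = pow(e_own, -1, e_rev)          # a*e_own == 1 (mod e_rev)
    b = (1 - a * e_own) // e_rev       # exact division: e_rev | 1 - a*e_own
    return pow(x, b, N) * pow(z_new, a, N) % N
```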
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive).
Recall issuing for Identity Mixer (figure):
- the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- the issuer chooses $e, s''$ and computes $c = \left(d / (U\, a_3^{m_3} a_4^{time} b^{s''})\right)^{1/e} \bmod n$
- the user receives $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive).
Idea: just repeat the last step for each new time $time_i$:
- choose $e_i, s_i''$
- $c_i = \left(d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''})\right)^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
- explain possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
- Ateniese, Song and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
- Jan Camenisch, Natalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Subscriptions, membership
- Patent databases
- DNA databases
- News, journals, magazines
- Transportation tickets, toll roads
- Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).

Polls, recommendation platforms
- Online polls, applying different restrictions on the poll participants (location, citizenship, ...)
- Rating and feedback platforms
  - anonymous feedback for a course, only from the students who attended it
  - wikis
  - recommendation platforms
Providing anonymous but at the same time legitimate feedback.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer (figure)
Three layers on both the user's and the verifier's side: application layer, policy layer, crypto layer. The application issues a resource request; the policy layer exchanges the presentation policy and the presentation token.
- User wallet: credential manager, policy/credential matcher, evidence generation orchestration, store; crypto layer: Sig, Enc, Com, ZKP.
- Verifier: token manager, policy/token matcher, evidence verification orchestration, store, AC & app logic; crypto layer: Sig, Enc, Com, ZKP.
copy 2014 IBM Corporation46 August 11 2015
Privacy-protecting authentication with Privacy ABCs
12 lt age
(Issuer parameter)
Credential
Presentation token Presentation policy
Pseudonym
(Verifier parameter)
Credential specification
copy 2014 IBM Corporation47 August 11 2015User Verifier
presentation policy
presentation token
The Policy Layer ndash An Example Presentation policy
ltabcPresentationPolicy PolicyUID=httpsmoviescompresentationpoliciesmovie1gt ltabcMessagegt ltabcApplicationDatagt Terms and Conditions ltabcApplicationDatagt ltabcMessagegt
ltabcCredential Alias=vouchergt ltabcCredentialSpecAlternativesgt ltabcCredentialSpecUIDgthttpsmoviescomspecificationsvoucherltabcCredentialSpecUIDgt ltabcCredentialSpecAlternativesgt ltabcIssuerAlternativesgt ltabcIssuerParametersUIDgthttpsmoviescomparametersvoucherltabcIssuerParametersUIDgt ltabcIssuerAlternativesgt ltabcCredentialgt
ltabcAttributePredicate Function=urnoasisnamestcxacml10functiondateTime-geqgt ltabcAttribute CredentialAlias=voucher AttributeType=Expires gt ltabcConstantValuegt2014-06-17T140600ZltabcConstantValuegt ltabcAttributePredicategt ltabcPresentationPolicygt
copy 2014 IBM Corporation48 August 11 2015
So lets look at the cryptography
copy 2014 IBM CorporationAugust 11 2015
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
Required Technologies
copy 2014 IBM Corporation50 August 11 2015
zero-knowledge proofs
copy 2014 IBM Corporation51 August 11 2015
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties
zero-knowledgeverifier learns nothing about the provers secret
proof of knowledge (soundness)prover can convince verifier only if she knows the secret
completenessif prover knows the secret she can always convince the verifier
Commitment
Challenge
Response
copy 2014 IBM Corporation52 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs
Proof of knowledge if a prover can successfully convince a verifier then the secret need to be extractable
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box rarr we can reset and rerun prover Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
Zero-knowledge property
If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2014 IBM Corporation55 August 11 2015
One way to modify protocol to get large domain c
t = gs yc
Prover
random r
t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2014 IBM Corporation57 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM Corporation58 August 11 2015
From Protocols To Signatures
Signing a message m- chose random r Є Zq and
- compute c = H(gr||m) = H(t||m) s = r - cx mod (q)
- output (cs)
Verifying a signature (cs) on a message m
- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα
PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
SPK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)
PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2014 IBM Corporation60 August 11 2015
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
   C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
   C3 = g^α1 g^α2 h^β3 = g^(α1 + α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, …, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 (g^5)^α2 h^β3 = g^(α1 + 5α2) h^β3
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
   C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
   C3 = C2^α1 h^β3 = (g^α2 h^β2)^α1 h^β3 = g^(α2·α1) h^(β3 + β2·α1)
   C3 = g^(α2·α1) h^(β3 + β2·α1) = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2}?
→ α2 = α1² (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, …, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2} mean?
→ Prover knows values α1, β1, β2 such that
   C1 = g^α1 h^β1
   g = (C2/C1)^α1 h^β2 = (C2 g^−α1 h^−β1)^α1 h^β2
→ g^(1/α1) = C2 g^−α1 h^−β1 h^(β2/α1)
   C2 = g^α1 h^β1 h^(−β2/α1) g^(1/α1) = g^(α1 + 1/α1) h^(β1 − β2/α1)
   C2 = g^α2 h^β2
→ α2 = α1 + α1^−1 (mod q)
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice and the three building blocks: signature scheme, commitment scheme, zero-knowledge proofs]
Signature Schemes

Signature Scheme Functionality
  – Key Generation
  – Signing: σ = sig((m1, …, mk))
  – Verification: ver(σ, (m1, …, mk)) = true

Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack: the adversary obtains signatures (m1, σ1), …, (ml, σl) on messages of its choice and must not be able to output σ and m ≠ mi s.t. ver(σ, m) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret Key: two random primes p and q
Public Key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1),
  s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)

RSA Signature Scheme – for reference
Verification of a signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ:
  choose random prime 2^(ℓ+2) > e > 2^(ℓ+1) and integer s ≈ n, compute c:
  c = (d / (a1^m1 ··· ak^mk b^s))^(1/e) mod n
  signature is (c, e, s)

CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, …, mk:
  m1, …, mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
  d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^m1 a2^m2 b^s mod n
Observe:
  Let c' = c b^t mod n with randomly chosen t.
  Then d = c'^e a1^m1 a2^m2 b^(s − et) (mod n), i.e. (c', e, s' = s − et) is also a signature on m1 and m2.
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
  PK{(ε, µ1, σ): d/a2^m2 = c'^ε a1^µ1 b^σ ∧ µ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
→ proves d = c'^ε a1^µ1 a2^m2 b^σ
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice and the three building blocks: signature scheme, commitment scheme, zero-knowledge proofs]

Commitment Schemes

Commitment Scheme Functionality
[Figure: a message m is sealed in a commitment (an "envelope"); the commitment is sent, and later opened to reveal m]

Commitment Scheme Security
Binding: [Figure: a commitment opened to m = 2-36-17 cannot also be opened to a different m' = 3-21-11]
Hiding: for all messages m, m': [Figure: a commitment to m cannot be told apart from a commitment to m']
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
  • Pedersen: perfectly hiding, computationally binding; choose r ∈ Z_q and compute c = g^x h^r
  • ElGamal: computationally hiding, perfectly binding; choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open commitment:
  • reveal x and r to verifier
  • verifier checks if c = g^x h^r

Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
  Let c be a commitment and u = log_g h.
  Thus c = g^x h^r = g^(x + ur) = g^((x + ur') + u(r − r')) = g^(x + ur') h^(r − r') for any r'.
  I.e. given c and any x', there exists r'' such that c = g^x' h^r''.
Computationally binding:
  Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'.
  Then g^(x − x') = h^(r' − r) and u = log_g h = (x − x')/(r' − r) mod q.
Commitment Scheme Extended Features
Proof of Knowledge of Contents: [Figure: the prover shows that she knows the m inside a commitment; the verifier outputs true]
Proof of Relations among Contents: [Figure: the prover shows that the contents of two commitments satisfy m' = 2·m; the verifier outputs true]
Let C1 = g^m h^r and C2 = g^m' h^r', then
  PK{(α, β): C1 = g^β h^α}
  PK{(α, β, γ): C1 = g^β h^α ⋀ C2 = (g^2)^β h^γ}
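The Pedersen scheme, the hiding/binding argument with the trapdoor u = log_g h, and the relation proof from the "Some Example Proofs" slides (C3 commits to α1 + α2), as an added Python example that is not from the original slides; the tiny group (p = 2039) and the bases g = 4, h = 49 are constructed here, and the challenge is passed in explicitly so the protocol can be run interactively or under Fiat-Shamir.

```python
import secrets

# Toy group constructed for this example (NOT secure): p = 2q + 1, and both
# g = 2^2 and h = 7^2 are quadratic residues, so both generate the subgroup
# of prime order q. Nobody is supposed to know log_g h; in this toy group it
# can be brute-forced, which real-size parameters rule out.
P, Q = 2039, 1019
G, H = 4, 49


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r; returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_commitment(c, x, r):
    """Verifier side: check c = g^x h^r."""
    return c == pow(G, x, P) * pow(H, r, P) % P


# --- hiding and binding, as argued on the slide ---

def brute_force_log(base, target):
    """log_base(target) by exhaustive search; feasible only in this toy group."""
    acc = 1
    for k in range(Q):
        if acc == target:
            return k
        acc = acc * base % P
    raise ValueError("target not in the subgroup")


def equivocate(x, r, x_new, u):
    """With trapdoor u = log_g h, reopen g^x h^r to x_new: r' = r + (x - x_new)/u."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def extract_trapdoor(x, r, x2, r2):
    """Two openings of one commitment reveal u = (x - x2)/(r2 - r) mod q."""
    return (x - x2) * pow(r2 - r, -1, Q) % Q


# --- PK{(a1,b1,a2,b2,b3): C1 = g^a1 h^b1 ∧ C2 = g^a2 h^b2 ∧ C3 = g^a1 g^a2 h^b3}
# Three-move protocol with the slides' convention s = mask - c*secret.
# The same masks rho1, rho2 are reused in t3, which is what ties the exponent
# of C3 to a1 + a2.

def sum_proof_commit():
    """Move 1: random masks and t-values t1, t2, t3."""
    rho1, rho2 = secrets.randbelow(Q), secrets.randbelow(Q)
    sig1, sig2, sig3 = [secrets.randbelow(Q) for _ in range(3)]
    t1 = pow(G, rho1, P) * pow(H, sig1, P) % P
    t2 = pow(G, rho2, P) * pow(H, sig2, P) % P
    t3 = pow(G, rho1 + rho2, P) * pow(H, sig3, P) % P
    return (rho1, sig1, rho2, sig2, sig3), (t1, t2, t3)


def sum_proof_respond(masks, witness, c):
    """Move 3: responses for the witness (a1, b1, a2, b2, b3)."""
    return tuple((m - c * w) % Q for m, w in zip(masks, witness))


def run_sum_proof(witness, c):
    """Full prover side for a given challenge c."""
    masks, ts = sum_proof_commit()
    return ts, sum_proof_respond(masks, witness, c)


def sum_proof_verify(C1, C2, C3, ts, c, ss):
    """Check t_i = g^s h^s C_i^c; for C3 the g-exponent is s_a1 + s_a2."""
    s_a1, s_b1, s_a2, s_b2, s_b3 = ss
    t1, t2, t3 = ts
    ok1 = t1 == pow(G, s_a1, P) * pow(H, s_b1, P) * pow(C1, c, P) % P
    ok2 = t2 == pow(G, s_a2, P) * pow(H, s_b2, P) * pow(C2, c, P) % P
    ok3 = t3 == pow(G, s_a1 + s_a2, P) * pow(H, s_b3, P) * pow(C3, c, P) % P
    return ok1 and ok2 and ok3
```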
Putting Things Together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
  – Choose random r ∈ Z_q
  – Compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better
[Figure: issuing a credential to Alice with the attributes Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk:
  – m1, …, mk ∈ {0,1}^ℓ
  – e > 2^(ℓ+1)
  – d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: pseudonym not in message space
Solution: sign secret key instead
  → d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New Problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
[Figure: the user commits to the hidden messages m1, …, mj; the signer sees only the commitment and the clear messages mj+1, …, mk and outputs σ = sig((commitment to (m1, …, mj), mj+1, …, mk)); afterwards ver(σ, (m1, …, mk)) = true]
Verification remains unchanged.
Security requirements basically the same as for signatures, but:
  • signer should not learn any information about m1, …, mj
  • forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
  1. User computes C = a1^sk b^s' and sends C together with the clear attribute name and the proof
     PK{(µ1, σ'): C = a1^µ1 b^σ'}
  2. Issuer computes c = (d / (C a2^name b^s''))^(1/e) mod n and sends (c, e, s'')
  3. Result: d = c^e a1^sk a2^name b^(s'' + s') (mod n), i.e. the user holds the signature (c, e, s' + s'') on (sk, name)
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d. Want to sign w.r.t. Nym = g^sk h^r
  1. User computes Nym = g^sk h^r and C = a1^sk a2^r b^s', sends C, Nym and name together with the proof
     PK{(µ1, ρ, σ'): Nym = g^µ1 h^ρ ⋀ C = a1^µ1 a2^ρ b^σ'}
  2. Issuer computes c = (d / (C a3^name b^s''))^(1/e) mod n, stores (Nym, name) and sends (c, e, s'')
  3. Result: d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n)
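The CL signature (sign, verify, the re-randomization c' = c·b^t from "Proving Knowledge of a CL-signature", and issuance on a commitment C = a1^sk b^s' from the slides above), as an added Python example that is not from the original slides or from Identity Mixer; the toy modulus, the bases and the message length ℓ = 8 are constructed here, and the user's proof of knowledge of the committed sk is left out.

```python
import secrets
from math import gcd

# Toy RSA modulus with known factorization, constructed for this example
# (NOT secure: a real n has 2048+ bits). PHI is the issuer's secret.
_P, _Q = 10007, 10009
N = _P * _Q
PHI = (_P - 1) * (_Q - 1)
ELL = 8            # messages are ELL-bit integers
K = 2              # message slots: (m1, m2)


def _qr(x):
    """An element of QR_n (the slides take a_i, b, d from QR_n)."""
    return pow(x, 2, N)


A = [_qr(3), _qr(5)]   # bases a_1, a_2 (constructed)
B = _qr(7)             # base b
D = _qr(11)            # d


def _is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def _random_prime_e():
    """Random prime e with 2^(ELL+2) > e > 2^(ELL+1), invertible mod phi(n)."""
    while True:
        e = secrets.randbelow(1 << (ELL + 1)) + (1 << (ELL + 1)) + 1
        if e < (1 << (ELL + 2)) and _is_prime(e) and gcd(e, PHI) == 1:
            return e


def _eth_root_of_quotient(t, e):
    """Issuer only: c = (d / t)^(1/e) mod n, using the factorization of n."""
    return pow(D * pow(t, -1, N) % N, pow(e, -1, PHI), N)


def cl_sign(msgs):
    """Signature (c, e, s) with d = c^e a1^m1 a2^m2 b^s mod n."""
    e = _random_prime_e()
    s = secrets.randbelow(N)               # integer s of about the size of n
    t = pow(B, s, N)
    for a, m in zip(A, msgs):
        t = t * pow(a, m, N) % N
    return _eth_root_of_quotient(t, e), e, s


def cl_verify(msgs, sig):
    """Check m_i in {0,1}^ELL, e > 2^(ELL+1) and d = c^e a1^m1 a2^m2 b^s mod n."""
    c, e, s = sig
    if len(msgs) != K or any(not 0 <= m < (1 << ELL) for m in msgs):
        return False
    if e <= (1 << (ELL + 1)):
        return False
    lhs = pow(c, e, N) * pow(B, s, N) % N  # pow accepts a negative s (Python 3.8+)
    for a, m in zip(A, msgs):
        lhs = lhs * pow(a, m, N) % N
    return lhs == D


def rerandomize(sig):
    """(c b^t, e, s - e t) is another signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N - 1) + 1
    return c * pow(B, t, N) % N, e, s - e * t


# --- issuance on a hidden message: the user commits to sk, the issuer signs
# the commitment together with the clear attribute, the user adds up s' and s''

def user_commit(sk):
    """C = a1^sk b^s'; the user keeps s'."""
    s1 = secrets.randbelow(N)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1


def issue_on_commitment(C, clear_msgs):
    """c = (d / (C a2^m2 ... b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e = _random_prime_e()
    s2 = secrets.randbelow(N)
    t = C * pow(B, s2, N) % N
    for a, m in zip(A[1:], clear_msgs):
        t = t * pow(a, m, N) % N
    return _eth_root_of_quotient(t, e), e, s2
```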
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
  – Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
  – A user can voice an opinion only once (subsequent attempts are dropped)
  – Users want to be anonymous
  – A user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates a pseudonym (ID for registration).
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a1^sk a2^r a3^attr b^s (mod n)
The credential can contain attributes (e.g. course ID) about her.
Issuer's public key: (n, a1, a2, b, d)

Polling – Solution: Submit Poll
  1. User generates domain pseudonym, domain = pollID
  2. User transforms credential
  3. Transformed credential with a subset of the attributes
     – User is anonymous and unlinkable
     – Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
  1. Domain pseudonym P = g_d^sk = H(pollID)^sk
     P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
  2. User transforms credential
     – c' = c b^s' mod n with randomly chosen s'
     – SPK{(ε, µ1, µ2, µ3, σ): P = g_d^µ1 ⋀ d = c'^ε a1^µ1 a2^µ2 a3^µ3 b^σ (mod n) ⋀ µ1, µ2, µ3 ∈ {0,1}^ℓ ⋀ ε > 2^(ℓ+1)}(opinion)
Further Concepts

Concept – Inspection
[Figure: Alice presents her credential to the verifier together with a verifiable encryption of an identifying attribute under the inspector's (TTP's) public key; the inspector parameters and the inspection grounds are part of the presentation policy]
  • If the car is damaged, the ID needs to be retrieved, with the insurance or the government acting as inspector
  • Similarly, verifiably encrypt any certified attribute (optional)
  • TTP is off-line & can be distributed to lessen trust

Public Key Encryption
  – Key Generation
  – Encryption
  – Decryption

Security – Like Envelopes
No info about the message: given the encryption of one of two messages, an adversary cannot tell which one was encrypted.
This is called semantic security (secure if used once only, or within a careful construction).

Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption
  – Of attributes (discrete logarithm): Camenisch-Shoup (SRSA) – based on Paillier encryption
  – Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
  – Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open Problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, …, q}; Public key: y = g^x
To encrypt message m ∈ <g>:
  – choose random r ∈ {1, …, q}
  – compute c = (y^r m, g^r)
To decrypt ciphertext c = (c1, c2):
  – We know c = (y^r m, g^r) = (g^(xr) m, g^r)
  – Thus set m = c1 c2^−x = y^r m g^(−xr) = y^(r − r) m = m

Realizing Inspection
Nym = g^sk h^r; credential d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n); inspector's public key y = g^x
Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute proof token (presentation token):
  – compute c' = c b^t mod n with randomly chosen t
  – compute proof
    PK{(ε, µ1, µ2, µ3, σ, ρ): d = c'^ε a1^µ1 a2^µ2 a3^µ3 b^σ ∧ e1 = y^ρ g^µ1 h^µ2 ∧ e2 = g^ρ ∧ µ1, µ2, µ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
Revocation of Credentials

Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
Various reasons to revoke a credential: user lost the credential secret key, misbehavior of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, …, uk)
Alice proves that her u_i is on the list:
  – Choose random g
  – Compute U_j = g^u_j for u_j in (u1, …, uk)
  – Prove PK{(ε, µ, ρ, σ): (d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U1 = g^µ) ∨ … ∨ (d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ Uk = g^µ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
Publish the list of all invalid u_i's: (u1, …, uk)
Alice proves that her u_i is not on the list:
  – Choose random h and compute U = h^u_i
  – Prove PK{(ε, µ, ρ, σ): d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U = h^µ}
  – Verifier checks whether U = h^u_j for any u_j on the list (if so, the credential is revoked)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable.

Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
  – Can pre-compute the list U_i = h^u_i
  → single table lookup, BUT if the user comes again the verifier can link; ALSO the verifier could refuse to change h at all, or use the same h as other verifiers
  – one way out: h = H(verifier, date), so the user can check correctness
  – date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution
… better implementation of the proof:
Issuer signs the intervals between revoked values → for revocation list {1, 4, 5} (N being the largest possible value) it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N).
The user proves that her credential contains u, that she holds Sig(i,j), and that i < u < j.
[Figure: the user's value 3 lies in the signed interval (1,4)]
The verifier does not learn i, j.
Sig(i,j) can be realised also with the credential signature scheme using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the issuer accumulates all good serial numbers 1, …, 6; credentials contain a random serial number; proving that the credential's serial number (e.g. 2) is included in the accumulator requires a witness]
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
  – values are primes e_i
  – accumulator value z = v^(Π e_i) mod n
  – publish z and n
  – witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e1 ··· e_(j−1) · e_(j+1) ··· ek) mod n
Show that your value e is contained in the accumulator:
  – provide x for e
  – verifier checks z = x^e mod n

Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
  – For fixed e: equivalent to the RSA assumption
  – Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets a witness x with the certificate. But we still need:
  – Efficient protocol to prove that a committed value is contained in the accumulator
  – Dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
  – Commit to x:
    • choose random s and g, and
    • compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
  – Run the proof protocol with the verifier:
    PK{(ε, µ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ z = U1^µ (1/h)^ξ (mod n) ∧ 1 = U2^µ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}

Revocable Credentials: Third Solution
Analysis:
  – No information about x and e is revealed:
    • (U1, U2) is a secure commitment to x
    • the proof protocol is zero-knowledge
  – The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
    a) 1 = U2^µ (1/g)^ξ = (g^δ)^µ (1/g)^ξ (mod n)  ⇒  ξ = δ·µ
    b) z = U1^µ (1/h)^ξ = U1^µ (1/h)^(δ·µ) = (U1 / h^δ)^µ (mod n)
    c) d = c^ε a1^ρ a2^µ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator: when a new user gets a certificate containing e_new
  – Recall z = v^(Π e_i) mod n
  – Thus z' = z^e_new mod n
  – But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^e_new mod n

Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
  – Now z' = v^(Π e_i) = z^(1/e_rev) mod n
  – Witness:
    • Use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
    • Now x' = x^b z'^a mod n
    • Why? x'^e_own = ((x^b z'^a)^e_own)^(e_rev · 1/e_rev) mod n
      = ((x^b z'^a)^(e_own e_rev))^(1/e_rev) mod n = ((x^e_own)^(b e_rev) (z'^e_rev)^(a e_own))^(1/e_rev) mod n = (z^(b e_rev) z^(a e_own))^(1/e_rev) mod n
      = z^(1/e_rev) mod n = z' :-)

Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
  – Recall z = v^(Π e_i) mod n
  – Actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and x = z^(1/e_new) mod n
  – Thus z needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
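The RSA accumulator of the third solution, with witness computation, the dynamic add, the revocation step (witness update via extended Euclid without the trapdoor) and the improved join using the factorization, as an added Python example that is not from the original slides; the toy modulus and the seed v are constructed here.

```python
# Toy RSA modulus with known factorization, constructed for this example
# (NOT secure: a real n has 2048+ bits). Only the issuer knows PHI.
_P, _Q = 10007, 10009
N = _P * _Q
PHI = (_P - 1) * (_Q - 1)
V = pow(13, 2, N)   # seed v, an element of QR_n (constructed)


def accumulate(values):
    """z = v^(prod e_i) mod n; the values are the primes bound to credentials."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j):
    """x = v^(product of all e_i except e_j) mod n, so that x^e_j = z."""
    x = V
    for e in values:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify_membership(z, e, x):
    """Verifier check: z = x^e mod n."""
    return pow(x, e, N) == z


# --- dynamic accumulator: joining without the trapdoor ---

def add_value(z, e_new):
    """New certificate with e_new: z' = z^e_new mod n."""
    return pow(z, e_new, N)


def update_witness_after_add(x, e_new):
    """Every existing witness has to be raised to e_new as well."""
    return pow(x, e_new, N)


# --- revocation: the issuer removes e_rev using the factorization ---

def revoke(z, e_rev):
    """z' = z^(1/e_rev) mod n via the inverse of e_rev modulo phi(n)."""
    return pow(z, pow(e_rev, -1, PHI), N)


def _bezout(a, b):
    """Extended Euclid: returns (u, v) with u*a + v*b = gcd(a, b)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_u, old_v


def update_witness_after_revoke(x, z_new, e_own, e_rev):
    """User side, no trapdoor needed: with a*e_own + b*e_rev = 1 set
    x' = x^b z'^a; then x'^e_own = z^b z'^(a e_own) = z'^(b e_rev + a e_own) = z'.
    pow() handles the negative Bezout coefficient (Python 3.8+)."""
    a, b = _bezout(e_own, e_rev)
    return pow(x, b, N) * pow(z_new, a, N) % N


# --- improved join: the issuer knows phi(n), so z stays the same ---

def witness_from_trapdoor(z, e_new):
    """x = z^(1/e_new): a witness for e_new without changing z or other witnesses."""
    return pow(z, pow(e_new, -1, PHI), N)
```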
Revocation: Zeroth Solution
Update of Credentials: encode the validity time as an attribute
  – no additional effort for the verifier
  – if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
  – User sends U = a1^m1 a2^m2 b^s'
  – Issuer chooses e, s'' and computes c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n, returns (c, e, s'')

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i:
  – choose e_i, s_i'' and compute c_i = (d / (U a3^m3 a4^time_i b^s_i''))^(1/e_i) mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links:
  – www.abc4trust.eu
  – www.futureID.eu
  – www.au2eu.eu
  – www.PrimeLife.eu
  – www.zurich.ibm.com/idemix
  – idemixdemo.zurich.ibm.com
Code:
  – github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Polls, recommendation platforms
Online polls – applying different restrictions on the poll participants: location, citizenship
Rating and feedback platforms
  – anonymous feedback for a course only from the students who attended it
  – wikis
  – recommendation platforms
Providing anonymous but at the same time legitimate feedback

Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer
[Figure: three layers on both the user and the verifier side. Application layer: resource request, exchange of presentation policy and presentation token. Policy layer, user side: wallet with policy/credential matcher, credential manager, store and evidence generation orchestration; verifier side: policy/token matcher, token manager, store and evidence verification orchestration. Crypto layer: Sig, Enc, Com, ZKP primitives with AC & app logic and a store.]

Privacy-protecting authentication with Privacy ABCs
[Figure: a credential specification and issuer parameters define a credential; from the credential and a pseudonym the user derives a presentation token that satisfies the verifier's presentation policy (verifier parameter), e.g. proving 12 < age]

The Policy Layer – An Example Presentation Policy
User ↔ Verifier: presentation policy, presentation token
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>

So let's look at the cryptography

Required Technologies
  – Encryption schemes
  – Signature schemes
  – Commitment schemes
  – Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (three moves: commitment, challenge, response).
Properties:
  – zero-knowledge: the verifier learns nothing about the prover's secret
  – proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
  – completeness: if the prover knows the secret, she can always convince the verifier

Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>.
Prover wants to convince verifier that she knows x s.t. y = g^x, such that verifier only learns y and g.
  Prover:   random r, t = g^r; sends t
  Verifier: random c; sends c
  Prover:   s = r − c·x; sends s
  Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}

Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same t with challenges c ≠ c', obtaining responses s and s':
  t = g^s y^c = g^s' y^c'  →  y^(c − c') = g^(s' − s)
  → y = g^((s' − s)/(c − c'))
  → x = (s' − s)/(c − c') mod q

Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees":
  – Choose random c', s', compute t = g^s' y^c' and send t
  – if c = c', send s = s', otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
One way to modify protocol to get large domain c
t = gs yc
Prover
random r
t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2014 IBM Corporation57 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM Corporation58 August 11 2015
From Protocols To Signatures
Signing a message m- chose random r Є Zq and
- compute c = H(gr||m) = H(t||m) s = r - cx mod (q)
- output (cs)
Verifying a signature (cs) on a message m
- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα
PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
SPK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)
PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2014 IBM Corporation60 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
rarr α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
rarr a3 = a1 + 5 a2 (mod q)
copy 2014 IBM Corporation61 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
rarr a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
CL-Signature Scheme

To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$, check
– $m_1, \ldots, m_k \in \{0,1\}^\ell$ and $e > 2^{\ell+1}$
– $d = c^e \, a_1^{m_1} \cdots a_k^{m_k} \, b^s \bmod n$

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature

Recall: $d = c^e \, a_1^{m_1} a_2^{m_2} \, b^s \bmod n$.

Observe: let $c' = c \, b^t \bmod n$ with randomly chosen $t$.
Then $d = c'^e \, a_1^{m_1} a_2^{m_2} \, b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.

To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and run
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} \, a_1^{\mu_1} \, b^{\sigma} \;\wedge\; \mu_1 \in \{0,1\}^\ell \;\wedge\; \varepsilon > 2^{\ell+1}\}$
→ this proves $d = c'^{\varepsilon} \, a_1^{\mu_1} a_2^{m_2} \, b^{\sigma}$.
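The CL-signature slides above (signing, verification, and the re-randomization $c' = c\,b^t$, $s' = s - et$), together with the issuance-on-a-commitment slides further down, as an added Python example that is not code from the slides or from Identity Mixer. It assumes toy safe primes $p = 1019$, $q = 1187$ and $\ell = 16$, chosen so the example runs instantly; the zero-knowledge proof that the user's commitment is well formed is left out.

```python
"""CL signatures as on the slides: sign k messages under an RSA modulus,
verify, re-randomize a signature (c' = c b^t, s' = s - e t) so that repeated
showings cannot be linked by c, and issue on a committed (hidden) message.
Added example, not the slides' code.  Toy parameters: p and q are safe primes
small enough to run instantly and far too small for real use."""
import math
import secrets

ELL = 16        # message length l: m_i in {0,1}^l, prime e in (2^(l+1), 2^(l+2))


def _is_prime(n):
    """Trial division; enough for the 18-bit primes e used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))


def _random_qr(n):
    """Random quadratic residue mod n: the square of a random unit."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return pow(r, 2, n)


class Issuer:
    """Secret key: the factors of n.  Public key: n and a_1..a_k, b, d in QR_n."""

    def __init__(self, p, q, k):
        self.n = p * q
        self.phi = (p - 1) * (q - 1)          # lets the issuer take e-th roots
        self.a = [_random_qr(self.n) for _ in range(k)]
        self.b = _random_qr(self.n)
        self.d = _random_qr(self.n)

    def public_key(self):
        return self.n, self.a, self.b, self.d

    def _fresh_e(self):
        """Random prime e with 2^(l+1) < e < 2^(l+2), invertible mod phi(n)."""
        while True:
            e = 2 ** (ELL + 1) + 1 + secrets.randbelow(2 ** (ELL + 1) - 1)
            if _is_prime(e) and math.gcd(e, self.phi) == 1:
                return e

    def sign_hidden(self, C, clear_msgs):
        """Sign hidden part C = prod a_i^{m_i} b^{s'} (first bases) plus clear
        messages (last bases): c = (d / (C prod a_j^{m_j} b^{s''}))^(1/e) mod n."""
        e = self._fresh_e()
        s2 = secrets.randbelow(self.n)        # integer s'' of about the size of n
        base = C % self.n
        first_clear = len(self.a) - len(clear_msgs)
        for a_j, m_j in zip(self.a[first_clear:], clear_msgs):
            base = base * pow(a_j, m_j, self.n) % self.n
        base = base * pow(self.b, s2, self.n) % self.n
        root = pow(e, -1, self.phi)           # 1/e mod phi(n)
        c = pow(self.d * pow(base, -1, self.n) % self.n, root, self.n)
        return c, e, s2

    def sign(self, msgs):
        """Plain CL signature on k clear messages (nothing hidden, C = 1)."""
        return self.sign_hidden(1, msgs)


def verify(pk, sig, msgs):
    """Check m_i in {0,1}^l, 2^(l+1) < e < 2^(l+2), d = c^e prod a_i^{m_i} b^s mod n."""
    n, a, b, d = pk
    c, e, s = sig
    if len(msgs) != len(a) or not 2 ** (ELL + 1) < e < 2 ** (ELL + 2):
        return False
    if any(not 0 <= m < 2 ** ELL for m in msgs):
        return False
    rhs = pow(c, e, n) * pow(b, s, n) % n     # a negative s is fine: pow inverts b
    for a_i, m_i in zip(a, msgs):
        rhs = rhs * pow(a_i, m_i, n) % n
    return rhs == d


def randomize(pk, sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    n, _, b, _ = pk
    c, e, s = sig
    t = secrets.randbelow(n)
    return c * pow(b, t, n) % n, e, s - e * t


def issue_on_hidden_key(issuer, sk, clear_msgs):
    """Issuance as on the slides: the user commits to sk as C = a_1^sk b^{s'},
    only C (plus the clear attributes) reaches the issuer, and the user folds
    the two randomizers into s = s' + s''.  The zero-knowledge proof that C is
    well formed is omitted here."""
    n, a, b, _ = issuer.public_key()
    s1 = secrets.randbelow(n)
    C = pow(a[0], sk, n) * pow(b, s1, n) % n
    c, e, s2 = issuer.sign_hidden(C, clear_msgs)
    return c, e, s1 + s2
```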
Privacy-protecting authentication with Privacy ABCs

[Figure: Alice's credential system is built from three building blocks: signature scheme, commitment scheme, zero-knowledge proofs.]

Commitment scheme
Commitment Scheme: Functionality

[Figure: the committer locks a message $m$ in a box (the commitment) and hands the box over; later she opens the box to reveal $m$.]

Commitment Scheme: Security

Binding: a commitment to $m$ cannot later be opened to a different message $m' \neq m$.

Hiding: for all messages $m, m'$, a commitment to $m$ is indistinguishable from a commitment to $m'$; the receiver learns nothing about the message until the opening.
Commitment Schemes

Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.

To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, \, g^r)$

To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^x h^r$
Pedersen's Commitment Scheme

Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.

Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then
$c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} \, h^{r - r'}$ for any $r'$.
I.e., given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$: the commitment is consistent with every message, so even an unbounded receiver learns nothing about $x$.

Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be such that $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e., two different openings reveal the discrete logarithm of $h$ to the base $g$.
Commitment Scheme: Extended Features

Proof of knowledge of contents: the committer proves that she knows the message $m$ inside a commitment.
Proof of relations among contents: the committer proves that the messages in two commitments satisfy a relation, e.g., $m_2 = 2 \cdot m_1$.

Let $C_1 = g^{m_1} h^{r_1}$ and $C_2 = g^{m_2} h^{r_2}$; then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$ proves knowledge of the contents of $C_1$, and
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \;\wedge\; C_2 = (g^2)^{\beta} h^{\gamma}\}$ proves that $C_2$ contains twice the message of $C_1$.
Putting things together

Realizing Pseudonyms and Key Binding

Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs – Concept: credentials (like PKI, but better)

[Figure: issuing a credential. The issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.]
Realizing Issuance of Credential

Recall: a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ satisfies
– $m_1, \ldots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e \, a_1^{m_1} \cdots a_k^{m_k} \, b^s \bmod n$

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ $d = c^e \, a_1^{sk} \, a_2^{m_2} \cdots a_k^{m_k} \, b^s \bmod n$

New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

The signer receives commitments to the hidden messages $m_1, \ldots, m_j$ together with the clear messages $m_{j+1}, \ldots, m_k$ and computes $\sigma = \mathrm{sig}((\mathrm{Com}(m_1), \ldots, \mathrm{Com}(m_j), m_{j+1}, \ldots, m_k), sk)$.

Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.

Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential

Issuer's public key: $n, a_i, b, d$.

1. The user computes $C = a_1^{sk} \, b^{s'} \bmod n$ and sends $C$ together with her name.
2. The user proves that $C$ is well formed: $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} \, b^{\sigma'}\}$.
3. The issuer chooses a prime $e$ and a random $s''$, computes $c = \left(\frac{d}{C \, a_2^{name} \, b^{s''}}\right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The resulting credential satisfies $d = c^e \, a_1^{sk} \, a_2^{name} \, b^{s'' + s'} \pmod n$, i.e., $(c, e, s'' + s')$ is a CL-signature on $(sk, name)$ although the issuer never saw $sk$.
Realizing Issuance of Credential

Want to sign w.r.t. $Nym = g^{sk} h^r$.

1. The user computes $Nym = g^{sk} h^r$ and $C = a_1^{sk} \, a_2^{r} \, b^{s'} \bmod n$ and sends $C$, $Nym$ and her name.
2. The user proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \;\wedge\; C = a_1^{\mu_1} \, a_2^{\rho} \, b^{\sigma'}\}$, which binds the committed secret key and randomness to the pseudonym.
3. The issuer stores $(Nym, name)$, chooses $e$ and $s''$, and computes $c = \left(\frac{d}{C \, a_3^{name} \, b^{s''}}\right)^{1/e} \bmod n$.
4. The credential satisfies $d = c^e \, a_1^{sk} \, a_2^{r} \, a_3^{name} \, b^{s'' + s'} \pmod n$.

An Example Scenario
Polling: Scenario and Requirements

Scenario: pollster(s) and a number of users.
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration

The user generates a pseudonym (her ID for registration) and obtains a credential on the pseudonym stating that she is eligible for polls, i.e., $(c, e, s)$ with
$d = c^e \, a_1^{sk} \, a_2^{r} \, a_3^{attr} \, b^s \pmod n$
under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
The credential can contain attributes (e.g., the course ID) about her.
Polling – Solution: Submit Poll

1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms (re-randomizes) her credential.
3. She presents the transformed credential together with a subset of the attributes
– the user is anonymous and unlinkable across polls
– multiple opinions from the same user are detected because the domain pseudonym is unique per user and poll
Polling – Solution: Polling

1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$.
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms her credential:
– $c' = c \, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \;\wedge\; d = c'^{\varepsilon} \, a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} \, b^{\sigma} \pmod n \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \;\wedge\; \varepsilon > 2^{\ell+1}\}(\mathit{opinion})$
Further Concepts

Concept – Inspection

[Figure: a trusted third party (TTP), the inspector, publishes inspector parameters; the presentation policy states the inspection grounds.]
• If the car is damaged, the renter's ID needs to be retrievable by the insurance or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen the trust placed in it.
Public Key Encryption

Key generation, encryption, decryption.

Security: like envelopes. The ciphertext gives no information about the message, not even which one of two candidate messages was encrypted.
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label

The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label yields a new ciphertext.

Verifiable Encryption

Of attributes (discrete logarithms):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme

Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.

To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, \, g^r)$

To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, \, g^r) = (g^{xr} m, \, g^r)$
– thus set $m' = c_1 \, c_2^{-x} = y^r m \, g^{-xr} = y^{r - r} m = m$
Realizing Inspection

User: $Nym = g^{sk} h^r$ and credential $d = c^e \, a_1^{sk} a_2^{r} a_3^{name} \, b^{s'' + s'} \pmod n$.
Inspector's public key: $y = g^x$.

Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u \, Nym, \, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c \, b^t \bmod n$ with randomly chosen $t$
– compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} \, a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} \, b^{\sigma} \;\wedge\; e_1 = y^{\rho} \, g^{\mu_1} h^{\mu_2} \;\wedge\; e_2 = g^{\rho} \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \;\wedge\; \varepsilon > 2^{\ell+1}\}$
The proof shows that the encrypted pseudonym is formed from the same $sk$ and $r$ that are certified in the credential, so the inspector can recover exactly the user's $Nym$ if the inspection grounds are met.
Revocation of credentials

Anonymous Credential Revocation

[Figure: the issuer publishes revocation information; the verifier looks it up.]
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user.

Pseudonyms → standard revocation lists don't work: the verifier never sees a fixed identifier it could look up.
Revocable Credentials: First Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e \, a_1^{sk} a_2^{u_i} \, b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.

Alice proves that her $u_i$ is on the list:
– choose a random $g$
– compute $U_j = g^{u_j}$ for all $u_j$ in $(u_1, \ldots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} \, a_1^{\rho} a_2^{\mu} \, b^{\sigma} \pmod n \;\wedge\; U_1 = g^{\mu}) \;\vee\; \ldots \;\vee\; (d = c^{\varepsilon} \, a_1^{\rho} a_2^{\mu} \, b^{\sigma} \pmod n \;\wedge\; U_k = g^{\mu})\}$

Not very efficient, i.e., linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e \, a_1^{sk} a_2^{u_i} \, b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.

Alice proves that her $u_i$ is not on the list:
– choose a random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} \, a_1^{\rho} a_2^{\mu} \, b^{\sigma} \pmod n \;\wedge\; U = h^{\mu}\}$
– the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list

Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution

Variation: the verifier could choose $h$ and keep it fixed for a while.
– It can pre-compute the list $U_i = h^{u_i}$ → a single table lookup per presentation.
– BUT if the user comes again, the verifier can link her visits.
– ALSO the verifier could refrain from ever changing $h$, or use the same $h$ as other verifiers, making visits linkable across verifiers.
– One way out: $h = H(\mathit{verifier}, \mathit{date})$, so the user can check its correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof

[Figure: revocation list $\{1, 4, 5\}$; the issuer signs the intervals between revoked values: $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$.]
– The issuer signs the intervals between revoked values.
– A user whose credential ID is 3 proves that she knows $i, j$ and $Sig(i,j)$ with $i < 3 < j$, i.e., that her ID lies in an interval containing no revoked value.
– The verifier does not learn $i, j$.
– $Sig(i,j)$ can be realised with the credential signature scheme as well, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators

[Figure: the accumulator contains the serial numbers 1, 2, 3, 4, 5, 6.]
– Credentials contain a random serial number.
– The issuer accumulates all good serial numbers.
– A user proves that the serial number in her credential is included in the accumulator; the proof requires a witness.
– To revoke serial number 2, the issuer publishes a new accumulator (without 2) and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.

Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– the witness value $x$ for $e_j$, s.t. $z = x^{e_j} \bmod n$, can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$

Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution

Security of the accumulator: it must be infeasible to show an $x$ with $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption
– For any $e$: equivalent to the Strong RSA assumption

Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ with her certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x \, h^s$, $U_2 = g^s$ and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} \, a_1^{\rho} a_2^{\mu} \, b^{\sigma} \pmod n \;\wedge\; z = U_1^{\mu} (1/h)^{\xi} \pmod n \;\wedge\; 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \;\wedge\; U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution

Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$, so $U_1 / h^{\delta}$ is a witness for the exponent $\mu$
  c) $d = c^{\varepsilon} \, a_1^{\rho} a_2^{\mu} \, b^{\sigma} \pmod n$, so the same $\mu$ is the $e$ certified in the credential
Revocation: Third Solution – Dynamic Accumulator

When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator

When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– witness update:
  • use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a \, e_{own} + b \, e_{rev} = 1$
  • now $x' = x^b \, z'^a \bmod n$
  • why: $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
    $= ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b \, e_{rev}} \, (z'^{e_{rev}})^{a \, e_{own}})^{1/e_{rev}} \bmod n = (z^{b \, e_{rev}} \, z^{a \, e_{own}})^{1/e_{rev}} \bmod n$
    $= z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
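The accumulator arithmetic from the Third Solution slides (accumulate, witness, verify, join, revoke, and the user-side witness updates $x' = x^{e_{new}}$ and $x' = x^b z'^a$), as an added Python example that is not code from the slides. It assumes toy safe primes $p = 1019$, $q = 1187$, seed $v = 4$ and small prime serial numbers; the zero-knowledge proof that a committed $e$ is accumulated is not implemented, only the relations it relies on.

```python
"""Dynamic RSA accumulator for credential revocation, as on the Third Solution
slides: serial numbers are primes e_i, z = v^{prod e_i} mod n, a witness x for
e satisfies z = x^e mod n, and witnesses are updated when members join
(x' = x^{e_new}) or are revoked (x' = x^b z'^a with a e_own + b e_rev = 1).
Added example, not the slides' code; toy safe primes p, q chosen for speed."""


def _egcd(a, b):
    """Extended Euclid: returns (g, u, w) with u*a + w*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, w = _egcd(b, a % b)
    return g, w, u - (a // b) * w


class Accumulator:
    """Issuer side.  Knows the factors of n (needed for deletion, z^{1/e_rev})."""

    def __init__(self, p, q, v):
        self.n = p * q
        self.phi = (p - 1) * (q - 1)          # trapdoor, never published
        self.v = v % self.n                   # seed, a quadratic residue
        self.z = self.v                       # empty accumulator
        self.members = []

    def add(self, e_new):
        """Join: z' = z^{e_new} mod n (every existing witness becomes stale)."""
        self.members.append(e_new)
        self.z = pow(self.z, e_new, self.n)

    def delete(self, e_rev):
        """Revoke: z' = z^{1/e_rev} = v^{prod of the remaining e_i} mod n."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, self.phi), self.n)

    def witness(self, e_j):
        """x = v^{e_1 ... e_{j-1} e_{j+1} ... e_k} mod n, so that z = x^{e_j} mod n."""
        exp = 1
        for e in self.members:
            if e != e_j:
                exp *= e
        return pow(self.v, exp, self.n)

    def verify(self, e, x):
        """Verifier check: the value e is accumulated iff z = x^e mod n."""
        return pow(x, e, self.n) == self.z


# --- user-side witness updates; neither needs the trapdoor ---
def update_after_add(x, e_new, n):
    return pow(x, e_new, n)                   # x' = x^{e_new}


def update_after_delete(x, e_own, e_rev, z_new, n):
    """a e_own + b e_rev = 1  =>  x' = x^b z'^a satisfies x'^{e_own} = z'."""
    g, a, b = _egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("serial numbers must be distinct primes")
    return pow(x, b, n) * pow(z_new, a, n) % n   # negative exponent: modular inverse


def demo():
    """Four credentials, one join, one revocation; returns the four checks."""
    acc = Accumulator(1019, 1187, v=4)        # constructed toy parameters
    for e in (5, 7, 13, 17):                  # prime serial numbers of 4 credentials
        acc.add(e)
    n = acc.n
    x7 = acc.witness(7)
    ok_initial = acc.verify(7, x7)
    acc.add(19)                               # a fifth credential is issued
    x7 = update_after_add(x7, 19, n)
    ok_after_join = acc.verify(7, x7)
    acc.delete(13)                            # credential 13 is revoked
    x7 = update_after_delete(x7, 7, 13, acc.z, n)
    ok_after_revoke = acc.verify(7, x7)
    stale_13 = pow(acc.v, 5 * 7 * 17 * 19, n)  # 13's last valid witness
    revoked_still_ok = acc.verify(13, stale_13)
    return ok_initial, ok_after_join, ok_after_revoke, revoked_still_ok
```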
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution

Re-issue certificates (off-line – interaction might be too expensive).

Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} \, b^{s'}$; the issuer chooses $e, s''$ and computes
$c = \left(\frac{d}{U \, a_3^{m_3} a_4^{time} \, b^{s''}}\right)^{1/e} \bmod n$
and returns $(c, e, s'')$.

Idea: just repeat the last step for each new time period $time_i$: choose $e_i, s_i''$ and compute
$c_i = \left(\frac{d}{U \, a_3^{m_3} a_4^{time_i} \, b^{s_i''}}\right)^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions

Roadmap
– explain possibilities to engineers, policy makers, etc.
– usable prototypes
– provide transparency
– public infrastructure for privacy protection
– laws with teeth (encourage investment in privacy)

Challenges
– Internet services get paid with personal data (inverse incentive)
– end users are not able to handle their data (user interfaces)
– security technology is typically invisible and hard to sell

Towards a secure information society
– society changes quickly and gets shaped by technology
– consequences are hard to grasp (time will show)
– we must inform and engage in a dialog

Thank you!

eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References

D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Towards Realizing Anonymous Creds

A Software Stack View on Identity Mixer

[Figure: three layers on both the user and the verifier side. Application layer: the user's resource request, the verifier's presentation policy, the user's presentation token, and the AC & app logic. Policy layer – the user's Wallet: policy/credential matcher, credential manager, store, evidence generation orchestration; the verifier: policy/token matcher, token manager, store, evidence verification orchestration. Crypto layer: Sig, Enc, Com, ZKP on both sides, plus a store.]
Privacy-protecting authentication with Privacy ABCs

[Figure: the issuer (issuer parameters) issues a credential to the user according to a credential specification; the user holds a pseudonym and, in response to the verifier's presentation policy (verifier parameters), e.g. "12 < age", derives a presentation token.]
The Policy Layer – An Example Presentation Policy

[Figure: the verifier sends the presentation policy to the user; the user answers with a presentation token.]

  <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
    <abc:Message>
      <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
    </abc:Message>
    <abc:Credential Alias="voucher">
      <abc:CredentialSpecAlternatives>
        <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
      </abc:CredentialSpecAlternatives>
      <abc:IssuerAlternatives>
        <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
      </abc:IssuerAlternatives>
    </abc:Credential>
    <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
      <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
      <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
    </abc:AttributePredicate>
  </abc:PresentationPolicy>

The policy asks for a voucher credential of the given specification from the given issuer and requires that its Expires attribute is at or after 2014-06-17T14:06:00Z; the user proves this predicate in the presentation token without revealing the exact expiry date.
So let's look at the cryptography

Required Technologies
– encryption schemes
– signature schemes
– commitment schemes
– zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs
Zero-Knowledge Proofs

An interactive proof between a prover and a verifier about the prover's knowledge.

Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier

[Figure: three-move protocol – commitment, challenge, response.]
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.

Prover: choose random $r$, compute $t = g^r$, send $t$.
Verifier: choose random $c$, send $c$.
Prover: compute $s = r - cx$, send $s$.
Verifier: check $t = g^s y^c$.

Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs

Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.

Run the prover twice from the same commitment $t$, with challenges $c$ and $c'$, obtaining responses $s$ and $s'$:
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security

Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
– Choose random $c', s'$ and compute $t = g^{s'} y^{c'}$; send $t$.
– Receive $c$; if $c = c'$ send $s = s'$, otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

One way to modify the protocol to get a large domain for $c$:

Verifier: choose random $c, v$, compute $h = H(c, v)$, send $h$ (a commitment to the challenge).
Prover: choose random $r$, compute $t = g^r$, send $t$.
Verifier: send $c, v$.
Prover: check $h = H(c, v)$, compute $s = r - cx$, send $s$.
Verifier: check $t = g^s y^c$.

Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security

One way to modify the protocol to get a large domain for $c$ – simulating the modified protocol:
– Receive $h$; choose random $c', s'$, compute $t = g^{s'} y^{c'}$ and send $t$.
– Receive $c, v$; after having received $c$, "reboot" the verifier (as a black box with fixed random tape it sends the same $h$ and, later, the same $c, v$ again).
– Choose random $s$, compute $t = g^{s} y^{c}$ and send $t$.
– Receive $c, v$ again and send $s$.
From Protocols to Signatures

Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$ and $s = r - cx \bmod q$
– output $(c, s)$

Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$

Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"

Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
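The Schnorr protocol, the rewinding extractor and the Fiat-Shamir signature from the zero-knowledge slides above, as an added Python example that is not code from the slides. It assumes a constructed toy prime-order group (a safe prime $p = 2q+1$ with $q$ around $2^{40}$, found at import time, generator $g = 4$) and SHA-256 in the role of $H$; real deployments use standardised, far larger groups.

```python
"""Schnorr proof of knowledge PK{(alpha): y = g^alpha} as on the slides: the
three-move protocol, the knowledge extractor that rewinds a prover to a
second challenge, and the Fiat-Shamir signature SPK{(alpha): y = g^alpha}(m).
Added example, not the slides' code.  The group is a toy prime-order subgroup
found at import time; real deployments use standardised, much larger groups."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    if any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(start):
    """Smallest q >= start with q and p = 2q + 1 prime.  g = 4 = 2^2 is a
    quadratic residue != 1, hence generates the order-q subgroup of Z_p^*."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = _safe_prime_group(2 ** 40)      # constructed toy group (~40-bit q)


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret x in [1, q-1]
    return x, pow(G, x, P)                    # (x, y = g^x)


# --- the interactive protocol: commitment t, challenge c, response s ---
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                    # keep r, send t = g^r

def verifier_challenge():
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    return (r - c * x) % Q                    # s = r - c x mod q

def verify(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P   # accept iff t = g^s y^c

def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts on the same t with
    c1 != c2 give g^s1 y^c1 = g^s2 y^c2, so x = (s2 - s1)/(c1 - c2) mod q."""
    if (c1 - c2) % Q == 0:
        raise ValueError("challenges must differ")
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


# --- Fiat-Shamir: the challenge is the hash of commitment and message ---
def _challenge(t, m):
    digest = hashlib.sha256(str(t).encode() + b"||" + m).digest()
    return int.from_bytes(digest, "big") % Q

def spk_sign(x, m):
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = _challenge(t, m)                      # c = H(g^r || m)
    return c, (r - c * x) % Q                 # signature (c, s)

def spk_verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P       # recompute t = g^s y^c
    return c == _challenge(t, m)              # and check c = H(t || m)


def demo():
    """Honest run, extraction from a rewound prover, and an SPK on an opinion."""
    x, y = keygen()
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    accepted = verify(y, t, c, s)
    # rewinding: same t, a second challenge -> the two responses leak x
    c2 = (c + 1) % Q
    extracted = extract(c, s, c2, prover_respond(x, r, c2)) == x
    opinion = b"course evaluation: 5/5"
    sig = spk_sign(x, opinion)
    return accepted, extracted, spk_verify(y, opinion, sig), spk_verify(y, b"1/5", sig)
```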
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations:
$PK\{(\alpha, \beta): y = g^{\alpha} \;\wedge\; z = g^{\beta} \;\wedge\; u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta): y = g^{\alpha} \;\vee\; z = g^{\beta}\}$

Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^{\alpha}\}(m)$

Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$

Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^{\alpha} \;\wedge\; \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^{\alpha} \;\wedge\; z = g'^{\alpha} \;\wedge\; \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(g'))]\}$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be group elements.

Now, what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
  $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
  $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$

And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be group elements.

Now, what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
  $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
  $C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
  $C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$

And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis

Let $g, h, C_1, C_2, C_3$ be group elements.

Now, what does $PK\{(\alpha_1, \ldots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
  $C_1 = g^{\alpha_1} h^{\beta_1}$
  $g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2 \, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 \, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
  $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
  $C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs

[Figure: Alice's credential system is built from three building blocks: signature scheme, commitment scheme, zero-knowledge proofs.]

Signature schemes

Signature Scheme: Functionality

Key generation: the signer generates a key pair, a secret signing key $sk$ and a public verification key $pk$.
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
(figure: issuer public key n, a_i, b, d; the user sends C and her name, the issuer returns (c, e, s''))
User: C = a1^{sk} b^{s'} and proves PK{(μ1, σ'): C = a1^{μ1} b^{σ'}}
Issuer: chooses a prime e and a random s'' and computes c = (d / (C a2^{name} b^{s''}))^{1/e} mod n
Result: d = c^e a1^{sk} a2^{name} b^{s'' + s'} (mod n), i.e. (c, e, s' + s'') is a signature on (sk, name) although the issuer never saw sk
Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} h^r
(figure: issuer public key n, a_i, b, d; the user sends C, Nym and her name, the issuer returns (c, e, s''))
User: Nym = g^{sk} h^r, C = a1^{sk} a2^r b^{s'} and proves PK{(μ1, ρ, σ'): Nym = g^{μ1} h^ρ ∧ C = a1^{μ1} a2^ρ b^{σ'}}
Issuer: stores (Nym, name), chooses e, s'' and computes c = (d / (C a3^{name} b^{s''}))^{1/e} mod n
Result: d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n)
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous; a user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a1^{sk} a2^r a3^{attr} b^s (mod n) w.r.t. the issuer public key (n, a1, a2, a3, b, d)
– The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential:
   – c' = c b^{s'} mod n with randomly chosen s'
   – SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
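As an added example (my own code, not the deck's or Identity Mixer's), the pollster side of steps 1 and 3: the domain pseudonym P = H(pollID)^{sk} is computed in a toy group, and the verifier drops a second submission under the same P while the same user gets an unrelated P in another poll. The hash-to-group encoding, the class and parameter names and the sample values are assumptions; the SPK that ties P to a valid credential is not implemented here.

```python
import hashlib

# Toy group, constructed for this example (safe prime p = 2q + 1, g of order q).
P, Q, G = 10007, 5003, 4


def hash_to_group(poll_id: str) -> int:
    """H(pollID): deterministic map of the domain string into the order-q subgroup.
    Constructed encoding (the deck only writes H(pollID)): hash to Z_p and square,
    since every square != 1 has order q when p is a safe prime; retry on 0 or 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{poll_id}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g_d not in (0, 1):
            return g_d
        counter += 1


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = g_d^{sk} with g_d = H(pollID): fixed per (user, poll), unlinkable across polls under DDH."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Verifier side of 'Submit Poll': one opinion per domain pseudonym.  The SPK showing
    that the pseudonym belongs to a valid credential is assumed to have been verified."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.opinions = {}          # domain pseudonym -> opinion

    def submit(self, pseudonym: int, opinion: str) -> bool:
        if pseudonym in self.opinions:
            return False            # subsequent attempts by the same user are dropped
        self.opinions[pseudonym] = opinion
        return True


if __name__ == "__main__":
    poll = Pollster("course-eval-2014")
    alice_sk = 1234
    print(poll.submit(domain_pseudonym(alice_sk, poll.poll_id), "5/5"))   # True
    print(poll.submit(domain_pseudonym(alice_sk, poll.poll_id), "1/5"))   # False: duplicate
    print(domain_pseudonym(alice_sk, "course-eval-2014") == domain_pseudonym(alice_sk, "exam-2015"))  # False
```

The pollster never sees sk or the registration pseudonym; it stores only P per poll, so a leaked opinions table from one poll cannot be joined with another poll's table.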
Further Concepts
Concept – Inspection
(figure: user, verifier and an off-line trusted third party (TTP) with inspector parameters and inspection grounds)
• If the car is damaged, the ID can be retrieved by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
(figure: key generation, encryption, decryption)
Security: like envelopes, a ciphertext gives no information about the message.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label is a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
– we know c = (y^r m, g^r) = (g^{xr} m, g^r)
– thus set m = c1 · c2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
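As an added example (my own code, not the deck's), the scheme above in a toy group, used the way the inspection slides use it: a pseudonym Nym = g^{sk} h^r is encrypted under the inspector's key y = g^x and recovered with c1 · c2^{-x}. The parameter names, the optional r argument (only so the test is deterministic) and the sample values are assumptions.

```python
import secrets

# Toy group, constructed for this example (safe prime p = 2q + 1, g of order q).
P, Q, G = 10007, 5003, 4


def keygen():
    """Inspector key pair: secret x in {1, ..., q-1}, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m, r=None):
    """ElGamal: c = (y^r m, g^r).  m must be a group element, e.g. Nym = g^sk h^r.
    r is drawn fresh per ciphertext; it can be passed explicitly only for tests."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(y, r, P) * m % P, pow(G, r, P))


def decrypt(x, c):
    """m = c1 * c2^{-x} = y^r m g^{-xr} = m   (pow with a negative exponent: Python >= 3.8)."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P


def demo():
    x, y = keygen()
    h = pow(G, 77, P)                           # second base of the pseudonym (constructed)
    nym = pow(G, 1234, P) * pow(h, 999, P) % P  # Nym = g^sk h^r with sk = 1234, r = 999
    c_a, c_b = encrypt(y, nym), encrypt(y, nym)
    # both ciphertexts decrypt to Nym although they look unrelated (fresh r each time)
    return decrypt(x, c_a) == nym and decrypt(x, c_b) == nym


if __name__ == "__main__":
    print("ElGamal round trip ok:", demo())
```

Two encryptions of the same Nym differ in both components, which is what "secure if used once only" on the envelope slide refers to: without fresh randomness the verifier could match ciphertexts across presentations.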
Realizing Inspection
(figure: the user holds Nym = g^{sk} h^r and the credential d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n); the inspector's public key is y = g^x)
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof
  PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential / secret key, misbehavior of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for u_j in (u1, ..., uk)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– The verifier checks that U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_j = h^{u_j} → single table lookup
– BUT if the user comes again, the verifier can link her; ALSO the verifier could refrain from changing h at all, or use the same h as other verifiers
– One way out: h = H(verifier, date), so the user can check that h was formed correctly
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
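As an added example (my own code, not the deck's), the verifier's table lookup from the second solution and the linkability caveat above: with one fixed h the same user sends the same U = h^{u_i} on every visit, whereas h = H(verifier, date) changes U per day. The way h is derived from the hash, the function names and the sample IDs are assumptions; the PK that u_i sits inside a valid credential is not implemented.

```python
import hashlib

# Toy group, constructed for this example (safe prime p = 2q + 1, g of order q).
P, Q, G = 10007, 5003, 4


def verifier_base(verifier_id: str, date: str) -> int:
    """h = H(verifier, date).  The deck only says h is derived by hashing; here
    (constructed) h = g^{H(verifier|date) mod q}, which any user can recompute and check."""
    digest = hashlib.sha256(f"{verifier_id}|{date}".encode()).digest()
    return pow(G, int.from_bytes(digest, "big") % (Q - 1) + 1, P)


def user_value(h: int, u_i: int) -> int:
    """User side: U = h^{u_i}.  The PK that u_i is the ID inside her credential is not
    implemented here (assumed verified)."""
    return pow(h, u_i, P)


def precompute_blacklist(h: int, revoked: list) -> set:
    """Verifier side, once per h: U_j = h^{u_j} for every revoked u_j (the linear work)."""
    return {pow(h, u, P) for u in revoked}


def is_revoked(U: int, table: set) -> bool:
    """Single table lookup: U == h^{u_j} for some revoked u_j."""
    return U in table


def linkable(U_visit1: int, U_visit2: int) -> bool:
    """The caveat on the slide: under a fixed h the same user always sends the same U,
    so two visits are trivially linkable.  Changing h per date breaks this."""
    return U_visit1 == U_visit2


if __name__ == "__main__":
    revoked_ids = [17, 23, 99]                       # constructed revocation list
    h = verifier_base("movies.com", "2015-08-11")
    table = precompute_blacklist(h, revoked_ids)
    print(is_revoked(user_value(h, 23), table))      # True: revoked
    print(is_revoked(user_value(h, 42), table))      # False: still valid
    h_next = verifier_base("movies.com", "2015-08-12")
    print(linkable(user_value(h, 42), user_value(h_next, 42)))   # False: fresh h per day
```

Because the user can recompute `verifier_base` herself, she can refuse to answer under an h that does not match the verifier's identity and the current date, which is the check the slide has in mind.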
Revocable Credentials: Second Solution – ... better implementation of the proof
(figure: revoked serial numbers 1, 4, 5 on a number line 0 ... N; the issuer signs the intervals between them: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); the example credential contains 3)
– The issuer signs the intervals between revoked serial numbers → revocation list {1, 4, 5}
– The user proves that her credential contains a serial number u with i < u < j and that she knows Sig(i, j)
– The verifier does not learn i, j
– Sig(i, j) can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution – using cryptographic accumulators
(figure: an accumulator containing the serial numbers 1, ..., 6; Alice's credential contains 2 and she proves that 2 is included in the accumulator)
– Credentials contain a random serial number
– The issuer accumulates all good serial numbers
– The proof that a value is included in the accumulator requires a witness
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{∏ e_i} mod n
– publish z and n
– the witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with her certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your value e is in the accumulator:
– Commit to x:
  • choose random s and g, and
  • compute U1 = x h^s, U2 = g^s, and reveal U1, U2, g
– Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed:
  • (U1, U2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 / h^δ)^μ (mod n)
  c) d = c^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{∏ e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^{∏_{i ≠ rev} e_i} = z^{1/e_rev} mod n
– Witness:
  • Use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
  • Now x' = x^b z'^a mod n
  • Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b z'^a)^{e_own · e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b·e_rev} (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n = (z^{b·e_rev} z^{a·e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– Recall z = v^{∏ e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
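As an added worked example (my own code, not the deck's or Identity Mixer's) of the dynamic accumulator slides: accumulating primes into z = v^{∏ e_i}, witness computation, the witness update x' = x^{e_new} when a member joins, the issuer's root z' = z^{1/e_rev} on revocation, and the user's own update x' = x^b z'^a from a·e_own + b·e_rev = 1 by the extended Euclidean algorithm. The toy modulus (two known 30-bit primes), the class layout and the sample serials 11, 13, 17 are assumptions; a real accumulator uses a modulus of at least 2048 bits and the proof-of-membership protocol from the slides, which is not implemented here.

```python
from math import gcd
import secrets

# Toy RSA modulus, constructed for this example: two known primes so the issuer can take
# e-th roots.  A real accumulator uses a >= 2048-bit modulus whose factorisation only the
# issuer holds; the algebra is identical.
P_FACTOR, Q_FACTOR = 10**9 + 7, 10**9 + 9
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)


def ext_euclid(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_euclid(b, a % b)
    return g, y, x - (a // b) * y


class Issuer:
    def __init__(self):
        self.v = pow(secrets.randbelow(N - 2) + 2, 2, N)   # seed v in QR_n
        self.z = self.v                                    # accumulator of the empty set
        self.members = []                                  # accumulated primes e_i

    def add(self, e):
        """Dynamic add: z' = z^{e_new}; every existing witness must become x' = x^{e_new}."""
        assert e not in self.members and gcd(e, PHI) == 1
        self.members.append(e)
        self.z = pow(self.z, e, N)

    def witness(self, e):
        """x = v^{product of all other e_i}, so that x^e = z."""
        x = self.v
        for other in self.members:
            if other != e:
                x = pow(x, other, N)
        return x

    def revoke(self, e):
        """Only the issuer, knowing phi(n), can compute z' = z^{1/e_rev}."""
        self.members.remove(e)
        self.z = pow(self.z, pow(e, -1, PHI), N)


def verify(z, x, e):
    """Verifier check from the slide: z == x^e mod n."""
    return pow(x, e, N) == z


def update_witness_after_add(x, e_new):
    return pow(x, e_new, N)


def update_witness_after_revoke(x, e_own, e_rev, z_new):
    """a*e_own + b*e_rev = 1 (ext. Euclid); then x' = x^b * z'^a satisfies x'^{e_own} = z'.
    b may be negative: pow() with a negative exponent and modulus needs Python >= 3.8."""
    g, a, b = ext_euclid(e_own, e_rev)
    assert g == 1
    return pow(x, b, N) * pow(z_new, a, N) % N


def demo():
    issuer = Issuer()
    e_alice, e_bob, e_carol = 11, 13, 17       # constructed credential serials (distinct primes)
    for e in (e_alice, e_bob):
        issuer.add(e)
    x_alice = issuer.witness(e_alice)
    assert verify(issuer.z, x_alice, e_alice)
    issuer.add(e_carol)                        # Carol joins: Alice updates her witness herself
    x_alice = update_witness_after_add(x_alice, e_carol)
    assert verify(issuer.z, x_alice, e_alice)
    x_bob = issuer.witness(e_bob)
    issuer.revoke(e_bob)                       # Bob is revoked: Alice updates without issuer help
    x_alice = update_witness_after_revoke(x_alice, e_alice, e_bob, issuer.z)
    assert verify(issuer.z, x_alice, e_alice)
    assert not verify(issuer.z, x_bob, e_bob)  # Bob's old witness no longer matches the new z
    return True


if __name__ == "__main__":
    print("dynamic accumulator demo ok:", demo())
```

Note that neither update function needs the factorisation of n: users only need the new accumulator value and the prime that was added or removed, which is exactly what the issuer publishes.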
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– the user sends U = a1^{m1} a2^{m2} b^{s'}
– the issuer chooses e, s'' and computes c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n, returning (c, e, s'')
Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
– choose e_i, s_i''
– c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– Camenisch and Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– Ateniese, Song and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
A Software Stack View on Identity Mixer
(figure: three layers on both the user and the verifier side. Application layer: the user's resource request, the verifier's presentation policy and the returned presentation token, with AC & app logic on the verifier side. Policy layer: on the user side a wallet with credential manager and store, a policy/credential matcher and evidence generation orchestration; on the verifier side a token manager and store, a policy/token matcher and evidence verification orchestration. Crypto layer on both sides: Sig, Enc, Com, ZKP, with a store.)
Privacy-protecting authentication with Privacy ABCs
(figure: the issuer parameters and the credential specification define the credential; the verifier parameters define the presentation policy, e.g. 12 < age; the user answers the verifier's presentation policy with a presentation token that may carry a pseudonym)
User → Verifier: presentation policy is received, presentation token is returned
The Policy Layer – An Example Presentation Policy
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So let's look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.
Zero-knowledge proofs
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
(figure: three moves – commitment, challenge, response)
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group <g> and an element y ∈ <g>.
The prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.
Prover: random r, t = g^r → sends t
Verifier: random c → sends c
Prover: s = r − cx → sends s
Verifier checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rewinding gives two accepting transcripts (t, c, s) and (t, c', s') with the same t and c ≠ c':
t = g^s y^c = g^{s'} y^{c'} → y^{c−c'} = g^{s'−s}
→ y = g^{(s'−s)/(c−c')}
→ x = (s'−s)/(c−c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees":
– choose random c', s' and compute t = g^{s'} y^{c'}; send t
– if the verifier's c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier: random c, v; h = H(c, v) → sends h
Prover: random r, t = g^r → sends t
Verifier: sends c, v
Prover: checks h = H(c, v), s = r − cx → sends s
Verifier checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c – simulation:
– receive h; choose random c', s', compute t = g^{s'} y^{c'} and send t
– after having received c, v, "reboot" the verifier (it sends the same h again)
– choose random s', compute t = g^{s'} y^c and send t; then send s = s'
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r − cx (mod q)
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
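As an added worked example (my own code, not the deck's), the three slides above in one place: the interactive PK{(α): y = g^α} with the deck's t = g^r, s = r − cx, t = g^s y^c convention; the knowledge extractor that rewinds the prover to a second challenge and recovers x = (s'−s)/(c−c'); and the Fiat-Shamir signature SPK{(α): y = g^α}(m) with c = H(g^r || m). Toy group parameters, function names and the sample secrets are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for this example (safe prime p = 2q + 1, g of order q).
P, Q, G = 10007, 5003, 4


class Prover:
    """Honest prover for PK{(α): y = g^α}; keeps r between the two messages."""

    def __init__(self, x):
        self.x, self.y = x, pow(G, x, P)

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)           # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q   # s = r - c x


def verify(y, t, c, s):
    """Verifier check: t == g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts with the same t and c != c'
    give y^{c-c'} = g^{s'-s}, i.e. x = (s' - s)/(c - c') mod q."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def rewind_demo(x):
    """Treat the prover as a black box: run it, reset it to the same r, run it again."""
    prover = Prover(x)
    t = prover.commit()
    c1 = secrets.randbelow(Q)
    s1 = prover.respond(c1)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q     # a different challenge, same r
    s2 = prover.respond(c2)
    assert verify(prover.y, t, c1, s1) and verify(prover.y, t, c2, s2)
    return extract(c1, s1, c2, s2)


def _hash_challenge(t, m):
    """c = H(t || m) reduced into Z_q (t < p < 2^16, so two bytes suffice in this toy group)."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(2, "big") + m).digest(), "big") % Q


def spk_sign(x, m):
    """SPK{(α): y = g^α}(m): Fiat-Shamir, c = H(g^r || m), s = r - c x."""
    r = secrets.randbelow(Q)
    c = _hash_challenge(pow(G, r, P), m)
    return c, (r - c * x) % Q


def spk_verify(y, m, sig):
    """Recompute t = g^s y^c and check c == H(t || m)."""
    c, s = sig
    return c == _hash_challenge(pow(G, s, P) * pow(y, c, P) % P, m)


if __name__ == "__main__":
    x = 1234
    print("extracted x:", rewind_demo(x))                        # 1234
    sig = spk_sign(x, b"course evaluation: 5/5")
    print("signature valid:", spk_verify(pow(G, x, P), b"course evaluation: 5/5", sig))   # True
```

`rewind_demo` is the soundness argument run for real: nothing in the protocol messages reveals x, yet a party that can replay the prover on a fixed r does learn it, which is why a real prover must never reuse r.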
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = ĝ^α ∧ α ∈ [0, min(ord(g), ord(ĝ))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}} mean?
→ The prover knows values α1, β1, α2, β2, α3, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = g^{α1} g^{α2} h^{β3} = g^{α1 + α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, ..., β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5α2} h^{β3} = g^{α1 + 5α2} h^{β3}
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, ..., β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{β3}} mean?
→ The prover knows values α1, β1, α2, β2, α3, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2} and
  C3 = C2^{α1} h^{β3} = (g^{α2} h^{β2})^{α1} h^{β3} = g^{α2·α1} h^{β3 + β2·α1}
  C3 = g^{α2·α1} h^{β3 + β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, β2): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{β2}}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, ..., β2): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β2}} mean?
→ The prover knows values α1, β1, β2 such that
  C1 = g^{α1} h^{β1}
  g = (C2/C1)^{α1} h^{β2} = (C2 g^{-α1} h^{-β1})^{α1} h^{β2}
→ g^{1/α1} = C2 g^{-α1} h^{-β1} h^{β2/α1}
  C2 = g^{α1} h^{β1} h^{-β2/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 − β2/α1}
  C2 = g^{α2} h^{β2}
→ α2 = α1 + α1^{-1} (mod q)
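As an added worked example (my own code, not the deck's) of the first analysis slide: a non-interactive proof of PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}} in a toy group. It makes concrete why the statement implies α3 = α1 + α2: the prover must use one response per Greek letter, so the fourth equation only verifies when the exponents really add up, and a prover who committed to a different α3 is rejected. The Fiat-Shamir hashing, the fixed second base h, the function names and the sample values are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for this example (safe prime p = 2q + 1, g of order q).
P, Q, G = 10007, 5003, 4
H_BASE = pow(G, 1234, P)   # second base h; in practice log_g h must be unknown to the prover


def commit(alpha, beta):
    """Pedersen-style C = g^alpha h^beta mod p."""
    return pow(G, alpha, P) * pow(H_BASE, beta, P) % P


def challenge(*elems):
    """Fiat-Shamir challenge over the statement and the t-values (all < p < 2^16)."""
    data = b"".join(e.to_bytes(2, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_sum(alpha1, beta1, alpha2, beta2, beta3, alpha3=None):
    """Prover for the four-equation statement; alpha3 defaults to alpha1 + alpha2.
    Passing another alpha3 models a cheating prover (the proof will not verify)."""
    if alpha3 is None:
        alpha3 = (alpha1 + alpha2) % Q
    C1, C2, C3 = commit(alpha1, beta1), commit(alpha2, beta2), commit(alpha3, beta3)
    ra1, rb1, ra2, rb2, ra3, rb3 = (secrets.randbelow(Q) for _ in range(6))
    t1 = commit(ra1, rb1)
    t2 = commit(ra2, rb2)
    t3 = commit(ra3, rb3)
    t4 = pow(G, ra1, P) * pow(G, ra2, P) % P * pow(H_BASE, rb3, P) % P   # shares r for α1, α2, β3
    c = challenge(C1, C2, C3, t1, t2, t3, t4)
    witnesses = ((ra1, alpha1), (rb1, beta1), (ra2, alpha2), (rb2, beta2), (ra3, alpha3), (rb3, beta3))
    responses = tuple((r - c * w) % Q for r, w in witnesses)      # s = r - c·w, one per letter
    return (C1, C2, C3), (c, responses)


def verify_sum(commitments, proof):
    """Recompute every t from the responses and check the challenge.  The fourth line
    reuses the responses for α1, α2 and β3, which is what ties the equations together."""
    C1, C2, C3 = commitments
    c, (sa1, sb1, sa2, sb2, sa3, sb3) = proof
    t1 = commit(sa1, sb1) * pow(C1, c, P) % P
    t2 = commit(sa2, sb2) * pow(C2, c, P) % P
    t3 = commit(sa3, sb3) * pow(C3, c, P) % P
    t4 = pow(G, sa1, P) * pow(G, sa2, P) % P * pow(H_BASE, sb3, P) % P * pow(C3, c, P) % P
    return c == challenge(C1, C2, C3, t1, t2, t3, t4)


if __name__ == "__main__":
    comms, proof = prove_sum(3, 5, 7, 9, 11)
    print("honest proof verifies:", verify_sum(comms, proof))              # True
    comms_bad, proof_bad = prove_sum(3, 5, 7, 9, 11, alpha3=12)             # 3 + 7 != 12
    print("cheating proof verifies:", verify_sum(comms_bad, proof_bad))    # False
```

Algebraically, the recomputed fourth t equals the prover's only if g^{c(α3 − α1 − α2)} = 1, so the relation holds modulo q exactly as the slide concludes.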
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs)
Signature schemes
Signature Scheme: Functionality
– Key generation: the signer generates a signing key and a public verification key (figure)
– Signing: on messages (m1, ..., mk) the signer computes σ = sig((m1, ..., mk)) with the signing key
– Verification: with the public key, ver(σ, (m1, ..., mk)) = true
Signature Scheme: Security
Unforgeability under adaptive chosen message attack (figure):
– the adversary adaptively asks for signatures σ1, ..., σl on messages m1, ..., ml of its choice
– it wins if it outputs σ and m ≠ m_i s.t. ver(σ, m) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, prime e, and collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*:
  d = 1/e mod (p−1)(q−1)
  s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: the factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
– choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute c:
  c = (d / (a1^{m1} ··· ak^{mk} b^s))^{1/e} mod n
– the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
– d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^{m1} a2^{m2} b^s mod n
Observe:
– Let c' = c b^t mod n with randomly chosen t
– Then d = c'^e a1^{m1} a2^{m2} b^{s−et} (mod n), i.e. (c', e, s' = s−et) is also a signature on m1 and m2
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and
  PK{(ε, μ1, σ): d / a2^{m2} = c'^ε a1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^{μ1} a2^{m2} b^σ
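As an added worked example (my own code, not the deck's or Identity Mixer's) serving both the three CL-signature slides above and the earlier "Realizing Issuance of Credential" slides: signing and verifying (c, e, s), the re-randomisation c' = c b^t, s' = s − et that leaves the signature valid, and issuance on a hidden secret key where the user supplies C = a1^{sk} b^{s'} and the issuer returns c = (d / (C a2^{name} b^{s''}))^{1/e} so that (c, e, s' + s'') verifies on (sk, name). The toy modulus (two known primes), ℓ = 8, the function names and the sample messages are assumptions; the user's proof PK{(μ1, σ'): C = a1^{μ1} b^{σ'}} that accompanies C in the real protocol is not implemented.

```python
import secrets
from math import gcd

# Toy RSA modulus, constructed for this example so that it runs instantly.  Real CL
# signatures need a >= 2048-bit modulus and e.g. 256-bit messages; the algebra is the same.
P_FACTOR, Q_FACTOR = 10**9 + 7, 10**9 + 9
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
L = 8                      # message length l: messages in {0,1}^l, i.e. 0 <= m < 2^l


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def random_qr():
    return pow(secrets.randbelow(N - 2) + 2, 2, N)   # random element of QR_n


def keygen(k):
    """Signer public key (n, a_1..a_k, b, d); the secret key is the factorisation (PHI)."""
    return {"a": [random_qr() for _ in range(k)], "b": random_qr(), "d": random_qr()}


def _base_product(pk, msgs, s):
    """a_1^{m_1} ... a_k^{m_k} b^s mod n (s may be negative after re-randomisation)."""
    prod = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        prod = prod * pow(a_i, m_i, N) % N
    return prod


def choose_e():
    """Random prime e with 2^{l+1} < e < 2^{l+2} that is invertible mod phi(n)."""
    while True:
        e = secrets.randbelow(2 ** (L + 1)) + 2 ** (L + 1) + 1
        if e < 2 ** (L + 2) and is_prime(e) and gcd(e, PHI) == 1:
            return e


def sign(pk, msgs):
    """c = (d / (a_1^{m_1} ... a_k^{m_k} b^s))^{1/e} mod n; signature (c, e, s)."""
    e, s = choose_e(), secrets.randbelow(N)
    base = pk["d"] * pow(_base_product(pk, msgs, s), -1, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s


def verify(pk, msgs, sig):
    """Check message and e bounds, then d == c^e a_1^{m_1} ... a_k^{m_k} b^s mod n."""
    c, e, s = sig
    if not all(0 <= m < 2 ** L for m in msgs) or e <= 2 ** (L + 1):
        return False
    return pk["d"] == pow(c, e, N) * _base_product(pk, msgs, s) % N


def randomize(pk, sig):
    """c' = c b^t, s' = s - e t: an unlinkable-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def issue_on_hidden_message(pk, sk_user, name):
    """Issuance with sk hidden from the issuer.  The user's PK that C is well formed
    is assumed to have been verified (not implemented here)."""
    s_user = secrets.randbelow(N)
    C = pow(pk["a"][0], sk_user, N) * pow(pk["b"], s_user, N) % N     # user: C = a_1^{sk} b^{s'}
    e, s_issuer = choose_e(), secrets.randbelow(N)                    # issuer: chooses e, s''
    blinded = C * pow(pk["a"][1], name, N) % N * pow(pk["b"], s_issuer, N) % N
    c = pow(pk["d"] * pow(blinded, -1, N) % N, pow(e, -1, PHI), N)    # c = (d / (C a_2^{name} b^{s''}))^{1/e}
    return c, e, s_user + s_issuer                                    # user keeps s = s' + s''


if __name__ == "__main__":
    pk = keygen(2)
    sig = sign(pk, [200, 17])
    print(verify(pk, [200, 17], sig), verify(pk, [200, 17], randomize(pk, sig)))   # True True
    cred = issue_on_hidden_message(pk, 200, 17)
    print(verify(pk, [200, 17], cred))                                              # True
```

`randomize` is the step every presentation starts with on the polling and inspection slides: the verifier sees a fresh c' each time, and the proof of knowledge then hides e and s' as well.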
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from a signature scheme, a commitment scheme and zero-knowledge proofs; next: the commitment scheme)
Commitment scheme
Commitment Scheme: Functionality
(figure: the committer locks a message m, e.g. 2-36-17, in a box and hands it over; later she opens the box and the receiver sees m)
Commitment Scheme: Security
– Binding: having committed to m (e.g. 2-36-17), the committer cannot open the commitment to a different m' (e.g. 3-21-11)
– Hiding: for all messages m, m', the receiver cannot tell a commitment to m from a commitment to m'
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open the commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding: Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^{x+ur} = g^{(x+ur') + u(r-r')} = g^{x+ur'} h^{r-r'} for any r'.
I.e. given c and any x', there exists r'' such that c = g^{x'} h^{r''} (take r' = (x'-x)/u mod q and r'' = r - r').
Computationally binding: Let c, (x, r) and (x', r') with x ≠ x' s.t. c = g^x h^r = g^{x'} h^{r'}.
Then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q, i.e. two different openings of one commitment yield the discrete logarithm of h.
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^{x}$.
To encrypt a message $m \in \langle g \rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^{r} m,\ g^{r})$.
To decrypt a ciphertext $c = (c_1, c_2)$: we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$, thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r} m\, y^{-r} = m$.
Realizing Inspection
Pseudonym $Nym = g^{sk} h^{r}$, credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$, inspector public key $y = g^{x}$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^{u} Nym,\ g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
The same $\mu_1, \mu_2$ appear in the credential and in $e_1$, so the ciphertext provably encrypts the $Nym$ the credential was issued to.
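The inspection flow above, as an added Python example (it is not code from the slides or from Identity Mixer): the inspector's ElGamal key, the encryption of $Nym = g^{sk} h^{r}$, and a non-interactive proof, the conjunctive Fiat-Shamir generalisation of the Schnorr proof used throughout these slides, that $e_1 = y^{u} g^{sk} h^{r}$ and $e_2 = g^{u}$ hold for secrets the user knows, with the label hashed into the challenge so that a verifier checking under a different label rejects. The credential conjunct and the range conditions are left out, and the group parameters ($p = 2039$, $q = 1019$, $g = 4$, $h = g^{1234}$) are toy values assumed for the demo.

```python
"""ElGamal encryption of a pseudonym plus a labelled Fiat-Shamir proof that the
ciphertext encrypts a pseudonym the user knows the opening of (the
'verifiable encryption' of the inspection slides). Toy parameters only."""
import hashlib
import secrets

# Toy group (assumed for illustration): p = 2039 is a safe prime, q = 1019,
# so the quadratic residues mod p form a group of prime order q generated by
# g = 4. h = g^1234; in practice log_g(h) must be unknown to users.
P, Q, G = 2039, 1019, 4
H = pow(G, 1234, P)


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def keygen():
    """Inspector key pair: secret x, public y = g^x."""
    x = rand_exp()
    return x, pow(G, x, P)


def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m, u):
    """ElGamal: (y^u * m, g^u) with fresh randomness u."""
    return pow(y, u, P) * m % P, pow(G, u, P)


def decrypt(x, ct):
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P          # e1 / e2^x


def _challenge(label, eqs, commitments):
    """Hash the label, the statement and the commitments: a changed label
    invalidates the proof, which is how the label binds the context."""
    h = hashlib.sha256(label.encode())
    for (target, terms), t in zip(eqs, commitments):
        h.update(str((target, [base for base, _ in terms], t)).encode())
    return int.from_bytes(h.digest(), "big")   # any integer works as exponent


def prove(eqs, witness, label):
    """Non-interactive proof of knowledge for an AND of equations
    target = prod(base^secret); eqs = [(target, [(base, name), ...]), ...]."""
    r = {name: rand_exp() for name in witness}
    commitments = []
    for _, terms in eqs:
        t = 1
        for base, name in terms:
            t = t * pow(base, r[name], P) % P
        commitments.append(t)
    c = _challenge(label, eqs, commitments)
    return c, {name: (r[name] - c * x) % Q for name, x in witness.items()}


def verify(eqs, proof, label):
    c, s = proof
    commitments = []
    for target, terms in eqs:
        t = pow(target, c, P)                # target^c * prod(base^s) == prod(base^r)
        for base, name in terms:
            t = t * pow(base, s[name], P) % P
        commitments.append(t)
    return c == _challenge(label, eqs, commitments)


def _inspection_statement(y, e1, e2):
    # e1 = y^u g^sk h^r  and  e2 = g^u, i.e. (e1, e2) encrypts Nym = g^sk h^r
    return [(e1, [(y, "u"), (G, "sk"), (H, "r")]), (e2, [(G, "u")])]


def present(y, sk, r, label):
    """User: encrypt Nym to the inspector under a label and prove it is well formed."""
    u = rand_exp()
    e1, e2 = encrypt(y, pseudonym(sk, r), u)
    proof = prove(_inspection_statement(y, e1, e2), {"u": u, "sk": sk, "r": r}, label)
    return (e1, e2), proof


def check_presentation(y, ct, proof, label):
    """Verifier: never sees Nym, only checks the proof under the expected label."""
    return verify(_inspection_statement(y, *ct), proof, label)
```

`check_presentation` never learns $Nym$; only the inspector's `decrypt` recovers it, and a presentation verified under one label cannot be re-used under another, because the label is part of the hashed challenge.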
Revocation of credentials

Anonymous Credential Revocation
[Figure: the issuer publishes revocation information; the verifier looks it up.]
There are various reasons to revoke a credential: the user lost the credential (secret key), misbehavior of the user, etc.
Alice should be able to convince the verifier that her credential is among the good ones.

Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work: presentations are anonymous and unlinkable, so the verifier has no identifier to look up on a list.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose a random $g$
– compute $U_j = g^{u_j}$ for every $u_j$ in $(u_1, \ldots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose a random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– the verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list (and rejects if so)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? Then every stored $(h, U)$ can be tested against every listed $u_j$. And even with a blacklist: if a credential is revoked, its $u_i$ becomes public and all its past transactions become linkable.
Revocable Credentials: Second Solution (variation)
Variation: the verifier could choose $h$ and keep it fixed for a while.
– It can pre-compute the list $U_i = h^{u_i}$ → a single table lookup per presentation.
– BUT if the user comes again, the verifier can link her visits (same $U$). ALSO the verifier could refrain from ever changing $h$, or use the same $h$ as other verifiers, so that presentations become linkable across verifiers.
– One way out: $h = H(\mathrm{verifier} \| \mathrm{date})$, so the user can check that $h$ is correct; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
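The blacklist check of the second solution, as an added Python example (not code from the slides): the user reveals $U = h^{u}$ for a session base $h = H(\mathrm{verifier} \| \mathrm{date})$, the verifier tests $U$ against $h^{u_j}$ for every revoked $u_j$, and two helpers show the two pitfalls discussed above: a fixed $h$ lets the verifier link repeat visits, and once a revoked $u$ is published, stored $(h, U)$ pairs reveal every past presentation of that credential. The proof that binds $U$ to the credential is omitted, and the group ($p = 2039$, $q = 1019$) is a toy assumption.

```python
"""Blacklist check of the 'second solution': the user reveals U = h^u for a
session base h, the verifier tests U against every revoked u_j. Also shows the
linkability trap of a fixed h and the h = H(verifier || date) derivation.
Toy group; the ZK proof binding U to the credential is omitted."""
import hashlib

P, Q = 2039, 1019        # toy safe-prime group (assumed); QR_p has prime order q


def session_base(verifier_id: str, date: str) -> int:
    """h = H(verifier || date) mapped into QR_p; the user can recompute it."""
    digest = hashlib.sha256(f"{verifier_id}|{date}".encode()).digest()
    v = int.from_bytes(digest, "big") % (P - 1) + 1
    h = pow(v, 2, P)                      # squaring lands in QR_p
    return h if h != 1 else 4


def revocation_handle(u: int, h: int) -> int:
    return pow(h, u, P)                   # U = h^u, sent by the user


class Verifier:
    def __init__(self, verifier_id: str, revoked):
        self.id = verifier_id
        self.revoked = list(revoked)      # published invalid u_j's
        self.log = []                     # (h, U) of every presentation, as stored

    def check(self, h: int, U: int) -> bool:
        """Accept unless U = h^u_j for some revoked u_j: linear in the list."""
        self.log.append((h, U))
        return all(pow(h, uj, P) != U for uj in self.revoked)


def linked_sessions(log) -> int:
    """Later sessions whose (h, U) equals an earlier one: with a fixed h the
    same user always shows the same U, so the verifier links her visits."""
    seen, hits = set(), 0
    for pair in log:
        hits += pair in seen
        seen.add(pair)
    return hits


def retroactive_links(log, u: int) -> list:
    """Once u is published (revoked), anyone holding past (h, U) pairs can test
    U = h^u and find every past presentation of that credential."""
    return [i for i, (h, U) in enumerate(log) if pow(h, u, P) == U]
```

With a per-date base, two visits of the same user on different days produce unrelated values of $U$; with the same base they produce the same $U$, which is exactly what `linked_sessions` counts.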
Revocable Credentials: Second Solution – a better implementation of the proof
[Figure: number line with the revoked values 1, 4, 5; the issuer signs the intervals between them: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N).]
– The issuer signs the intervals between revoked values → revocation list $\{1, 4, 5\}$.
– The user proves that her credential contains $u$ (e.g. $u = 3$) and that she holds some $Sig(i, j)$ with $i < u < j$.
– The verifier does not learn $i$, $j$ (nor $u$).
– $Sig(i, j)$ can be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
[Figure: the serial numbers 1 to 6 are accumulated into one value; the credential with serial 2 proves that 2 is included in the accumulator.]
– Credentials contain a random serial number.
– The issuer accumulates all good serial numbers.
– The proof that a serial is included requires a witness.
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod_i e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show an $x$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption.
– For any $e$: equivalent to the Strong RSA assumption.
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator;
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go.
Revocable Credentials: Third Solution
Prove that your value $e$ is in the accumulator:
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^{s}$ and $U_2 = g^{s}$, and reveal $U_1$, $U_2$, $g$.
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
– The proof indeed proves that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$, so $U_1 / h^{\delta}$ is a witness for $\mu$
c) $d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, so the same $\mu$ is the $e$ signed in the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod_i e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer computes the root with the factorization of $n$)
– witness update, done by each remaining user without the factorization:
• use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• set $x' = x^{b} z'^{a} \bmod n$
• why: $x'^{e_{own}} = x^{b\, e_{own}} z'^{a\, e_{own}} = z^{b} z'^{a\, e_{own}} = z'^{b\, e_{rev}} z'^{a\, e_{own}} = z'^{a\, e_{own} + b\, e_{rev}} = z' \pmod n$, using $x^{e_{own}} = z$ and $z = z'^{e_{rev}}$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod_i e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$
– thus $z$ needs not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
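The dynamic accumulator of the last six slides, as an added Python example (not the Camenisch-Lysyanskaya reference code): accumulating prime serials, the witness check $z = x^{e}$, the naive join that forces every witness update $x' = x^{e_{new}}$, the improved join that leaves $z$ unchanged, revocation via $z' = z^{1/e_{rev}}$, and the user-side witness update with the extended Euclidean algorithm that needs no trapdoor. The zero-knowledge membership proof is omitted, so witnesses are shown in clear; the modulus is built from the Mersenne primes $2^{127}-1$ and $2^{107}-1$ and the seed $v$ is fixed, both assumptions for the demo (such a modulus is trivially factored).

```python
"""Dynamic RSA accumulator as on the slides: accumulate prime serials,
witness check, naive add, trapdoor add (z unchanged), revocation with the
extended-Euclid witness update. Toy modulus from Mersenne primes (assumed,
insecure); the zero-knowledge membership proof is omitted."""
from math import prod

P_, Q_ = (1 << 127) - 1, (1 << 107) - 1      # both prime (Mersenne); toy only
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)                    # issuer's trapdoor
V = pow(1234567, 2, N)                        # fixed seed v in QR_n (assumed)


def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b = g."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def verify(z, x, e):
    """Membership check: z = x^e mod n."""
    return pow(x, e, N) == z


class Issuer:
    def __init__(self, serials):
        self.members = list(serials)          # accumulated primes e_i
        self.z = pow(V, prod(serials), N)     # z = v^(prod e_i)

    def witness(self, e):
        """x = v^(product of the other e_i); valid only before any trapdoor add."""
        return pow(V, prod(ej for ej in self.members if ej != e), N)

    def add(self, e_new):
        """Naive join: z' = z^e_new; every member must update x' = x^e_new."""
        self.members.append(e_new)
        self.z = pow(self.z, e_new, N)
        return self.z

    def add_with_trapdoor(self, e_new):
        """Improved join: z is unchanged, the new member gets x = z^(1/e_new)."""
        self.members.append(e_new)
        return pow(self.z, pow(e_new, -1, PHI), N)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev), computed with the factorization of n."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def update_after_add(x, e_new):
    return pow(x, e_new, N)


def update_after_revoke(x, e_own, e_rev, z_new):
    """User side, no trapdoor: a*e_own + b*e_rev = 1 and x' = x^b * z'^a.
    Then x'^e_own = z^b * z'^(a e_own) = z'^(b e_rev + a e_own) = z'."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "serials must be distinct primes"
    return pow(x, b, N) * pow(z_new, a, N) % N
```

`pow(x, b, N)` with a negative `b` computes the modular inverse, which is what the Bezout coefficients require; Python raises if the element is not invertible, which cannot happen for elements of $QR_n$ with overwhelming probability.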
Revocation: Zeroth Solution – Update of Credentials
Encode the validity time as an attribute.
– No additional effort for the verifier.
– If the credential is valid, i.e. its validity time has not passed, there is no need to check revocation updates from the issuer.

Revocation: Zeroth Solution – Re-issue certificates
(off-line; interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$, computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.

Revocation: Zeroth Solution – Re-issue certificates (off-line)
Idea: just repeat the last step for each new validity time $time_i$:
– choose $e_i, s_i''$
– $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
– the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society:
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
E-mail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine and abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, 16(3):185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets with Observers. In CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2):84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, 28(10), 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In CRYPTO '84.
Privacy-protecting authentication with Privacy-ABCs
[Figure: the issuer publishes issuer parameters and a credential specification and issues a credential to the user; the user derives a presentation token and a pseudonym for the verifier, whose presentation policy (verifier parameter) demands e.g. "12 < age".]
The Policy Layer – An Example Presentation Policy
[Figure: the verifier sends the presentation policy to the user, who answers with a presentation token.]
<abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
  <abc:Message>
    <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
  </abc:Message>
  <abc:Credential Alias="voucher">
    <abc:CredentialSpecAlternatives>
      <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
    </abc:CredentialSpecAlternatives>
    <abc:IssuerAlternatives>
      <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
    </abc:IssuerAlternatives>
  </abc:Credential>
  <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
    <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
    <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
  </abc:AttributePredicate>
</abc:PresentationPolicy>
So lets look at the cryptography
Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.

zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
[Figure: three-move protocol: commitment, challenge, response.]
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x$ s.t. $y = g^{x}$, such that the verifier only learns $y$ and $g$.
Prover: choose random $r$, compute $t = g^{r}$, send $t$.
Verifier: choose random $c$, send $c$.
Prover: compute $s = r - cx \bmod q$, send $s$.
Verifier: check $t = g^{s} y^{c}$.
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Rewind the prover to the same $t$ and answer two different challenges $c \neq c'$, obtaining $(t, c, s)$ and $(t, c', s')$:
$t = g^{s} y^{c} = g^{s'} y^{c'} \Rightarrow y^{c - c'} = g^{s' - s} \Rightarrow y = g^{(s' - s)/(c - c')} \Rightarrow x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
– Choose random $c', s'$, compute $t = g^{s'} y^{c'}$ and send $t$.
– If the verifier's challenge is $c = c'$, send $s = s'$; otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
Verifier: choose random $c_v$, compute $h = H(c_v)$, send $h$ (a commitment to the challenge).
Prover: choose random $r$, compute $t = g^{r}$, send $t$.
Verifier: send $c_v$.
Prover: check $h = H(c_v)$, compute $s = r - c_v x \bmod q$, send $s$.
Verifier: check $t = g^{s} y^{c_v}$.
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security
Simulation for the modified protocol with a large domain for $c$:
– Receive $h$ from the verifier. Choose random $c', s'$, compute $t = g^{s'} y^{c'}$, send $t$.
– After having received $c_v$, "reboot" the verifier, i.e. rewind it to just after it sent $h$; now $c_v$ is known.
– Choose random $s$, compute $t = g^{s} y^{c_v}$, send $t$; when the verifier opens $c_v$ again, send $s$.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (recap)
Given a group $\langle g \rangle$ and $y \in \langle g \rangle$, the prover convinces the verifier that she knows $x$ s.t. $y = g^{x}$: Prover: random $r$, $t = g^{r}$. Verifier: random $c$. Prover: $s = r - cx \bmod q$. Verifier: check $t = g^{s} y^{c}$.
Notation: $PK\{(\alpha):\ y = g^{\alpha}\}$
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H(\cdot)$ behaves as a "random oracle"
Signature: $SPK\{(\alpha):\ y = g^{\alpha}\}(m)$
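The protocol of the last slides in Python, as an added example (not code from the slides or from an IBM library): the three-move proof $PK\{(\alpha): y = g^{\alpha}\}$, the extractor that rewinds the prover to the same $t$ and answers two challenges, the simulator that fabricates accepting transcripts without $x$, and the Fiat-Shamir transform into $SPK\{(\alpha): y = g^{\alpha}\}(m)$ with SHA-256 as the random oracle. The group is a seeded 64-bit safe-prime group found at import time; that size and the seed are assumptions for the demo and are far below anything secure.

```python
"""Schnorr proof of knowledge of a discrete log: protocol, extractor,
simulator and Fiat-Shamir signature. Demo parameters only."""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demo group, not for production parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64, seed=2014):
    """Safe prime p = 2q + 1 found with a seeded search; g = 4 generates the
    order-q subgroup of quadratic residues. 64 bits is a toy size (assumed)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_group()


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)          # secret x, public y = g^x


# Three-move protocol PK{(alpha): y = g^alpha}
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)          # keep r, send t = g^r


def verifier_challenge():
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    return (r - c * x) % Q          # s = r - c x


def verifier_check(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P


# Knowledge extractor: rewind the prover to the same t, get two transcripts.
def extract(c1, s1, c2, s2):
    """g^s1 y^c1 = g^s2 y^c2 gives y^(c1 - c2) = g^(s2 - s1), hence
    x = (s2 - s1) / (c1 - c2) mod q."""
    assert c1 != c2
    return (s2 - s1) * pow(c1 - c2, -1, Q) % Q


# Simulator: an accepting transcript for any challenge, without knowing x.
def simulate(y, c):
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# Fiat-Shamir: SPK{(alpha): y = g^alpha}(m) with c = H(t || m)
def _hash_challenge(t, m):
    digest = hashlib.sha256(t.to_bytes(16, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    r, t = prover_commit()
    c = _hash_challenge(t, m)
    return c, prover_respond(x, r, c)


def verify_sig(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P   # recompute t from (c, s)
    return c == _hash_challenge(t, m)
```

`extract` is exactly why a prover must never reuse $r$ for two challenges: two signatures that share $t$ hand the secret key to anyone who sees them. `simulate` produces transcripts the verifier cannot tell from real ones, which is the zero-knowledge argument of the slides in executable form.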
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
– $PK\{(\alpha, \beta):\ y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
– $PK\{(\alpha, \beta):\ y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
– $SPK\{(\alpha):\ y = g^{\alpha}\}(m)$
Many exponents:
– $PK\{(\alpha, \beta, \gamma, \delta):\ y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
– $PK\{(\alpha):\ y = g^{\alpha} \wedge \alpha \in [A, B]\}$
– $PK\{(\alpha):\ y = g^{\alpha} \wedge z = \mathfrak{g}^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\mathfrak{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\gamma}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\gamma} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\gamma} = g^{\alpha_2 \alpha_1} h^{\gamma + \beta_2 \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\gamma}\}$?
→ $C_2 = C_1^{\alpha_1} h^{\gamma} = g^{\alpha_1^2} h^{\beta_1 \alpha_1 + \gamma}$, so $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2):\ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
Comparing with $C_2 = g^{\alpha_2} h^{\beta_2}$:
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy-ABCs
[Figure: Alice with the building blocks: signature scheme, commitment scheme, zero-knowledge proofs.]

signature schemes
Signature Scheme Functionality
[Figure: key generation yields a secret signing key and a public verification key; signing: $\sigma = \mathrm{sig}((m_1, \ldots, m_k), sk)$; verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.]
Signature Scheme Security
Unforgeability under adaptive chosen message attack:
[Figure: the adversary adaptively obtains signatures $(m_1, \sigma_1), \ldots, (m_l, \sigma_l)$ on messages of its choice and wins if it outputs $\sigma$ and $m \neq m_i$ s.t. $\mathrm{ver}(\sigma, m, pk) = \mathrm{true}$.]
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^{*} \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$.
Verification of a signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$.
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference
Verification of a signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$.
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(\mu, \sigma):\ \sigma^{e} = H(\mu) \pmod n\}$?
But this is not a valid proof expression :-( The secrets have to appear as exponents of known bases, and the hash $H(\cdot)$ is no such algebraic relation.
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$
– compute $c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^{s})\right)^{1/e} \bmod n$
The signature is $(c, e, s)$.
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$, check:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$ and $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$.
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ this proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$, with $m_2$ revealed and $m_1$, $e$, $s'$ hidden; since $c'$ is fresh for every showing, showings are unlinkable.
Privacy-protecting authentication with Privacy-ABCs
[Figure: Alice with the building blocks: signature scheme, commitment scheme, zero-knowledge proofs.]

commitment scheme
Commitment Scheme Functionality
[Figure: the committer puts a message $m$ (e.g. the date 2-36-17) into a locked box and hands it over; later the box is opened and reveals $m$.]

Commitment Scheme Security
– Binding: [Figure] a committed box cannot be opened to a different message, e.g. 2-36-17 cannot later be opened as 3-21-11.
– Hiding: [Figure] for all messages $m, m'$, a commitment to $m$ is indistinguishable from a commitment to $m'$.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment: reveal $x$ and $r$ to the verifier; the verifier checks whether $c = g^{x} h^{r}$.
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$. I.e. given $c$ and any $x'$, there exists an $r''$ (namely $r'' = r - (x' - x)/u$) such that $c = g^{x'} h^{r''}$: the commitment is consistent with every message.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. whoever opens a commitment in two ways has computed the discrete logarithm of $h$.
Commitment Scheme: Extended Features
[Figure: proof of knowledge of contents ("I know the $m$ in this box") and proof of relations among contents ("the $m'$ in the second box is $2 m$"), both answered with "true" without opening the boxes.]
Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$. Then:
– proof of knowledge of contents: $PK\{(\alpha, \beta):\ C = g^{\beta} h^{\alpha}\}$
– proof of the relation $m' = 2m$: $PK\{(\alpha, \beta, \gamma):\ C = g^{\beta} h^{\alpha} \wedge C' = (g^{2})^{\beta} h^{\gamma}\}$
putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
The user's secret key is a random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$: choose random $r \in \mathbb{Z}_q$ and compute $Nym = g^{sk} h^{r}$, i.e. a Pedersen commitment to $sk$.
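The commitment and pseudonym slides above, and the domain pseudonym of the polling example earlier on this page, as an added Python example (not code from the slides or from Identity Mixer): Pedersen commit/open, the trapdoor equivocation behind perfect hiding, the reduction that turns a binding break into $\log_g h$, fresh pseudonyms $Nym = g^{sk} h^{r}$, and $P = H(\mathrm{domain})^{sk}$ with the pollster's duplicate detection. The group ($p = 2039$, $q = 1019$, $g = 4$) and the known trapdoor $u$ are assumptions for the demo; in a real deployment $h$ is generated so that nobody knows $u$.

```python
"""Pedersen commitments with their two security properties made concrete,
pseudonyms Nym = g^sk h^r built on them, and domain pseudonyms
P = H(domain)^sk (polling example). Toy group; the trapdoor u is known here
only to demonstrate equivocation."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # toy safe-prime group (assumed); g generates QR_p
TRAPDOOR_U = 777             # h = g^u; in practice nobody may know u
H_ = pow(G, TRAPDOOR_U, P)


def commit(x, r=None):
    """Pedersen: c = g^x h^r with fresh r (or the r given, for reproducibility)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, x, P) * pow(H_, r, P) % P, r


def open_commitment(c, x, r):
    return c == pow(G, x, P) * pow(H_, r, P) % P


def equivocate(x, r, x_new, u):
    """Perfect hiding: with u = log_g h, c = g^(x + u r) opens to any x_new
    under r' = r + (x - x_new) / u."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def extract_dlog(x1, r1, x2, r2):
    """Binding reduction: two openings of one commitment with x1 != x2 yield
    log_g h = (x1 - x2) / (r2 - r1) mod q."""
    assert x1 != x2
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q


def new_pseudonym(sk):
    """Nym = g^sk h^r: a fresh commitment to the user's secret key, so two
    pseudonyms of the same user are unlinkable."""
    return commit(sk)


def hash_to_group(domain: str) -> int:
    v = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % (P - 1) + 1
    h = pow(v, 2, P)         # squaring lands in QR_p
    return h if h != 1 else G


def domain_pseudonym(sk, domain: str) -> int:
    """P = H(domain)^sk: fixed per (user, domain), unlinkable across domains
    under DDH, and with no randomness the user could vary to vote twice."""
    return pow(hash_to_group(domain), sk, P)


def detect_duplicates(submissions):
    """Pollster: submissions are (P, opinion); any later opinion under an
    already seen domain pseudonym is dropped and returned here."""
    seen, dropped = set(), []
    for pseud, opinion in submissions:
        if pseud in seen:
            dropped.append(opinion)
        seen.add(pseud)
    return dropped
```

`equivocate` only works because this demo knows $u$; that is the whole point of the hiding argument on the Pedersen slide, and the reason a production setup must derive $h$ without anyone learning $\log_g h$.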
Privacy-protecting authentication with Privacy-ABCs: Concept – credentials
[Figure: issuing a credential, like PKI but better. Example attributes: Name = Alice Doe, Birth date = April 3, 1997.]
Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$, $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$.
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead → $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$.
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the signer receives commitments to $m_1, \ldots, m_j$ and the clear messages $m_{j+1}, \ldots, m_k$, and outputs $\sigma = \mathrm{sig}((\mathrm{commit}(m_1), \ldots, \mathrm{commit}(m_j), m_{j+1}, \ldots, m_k), sk)$.]
Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
[Figure: the issuer's public key is $(n, a_i, b, d)$; the user holds $sk$.]
1. The user chooses $s'$, computes $C = a_1^{sk} b^{s'}$ and sends $C$, her name and the proof $PK\{(\mu_1, \sigma'):\ C = a_1^{\mu_1} b^{\sigma'}\}$.
2. The issuer chooses a prime $e$ and $s''$, computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The user's credential is $(c, e, s'' + s')$: indeed $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.
Realizing Issuance of a Credential: binding to a pseudonym
We want to sign w.r.t. $Nym = g^{sk} h^{r}$.
1. The user sends $Nym$, $C = a_1^{sk} a_2^{r} b^{s'}$, her name, and the proof $PK\{(\mu_1, \rho, \sigma'):\ Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
2. The issuer stores $(Nym, name)$, chooses $e, s''$, computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The credential satisfies $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
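The CL signature, its re-randomisation and the issuance on a committed secret key, as one added Python example (not Identity Mixer code) serving both the CL-signature slides earlier on this page and the issuance slides just above. `user_commit`, `issue` and `complete` are the three issuance steps; `randomize` and `prove`/`verify_proof` are the "Proving Knowledge of a CL-signature" slide: the user reveals the name but hides $sk$, $e$ and $s$, and since $QR_n$ has unknown order the responses are integers blinded by randomness wider than secret plus challenge plus a statistical slack. Assumptions for the demo: a modulus built from the Mersenne primes $2^{127}-1$ and $2^{107}-1$ (trivially factorable; never use such a modulus), 17-bit messages, and no enforcement of the range conditions $\mu \in \{0,1\}^{\ell}$, $\varepsilon > 2^{\ell+1}$ nor of the user's proof at issuance, which need the interval proofs the slides mention.

```python
"""Toy CL signature: issuance on a committed secret key, verification,
re-randomisation and a proof of knowledge of the credential. Demo only."""
import hashlib
import secrets
from math import gcd

P_, Q_ = (1 << 127) - 1, (1 << 107) - 1   # Mersenne primes: toy modulus (assumed)
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)                 # issuer's secret key
ELL = 17                                  # message length in bits
CH_BITS, SLACK = 128, 80                  # challenge length, hiding slack


def _is_prime(e):
    """Trial division; fine for the 19-bit primes e used here."""
    i = 2
    while i * i <= e:
        if e % i == 0:
            return False
        i += 1
    return e >= 2


def _random_qr():
    return pow(secrets.randbelow(N - 2) + 2, 2, N)


def keygen():
    """Public key: a1 (for sk), a2 (for the name), b, d, all in QR_n."""
    return {"a": [_random_qr(), _random_qr()], "b": _random_qr(), "d": _random_qr()}


def user_commit(pk, sk):
    """Issuance step 1: the user sends C = a1^sk b^s', hiding sk."""
    s1 = secrets.randbelow(N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issue(pk, C, name):
    """Issuance step 2: prime e in (2^(l+1), 2^(l+2)), random s'',
    c = (d / (C a2^name b^s''))^(1/e) mod n, the root taken with phi(n)."""
    while True:
        e = (1 << (ELL + 1)) + 1 + secrets.randbelow(1 << (ELL + 1))
        if _is_prime(e) and gcd(e, PHI) == 1:
            break
    s2 = secrets.randbelow(N)
    denom = C * pow(pk["a"][1], name, N) % N * pow(pk["b"], s2, N) % N
    c = pow(pk["d"] * pow(denom, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def complete(sig, s1):
    """Issuance step 3: the credential is (c, e, s'' + s')."""
    c, e, s2 = sig
    return c, e, s2 + s1


def verify(pk, sk, name, cred):
    """d = c^e a1^sk a2^name b^s mod n, with e and the messages in range."""
    c, e, s = cred
    if not (1 << (ELL + 1)) < e < (1 << (ELL + 2)):
        return False
    if not (0 <= sk < (1 << ELL) and 0 <= name < (1 << ELL)):
        return False
    v = pow(c, e, N) * pow(pk["a"][0], sk, N) % N * pow(pk["a"][1], name, N) % N
    return v * pow(pk["b"], s, N) % N == pk["d"]


def randomize(pk, cred):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = cred
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def _challenge(pk, c_p, name, t_commit):
    data = str((pk["a"], pk["b"], pk["d"], c_p, name, t_commit)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - CH_BITS)


def prove(pk, cred_p, sk, name):
    """SPK{(eps, mu, sigma): d / a2^name = c'^eps a1^mu b^sigma}. The group
    order is unknown, so responses are integers blinded by randomness that is
    wider than |secret| + CH_BITS + SLACK bits."""
    c_p, e, s = cred_p
    r_e = secrets.randbelow(1 << (ELL + 2 + CH_BITS + SLACK))
    r_m = secrets.randbelow(1 << (ELL + CH_BITS + SLACK))
    r_s = secrets.randbelow(1 << (N.bit_length() + ELL + 3 + CH_BITS + SLACK))
    t_commit = pow(c_p, r_e, N) * pow(pk["a"][0], r_m, N) % N * pow(pk["b"], r_s, N) % N
    ch = _challenge(pk, c_p, name, t_commit)
    return ch, (r_e - ch * e, r_m - ch * sk, r_s - ch * s)


def verify_proof(pk, c_p, name, proof):
    ch, (z_e, z_m, z_s) = proof
    target = pk["d"] * pow(pow(pk["a"][1], name, N), -1, N) % N        # d / a2^name
    t_commit = (pow(target, ch, N) * pow(c_p, z_e, N) % N
                * pow(pk["a"][0], z_m, N) % N * pow(pk["b"], z_s, N) % N)
    return ch == _challenge(pk, c_p, name, t_commit)
```

The verifier only ever sees $c'$, the revealed name and the proof; because `randomize` draws a fresh $t$ for every showing, two showings of the same credential share no value the verifier could match.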
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice her opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
The user generates a pseudonym (ID for registration).
The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer key $(n, a_1, a_2, a_3, b, d)$.
The credential can contain attributes (e.g. the course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms her credential.
3. The user sends the transformed credential, revealing a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because the domain pseudonym is unique per user and poll.
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish z and n
– witness value x for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x and e with $z = x^e \bmod n$ for an e that is not contained in the accumulator.
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets the witness x together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x:
  • choose random s and g, and
  • compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n\ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n\ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n\ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed:
  • $(U_1, U_2)$ is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof indeed proves that the e contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use the extended Euclidean algorithm to compute a and b s.t. $a e_{own} + b e_{rev} = 1$
  • Now $x' = x^b z'^a \bmod n$
  • Why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
    $= ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} \bmod n = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} \bmod n$
    $= z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
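As an added example (not from the slides), the Third Solution in Python: a toy RSA accumulator with the join update, the revocation update of a witness via the extended Euclidean algorithm as derived above, and the improved join where the issuer knows the factorization. The modulus, seed and serial-number primes are constructed toy values and the function names are mine.

```python
# Added example: toy RSA accumulator for credential revocation (slides' Third Solution).
# The modulus, seed and serial-number primes below are constructed toy values; a real
# system uses a 2048-bit modulus with unknown factorisation and large random primes.
P_, Q_ = 2039, 2027          # toy factors of n; only the issuer knows them
N = P_ * Q_                  # public RSA modulus n
PHI = (P_ - 1) * (Q_ - 1)    # phi(n), issuer-only
V = 3                        # public seed v (a square, hence in QR_n)


def ext_euclid(a, b):
    """Return (s, t) with s*a + t*b = gcd(a, b); for distinct primes the gcd is 1."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r != 1:
        raise ValueError("serial-number primes must be distinct")
    return old_s, old_t


def accumulate(values):
    """z = v^(prod e_i) mod n over all currently good serial numbers e_i."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j):
    """x = v^(prod of all e_i except e_j) mod n, so that x^e_j = z mod n."""
    x = V
    for e in values:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    """Verifier: e is accumulated in z iff z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, witnesses, e_new):
    """Join without knowing phi(n): z' = z^e_new, and every holder sets x' = x^e_new.
    The newcomer's witness is the old accumulator value z."""
    updated = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    updated[e_new] = z
    return pow(z, e_new, N), updated


def add_member_issuer(z, witnesses, e_new):
    """Improved join (issuer knows phi(n)): z stays, newcomer gets x = z^(1/e_new)."""
    updated = dict(witnesses)
    updated[e_new] = pow(z, pow(e_new, -1, PHI), N)
    return z, updated


def revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n (requires phi(n))."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness(x, z_new, e_own, e_rev):
    """Holder of e_own after e_rev was revoked: with a*e_own + b*e_rev = 1,
    x' = x^b * z'^a mod n satisfies x'^e_own = z' (the slide's derivation)."""
    a, b = ext_euclid(e_own, e_rev)
    return pow(x, b, N) * pow(z_new, a, N) % N


def demo():
    """Walk through issue -> join -> revoke and return the final (z, witnesses)."""
    good = [5, 7, 11, 13]                       # credentials' serial numbers (primes)
    z = accumulate(good)
    wit = {e: witness(good, e) for e in good}
    z, wit = add_member(z, wit, 17)             # a fifth credential is issued
    z_new = revoke(z, 7)                        # credential 7 is revoked
    wit = {e: update_witness(x, z_new, e, 7) for e, x in wit.items() if e != 7}
    return z_new, wit
```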
Revocation: Zeroth Solution
Update of Credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses e, s'' and computes
$c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
and returns $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$:
– choose $e_i, s_i''$
– $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
E-mail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– Camenisch and Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
The Policy Layer – An Example: Presentation policy
(Figure: the Verifier sends a presentation policy to the User, who answers with a presentation token.)

    <abc:PresentationPolicy PolicyUID="https://movies.com/presentationpolicies/movie1">
      <abc:Message>
        <abc:ApplicationData>Terms and Conditions</abc:ApplicationData>
      </abc:Message>
      <abc:Credential Alias="voucher">
        <abc:CredentialSpecAlternatives>
          <abc:CredentialSpecUID>https://movies.com/specifications/voucher</abc:CredentialSpecUID>
        </abc:CredentialSpecAlternatives>
        <abc:IssuerAlternatives>
          <abc:IssuerParametersUID>https://movies.com/parameters/voucher</abc:IssuerParametersUID>
        </abc:IssuerAlternatives>
      </abc:Credential>
      <abc:AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:dateTime-geq">
        <abc:Attribute CredentialAlias="voucher" AttributeType="Expires"/>
        <abc:ConstantValue>2014-06-17T14:06:00Z</abc:ConstantValue>
      </abc:AttributePredicate>
    </abc:PresentationPolicy>
So let's look at the cryptography.
Required Technologies
– Encryption Schemes
– Signature Schemes
– Commitment Schemes
– Zero-Knowledge Proofs
The challenge is to do all this efficiently.

Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge (figure: the prover sends a Commitment, the verifier a Challenge, the prover a Response).
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element $y \in \langle g \rangle$: the prover wants to convince the verifier that she knows x s.t. $y = g^x$, such that the verifier only learns y and g.
Prover (knows $y = g^x$): random r, $t = g^r$ → sends t
Verifier: random c → sends c
Prover: $s = r - cx$ → sends s
Verifier checks: $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants & we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Rerun with the same t and two different challenges: transcripts (t, c, s) and (t, c', s') with
$t = g^s y^c = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees" (a transcript (t, c, s)):
– choose random c, s and compute $t = g^s y^c$; send t
– if the verifier's challenge c' equals c, send s; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge.
Verifier: random $c_v$, $h = H(c_v)$ → sends h
Prover (knows $y = g^x$): random r, $t = g^r$ → sends t
Verifier → sends $c_v$
Prover: checks $h = H(c_v)$, $s = r - c_v x$ → sends s
Verifier checks: $t = g^s y^{c_v}$
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero-Knowledge Proofs: Security
Simulation for the modified protocol (large domain for c):
– receive h; choose random c, s and compute $t = g^s y^c$; send t
– receive $c_v$; after having received $c_v$, "reboot" the verifier (rewind it to the point after it sent h)
– choose random s' and compute $t' = g^{s'} y^{c_v}$; send t'
– receive $c_v$ again; send s'
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (recap)
Given a group ⟨g⟩ and $y \in \langle g \rangle$, the prover convinces the verifier that she knows x s.t. $y = g^x$: the Prover sends $t = g^r$ for random r; the Verifier sends random c; the Prover sends $s = r - cx$; the Verifier checks $t = g^s y^c$. Notation: $PK\{(\alpha): y = g^{\alpha}\}$.
From Protocols To Signatures
Signing a message m:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^r \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output (c, s)
Verifying a signature (c, s) on a message m:
– check $c = H(g^s y^c \| m)$ ↔ $t = g^s y^c$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
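As an added example (not from the slides), the protocol of the preceding slides and the "From Protocols To Signatures" step in Python: the interactive $PK\{(\alpha): y = g^{\alpha}\}$, the extractor that recovers x from two transcripts with the same t, the simulator, and the Fiat-Shamir signature $SPK\{(\alpha): y = g^{\alpha}\}(m)$. The group (p = 2039, q = 1019, g = 4) is a constructed toy group and the function names are mine.

```python
# Added example: the Schnorr protocol PK{(α): y = g^α} from the slides, with the
# knowledge extractor (soundness), the simulator (zero-knowledge) and the Fiat-Shamir
# signature SPK{(α): y = g^α}(m). Toy group: order-q subgroup of Z_p^*, p = 2q + 1.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # toy safe prime p, subgroup order q, generator g = 2^2


def keygen():
    """Secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- interactive protocol -----------------------------------------------------
def prover_commit():
    """Prover: random r, t = g^r. Keeps r, sends t."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Verifier: random c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Prover: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier: accept iff t == g^s * y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


# --- soundness: two accepting transcripts with the same t reveal x ---------------
def extract(c1, s1, c2, s2):
    """g^s1 y^c1 = g^s2 y^c2 = t  =>  y^(c1-c2) = g^(s2-s1)  =>  x = (s2-s1)/(c1-c2)."""
    if c1 == c2:
        raise ValueError("the two transcripts need different challenges")
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


# --- zero-knowledge: an accepting transcript without knowing x -------------------
def simulate(y, c):
    """Choose s first and solve for t = g^s y^c; distributed like a real transcript."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# --- Fiat-Shamir: c = H(t || m) turns the protocol into a signature ---------------
def challenge_hash(t, m):
    """c = H(t || m) reduced mod q (H modelled as a random oracle)."""
    digest = hashlib.sha256(t.to_bytes(2, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    """SPK{(α): y = g^α}(m): (c, s) with c = H(g^r || m), s = r - c*x mod q."""
    r, t = prover_commit()
    c = challenge_hash(t, m)
    return c, prover_respond(x, r, c)


def verify_signature(y, m, sig):
    """Recompute t = g^s y^c and check c == H(t || m)."""
    c, s = sig
    return c == challenge_hash(pow(G, s, P) * pow(y, c, P) % P, m)
```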
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^{\alpha} \wedge z = \tilde{g}^{\alpha} \wedge \alpha \in [0, \min(ord(g), ord(\tilde{g}))]\}$ (g and $\tilde{g}$ generate groups of different order)
Some Example Proofs and Their Analysis
Let g, h, $C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let g, h, $C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let g, h, $C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2/C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2/C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
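As an added example (not from the slides), the first relation analysed above made concrete in Python: a non-interactive proof $SPK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$, which shows how reusing one response for $\alpha_1$ (and one for $\alpha_2$) across equations is what forces $\alpha_3 = \alpha_1 + \alpha_2$. The group, the generators g = 4, h = 9 and the function names are constructed.

```python
# Added example: non-interactive proof that C3 commits to α1 + α2, i.e.
# SPK{(α1,β1,α2,β2,β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α1 g^α2 h^β3}.
# Toy group: order-q subgroup of Z_p^* with p = 2039 = 2q + 1; log_g h assumed unknown.
import hashlib
import secrets

P, Q = 2039, 1019
G, H = 4, 9


def commit(m, r):
    """Pedersen commitment g^m h^r."""
    return pow(G, m, P) * pow(H, r, P) % P


def challenge(*elements):
    """Fiat-Shamir challenge in [1, q-1] over all group elements of the transcript."""
    data = b"".join(e.to_bytes(2, "big") for e in elements)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def prove_sum(a1, b1, a2, b2, a3, b3):
    """Prover holding openings (a1,b1), (a2,b2), (a3,b3) of C1, C2, C3 runs the
    protocol for the statement. A single response for α1 serves both the C1 and the
    C3 equation (likewise for α2), so the proof verifies only if a3 = a1 + a2 mod q,
    which is exactly what the slide's analysis derives."""
    C1, C2, C3 = commit(a1, b1), commit(a2, b2), commit(a3, b3)
    ra1, rb1, ra2, rb2, rb3 = (secrets.randbelow(Q) for _ in range(5))
    T1 = commit(ra1, rb1)                       # for C1 = g^α1 h^β1
    T2 = commit(ra2, rb2)                       # for C2 = g^α2 h^β2
    T3 = commit((ra1 + ra2) % Q, rb3)           # for C3 = g^α1 g^α2 h^β3
    c = challenge(C1, C2, C3, T1, T2, T3)
    s = tuple((r - c * w) % Q for r, w in
              ((ra1, a1), (rb1, b1), (ra2, a2), (rb2, b2), (rb3, b3)))
    return (C1, C2, C3), (T1, T2, T3, s)


def verify_sum(commitments, proof):
    """Verifier: recompute c and check each equation T_i = g^s h^s C_i^c."""
    C1, C2, C3 = commitments
    T1, T2, T3, (sa1, sb1, sa2, sb2, sb3) = proof
    c = challenge(C1, C2, C3, T1, T2, T3)
    return (T1 == commit(sa1, sb1) * pow(C1, c, P) % P
            and T2 == commit(sa2, sb2) * pow(C2, c, P) % P
            and T3 == commit((sa1 + sa2) % Q, sb3) * pow(C3, c, P) % P)
```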
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs.)
Signature Schemes
Signature Scheme Functionality
– Key Generation: the signer generates a secret signing key sk and a public verification key pk.
– Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = sig((m_1, \ldots, m_k), sk)$.
– Verification: anyone holding pk checks $ver(\sigma, (m_1, \ldots, m_k), pk) = true$.
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack: the adversary adaptively obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice, and must then be unable to output σ and $m \neq m_i$ s.t. $ver(\sigma, m, pk) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir, and Adleman, 1978
Secret Key: two random primes p and q. Public Key: $n = pq$, a prime e, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature s on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature s on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(\mu, \sigma): \sigma^e = H(\mu) \pmod n\}$?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and $a_i, b, d \in QR_n$
Secret key: factors of n
To sign k messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
  $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
– signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe: let $c' = c \cdot b^t \bmod n$ with randomly chosen t.
Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature (c', e, s') on $m_2$ and some $m_1$: provide c' and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs.)
Commitment Schemes
Commitment Scheme Functionality
(Figure: committing to a message m is like sealing it in an envelope; opening the commitment reveals m.)
Commitment Scheme Security
– Binding (figure: a sealed envelope cannot later be opened to a different message m' ≠ m).
– Hiding: for all messages m, m' (figure: the envelopes containing m and m' look the same).
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order q
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen: perfectly hiding, computationally binding – choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal: computationally hiding, perfectly binding – choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding:
– Let c be a commitment and $u = \log_g h$.
– Thus $c = g^x h^r = g^{x + ur} = g^{(x + u\tilde{r}) + u(r - \tilde{r})} = g^{x + u\tilde{r}} h^{r - \tilde{r}}$ for any $\tilde{r}$
– I.e., given c and any x', there exists an r' such that $c = g^{x'} h^{r'}$
Computationally binding:
– Let c, (x, r) and (x', r') s.t. $c = g^x h^r = g^{x'} h^{r'}$
– Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$
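As an added example (not from the slides), both arguments of the Pedersen slide in Python: equivocation with the trapdoor $u = \log_g h$ (why the scheme is perfectly hiding) and extraction of u from two openings of one commitment (why breaking binding means computing a discrete logarithm). The toy group and the trapdoor value u = 123 are constructed; u is known here only to run the demonstration.

```python
# Added example: Pedersen commitment, perfect hiding via the trapdoor u = log_g h,
# and computational binding via trapdoor extraction. Toy group p = 2039, q = 1019.
P, Q, G = 2039, 1019, 4
U = 123                      # trapdoor u = log_g h; a real committer never knows it
H = pow(G, U, P)             # h = g^u


def commit(x, r):
    """c = g^x h^r."""
    return pow(G, x, P) * pow(H, r, P) % P


def open_commitment(c, x, r):
    """Verifier's check when (x, r) is revealed."""
    return c == commit(x, r)


def equivocate(x, r, x_new):
    """c = g^x h^r = g^(x + u r); with u, r' = r - (x_new - x)/u mod q opens c to x_new.
    Such an r' exists for every x_new, so c carries no information about x."""
    return (r - (x_new - x) * pow(U, -1, Q)) % Q


def extract_trapdoor(x1, r1, x2, r2):
    """Two openings (x1,r1) != (x2,r2) of one c give g^(x1-x2) = h^(r2-r1), hence
    log_g h = (x1-x2)/(r2-r1) mod q: a binding break computes the discrete log."""
    if r1 == r2:
        raise ValueError("equal r with different x can never open the same c")
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q
```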
Commitment Scheme Extended Features
(Figure: Proof of Knowledge of Contents – the prover shows she knows the m inside a commitment; Proof of Relations among Contents – the prover shows that the contents m, m' of two commitments satisfy m' = 2·m.)
Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta): C = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^2)^{\beta} h^{\gamma}\}$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order q
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym Nym:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better
(Figure: issuing a credential to Alice with attributes Name = Alice Doe, Birth date = April 3, 1997.)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead → $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(Figure: the user commits to $m_1, \ldots, m_j$; the signer signs the commitment together with the clear messages $m_{j+1}, \ldots, m_k$, and the user ends up with σ such that $ver(\sigma, (m_1, \ldots, m_k), pk) = true$.)
Verification remains unchanged. Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is w.r.t. the message clear parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$
– User: computes $C = a_1^{sk} b^{s'}$ and sends C and her name to the issuer, together with $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
– Issuer: chooses e, s'', computes $c = (d / (C a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
– User: now holds a signature with $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$. Want to sign w.r.t. $Nym = g^{sk} h^r$
– User: $Nym = g^{sk} h^r$, $C = a_1^{sk} a_2^r b^{s'}$; sends C, Nym and her name, together with $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
– Issuer: stores (Nym, name), chooses e, s'', computes $c = (d / (C a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
– User: now holds a signature with $d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} \pmod n$
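As an added example (not the Identity Mixer code), a toy Python CL signature covering both the "Proving Knowledge of a CL-signature" slide (the randomisation $c' = c \cdot b^t$, $s' = s - et$) and the "Realizing Issuance of Credential" slides above (issuance on the commitment $C = a_1^{sk} b^{s'}$, completed by the user with $s' + s''$). The proofs of knowledge exchanged alongside are omitted; the modulus, bases and ℓ = 8 are constructed toy values and the function names are mine.

```python
# Added example: toy CL signature with randomisation and issuance on a hidden sk.
# Constructed parameters: 22-bit modulus, small square bases, message length ℓ = 8.
import secrets

P_, Q_ = 2039, 2027                 # toy factors of n (issuer's secret key)
N = P_ * Q_                         # public modulus n
PHI = (P_ - 1) * (Q_ - 1)
A = (4, 9, 25)                      # a_1, a_2, a_3: squares, hence in QR_n
B, D = 49, 121                      # b, d in QR_n
ELL = 8                             # messages m_i in {0,1}^ℓ, i.e. 0 <= m_i < 2^ℓ


def is_prime(n):
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def random_exponent():
    """Random prime e with 2^(ℓ+1) < e < 2^(ℓ+2) that is coprime to phi(n)."""
    while True:
        e = 2 ** (ELL + 1) + 1 + secrets.randbelow(2 ** (ELL + 1) - 1)
        if is_prime(e) and PHI % e:
            return e


def bases(messages, s):
    """a_1^m_1 ... a_k^m_k b^s mod n (s may be negative: b is invertible)."""
    prod = pow(B, s, N)
    for a, m in zip(A, messages):
        prod = prod * pow(a, m, N) % N
    return prod


def root(value, e):
    """Issuer-only: value^(1/e) mod n via 1/e mod phi(n)."""
    return pow(value, pow(e, -1, PHI), N)


def sign(messages):
    """(c, e, s) with c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n."""
    e, s = random_exponent(), secrets.randbelow(N)
    c = root(D * pow(bases(messages, s), -1, N) % N, e)
    return c, e, s


def verify(messages, sig):
    """d == c^e a_1^m_1 ... a_k^m_k b^s mod n, with the range checks on m_i and e."""
    c, e, s = sig
    return (all(0 <= m < 2 ** ELL for m in messages) and e > 2 ** (ELL + 1)
            and pow(c, e, N) * bases(messages, s) % N == D)


def randomize(sig):
    """(c b^t, e, s - e t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(B, t, N) % N, e, s - e * t


def blind_issue(sk, name):
    """User keeps sk hidden: sends C = a_1^sk b^s' (plus, on the slides, a proof of
    knowledge of sk and s'); issuer returns (c, e, s'') with
    c = (d / (C a_2^name b^s''))^(1/e); the user's signature on (sk, name) is (c, e, s' + s'')."""
    s_user = secrets.randbelow(N)
    C = pow(A[0], sk, N) * pow(B, s_user, N) % N            # user -> issuer
    e, s_iss = random_exponent(), secrets.randbelow(N)
    base = C * pow(A[1], name, N) % N * pow(B, s_iss, N) % N
    c = root(D * pow(base, -1, N) % N, e)                   # issuer -> user: (c, e, s'')
    return c, e, s_user + s_iss
```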
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– The user generates a pseudonym (ID for registration)
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with $d = c^e a_1^{sk} a_2^r a_3^{attr} b^s \pmod n$ under the issuer key $(n, a_1, a_2, b, d)$
– The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms her credential
3. The user sends the transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms her credential:
   – $c' = c \cdot b^{s'} \bmod n$ with randomly chosen s'
   – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
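As an added example (not the slides' code), the polling flow in Python: the domain pseudonym $P = H(pollID)^{sk}$, a signature of knowledge on the opinion that ties P to the key behind the registered Nym, and the pollster's duplicate detection. The hash-to-group construction and the toy group are assumptions; the CL-credential clause of the slide's SPK is omitted.

```python
# Added example: domain pseudonyms for polling with duplicate detection and an
# SPK{(μ, ρ): P = g_d^μ ∧ Nym = g^μ h^ρ}(opinion). Toy group p = 2039 = 2q + 1.
import hashlib
import secrets

P, Q, G, H = 2039, 1019, 4, 9


def hash_to_group(poll_id):
    """g_d = H(pollID): hash into Z_p and square so the result lies in the order-q
    subgroup (assumed construction for the toy group)."""
    h = int.from_bytes(hashlib.sha256(poll_id.encode()).digest(), "big") % P
    if h in (0, 1, P - 1):
        h = 2
    return pow(h, 2, P)


def domain_pseudonym(sk, poll_id):
    """P = g_d^sk: constant for one user within a poll, different across polls."""
    return pow(hash_to_group(poll_id), sk, P)


def pseudonym(sk, r):
    """Registration pseudonym Nym = g^sk h^r."""
    return pow(G, sk, P) * pow(H, r, P) % P


def challenge(*parts):
    """Fiat-Shamir challenge in [1, q-1]; the opinion is part of the hashed data."""
    data = b"".join(p.to_bytes(2, "big") if isinstance(p, int) else p for p in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def spk_sign(sk, r, poll_id, opinion):
    """The shared μ-response ties the domain pseudonym to the key behind Nym, and the
    opinion is bound as the signed message."""
    g_d = hash_to_group(poll_id)
    Pd, Nym = pow(g_d, sk, P), pseudonym(sk, r)
    r_mu, r_rho = secrets.randbelow(Q), secrets.randbelow(Q)
    T1, T2 = pow(g_d, r_mu, P), pow(G, r_mu, P) * pow(H, r_rho, P) % P
    c = challenge(Pd, Nym, T1, T2, opinion)
    return Pd, Nym, (T1, T2, (r_mu - c * sk) % Q, (r_rho - c * r) % Q)


def spk_verify(poll_id, Pd, Nym, opinion, proof):
    T1, T2, s_mu, s_rho = proof
    g_d = hash_to_group(poll_id)
    c = challenge(Pd, Nym, T1, T2, opinion)
    return (T1 == pow(g_d, s_mu, P) * pow(Pd, c, P) % P
            and T2 == pow(G, s_mu, P) * pow(H, s_rho, P) * pow(Nym, c, P) % P)


class Pollster:
    """Accepts one opinion per domain pseudonym; later submissions are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}                      # domain pseudonym -> opinion

    def submit(self, Pd, Nym, opinion, proof):
        if not spk_verify(self.poll_id, Pd, Nym, opinion, proof) or Pd in self.opinions:
            return False
        self.opinions[Pd] = opinion
        return True
```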
Further Concepts
Concept – Inspection
(Figure: a trusted third party (TTP) publishes inspector parameters; a presentation token can be inspected under stated inspection grounds.)
• If a car is damaged, the ID needs to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
– Key Generation
– Encryption
– Decryption
Security: like envelopes – no information about the message is leaked.
(Figure: an adversary who sees the encryption of one of two messages cannot tell which one it is.) This is called semantic security (secure if a key is used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgaard works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order q
Secret Key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– We know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– Thus set $m = c_1 \cdot c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$
Realizing Inspection
User: $Nym = g^{sk} h^r$ and credential $d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} \pmod n$; inspector's public key $y = g^x$
Encrypt Nym: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$
Compute the proof token (presentation token):
– compute $c' = c \cdot b^t \bmod n$ with randomly chosen t
– compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of Credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation information; the verifier looks it up.)
Various reasons to revoke a credential: the user lost the credential's secret key, misbehavior of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
– Choose random g
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
– Choose random h and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– The verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
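As an added example (not the slides' code), the verifier's side of the Second Solution in Python, together with the caveat discussed on the variation slide: when the verifier keeps h fixed, U = h^{u_i} becomes a constant per user and links visits, while a publicly recomputable $h = H(\text{verifier}, \text{date})$ lets the user check that h is fresh. The toy group and the hash-to-subgroup construction are assumptions; the proof that u is the ID inside the credential is omitted.

```python
# Added example: revocation-list check U = h^u with a verifier-derived, checkable h.
# Toy group: order-q subgroup of Z_p^*, p = 2039 = 2q + 1.
import hashlib

P, Q = 2039, 1019


def hash_to_group(*parts):
    """h = H(verifier, date): hash into Z_p and square so h lies in the order-q
    subgroup (assumed construction). Anyone can recompute it from (verifier, date)."""
    data = b"|".join(p.encode() for p in parts)
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    if h in (0, 1, P - 1):
        h = 2
    return pow(h, 2, P)


def user_accepts_h(h, verifier, date):
    """User side: refuse an h the verifier did not derive from (verifier, date)."""
    return h == hash_to_group(verifier, date)


def present(u, h):
    """User: U = h^u for the credential ID u (proof of knowledge omitted here)."""
    return pow(h, u, P)


def verifier_accepts(h, U, revoked):
    """Verifier: linear scan, reject iff U equals h^u_j for some revoked u_j."""
    return all(U != pow(h, uj, P) for uj in revoked)


def linkable(h1, U1, h2, U2):
    """Two presentations are trivially linkable when the same h was reused and
    the same U shows up again; a per-date h breaks this."""
    return h1 == h2 and U1 == U2
```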
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation48 August 11 2015
So let's look at the cryptography

Required Technologies
– Encryption schemes
– Signature schemes
– Commitment schemes
– Zero-knowledge proofs
The challenge is to do all this efficiently.

Zero-knowledge proofs
Zero-Knowledge Proofs
An interactive proof between a prover and a verifier about the prover's knowledge.
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret, she can always convince the verifier
Three-move structure: Commitment, Challenge, Response.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>.
Prover wants to convince verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.

Prover (knows x with y = g^x)          Verifier
random r, t = g^r        ---- t --->
                         <--- c ----   random c
s = r - c·x              ---- s --->   check t = g^s · y^c

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Proof of Knowledge
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code.
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. We need to show how the secret can be extracted via the protocol interface.
Run the prover twice with the same commitment t and two different challenges c ≠ c', obtaining responses s and s':
t = g^s · y^c = g^s' · y^c'   →   y^(c - c') = g^(s' - s)
→ y = g^((s' - s)/(c - c'))
→ x = (s' - s)/(c - c') mod q
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees".
Simulator: choose random c', s'; compute t = g^s' · y^c' and send t. If the verifier's challenge c equals c', send s = s'; otherwise restart.
Problem: if the domain of c is too large, the success probability becomes too small.
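The three moves, the extractor of the thought experiment and the simulator, as an added Python example (not code from the slides or from Identity Mixer). It assumes toy parameters constructed for readability: P = 10^9 + 7 is a safe prime, Q = (P - 1)/2, and G = 25 is a square and therefore generates the order-Q subgroup; real deployments use 2048-bit groups or elliptic curves.

```python
import secrets

# Toy group parameters, constructed for this example (not from the slides):
# P is a safe prime, Q = (P-1)/2 is prime, and G = 5^2 mod P is a square,
# hence a generator of the order-Q subgroup. Real deployments use 2048-bit+.
P = 1000000007
Q = (P - 1) // 2
G = 25


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- the three moves of the protocol on the slide -------------------------
def prover_commit():
    """Move 1: random r, commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2: random non-zero challenge c."""
    return secrets.randbelow(Q - 1) + 1


def prover_respond(x, r, c):
    """Move 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff t = g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(x, y):
    """One honest run; returns the verifier's decision."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- soundness: the extractor of the thought experiment -------------------
def extract(c1, s1, c2, s2):
    """Two accepting transcripts (t, c1, s1), (t, c2, s2) with the same t
    and c1 != c2 give x = (s2 - s1) / (c1 - c2) mod q."""
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q


# --- zero-knowledge: the simulator ---------------------------------------
def simulate(y, c):
    """Produce an accepting transcript for challenge c without knowing x:
    pick s first, then t = g^s * y^c.  In the interactive setting the
    simulator must guess c before seeing it (or rewind the verifier), which
    is why a large challenge domain needs the hashed-challenge variant."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return t, c, s
```

Rewinding the same prover to the same t with a second challenge is exactly what `extract` consumes; a prover that does not know x cannot answer two challenges for one t, which is the soundness argument of the slide.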
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (large challenge domain)
One way to modify the protocol to get a large domain for c: the verifier commits to its challenge first.

Prover (knows x with y = g^x)            Verifier
                         <--- h ----     random c, v; h = H(c, v)
random r, t = g^r        ---- t --->
                         <-- c, v --
check h = H(c, v),
s = r - c·x              ---- s --->     check t = g^s · y^c

Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs: Security (simulating the modified protocol)
After receiving h: choose random c', s', compute t = g^s' · y^c' and send t; the verifier opens c, v.
Now "reboot" the verifier to the point right after it sent h: choose random s', compute t = g^s' · y^c with the c just learned, send t; the verifier opens the same c, v, and the simulator answers with s'.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (recap)
Given group <g> and element y ∈ <g>; the prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.
Prover: random r, t = g^r; Verifier: random c; Prover: s = r - c·x; Verifier checks t = g^s · y^c.
Notation: PK{(α): y = g^α}
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s · y^c || m)   ↔   t = g^s · y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
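The Fiat-Shamir transform of the protocol above, as an added Python example (not code from the slides). Same constructed toy group (P = 10^9 + 7, Q = (P - 1)/2, G = 25); the challenge is SHA-256 of t and the message reduced into Z_q. The last function applies the extractor of the previous slides to a signer that reused r, the failure mode a practitioner most needs to remember about this construction.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example (same parameters as the
# interactive proof above; not from the slides).  Real deployments use
# 2048-bit+ groups or elliptic curves.
P = 1000000007
Q = (P - 1) // 2
G = 25


def H(t, m):
    """Challenge c = H(t || m), reduced into Z_q ('|' separates the fields)."""
    data = str(t).encode() + b"|" + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m, r=None):
    """SPK{(alpha): y = g^alpha}(m): the challenge is the hash of the prover's
    own commitment and the message, so no verifier is needed.
    `r` may be supplied only to demonstrate the nonce-reuse failure below."""
    if r is None:
        r = secrets.randbelow(Q)
    t = pow(G, r, P)                 # commitment t = g^r
    c = H(t, m)                      # challenge from the "random oracle"
    s = (r - c * x) % Q              # response s = r - c*x mod q
    return c, s


def verify(y, m, sig):
    """Recompute t = g^s * y^c and check that it hashes back to c."""
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P
    return c == H(t, m)


def key_from_nonce_reuse(sig1, sig2):
    """The extractor of the interactive protocol applied to a signer that
    reused r for two messages: same t, different c, so x = (s2-s1)/(c1-c2)."""
    (c1, s1), (c2, s2) = sig1, sig2
    return ((s2 - s1) * pow(c1 - c2, -1, Q)) % Q
```

Because `verify` only recomputes t from (c, s) and re-hashes, the signature carries no t; this is why the Identity Mixer presentation tokens later in the deck are written as SPK{...}(message).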
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = g^α1 g^α2 h^β3 = g^(α1 + α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^(5·α2) h^β3 = g^(α1 + 5·α2) h^β3
→ α3 = α1 + 5·α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = C2^α1 h^β3 = (g^α2 h^β2)^α1 h^β3 = g^(α2·α1) h^(β3 + β2·α1)
C3 = g^(α2·α1) h^(β3 + β2·α1) = g^α3 h^β3 (for a suitable β3)
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2 be group elements.
Now what does PK{(α1, β1, β2): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2} mean?
→ Prover knows values α1, β1, β2 such that
C1 = g^α1 h^β1
g = (C2/C1)^α1 h^β2 = (C2 · g^(-α1) h^(-β1))^α1 · h^β2
→ g^(1/α1) = C2 · g^(-α1) h^(-β1) · h^(β2/α1)
C2 = g^α1 h^β1 h^(-β2/α1) g^(1/α1) = g^(α1 + 1/α1) h^(β1 - β2/α1)
C2 = g^α2 h^β2 (for a suitable β2)
→ α2 = α1 + α1^(-1) (mod q)
Privacy-protecting authentication with Privacy ABCs
Building blocks on Alice's side: signature scheme, commitment scheme, zero-knowledge proofs.

Signature schemes
Signature Scheme: Functionality
– Key generation: the signer generates a signing key and a verification key
– Signing: σ = sig((m1, ..., mk), signing key)
– Verification: ver(σ, (m1, ..., mk), verification key) = true
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary obtains signatures σ1, ..., σl on messages m1, ..., ml of its choice, and must not be able to output σ and m ≠ mi s.t. ver(σ, m, verification key) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^(d·e) = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g.
PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
– choose random prime e with 2^(ℓ+2) > e > 2^(ℓ+1) and integer s ≈ n, compute c
c = (d / (a1^m1 · ... · ak^mk · b^s))^(1/e) mod n
– signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ, e > 2^(ℓ+1)
– d = c^e · a1^m1 · ... · ak^mk · b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e · a1^m1 · a2^m2 · b^s mod n
Observe:
Let c' = c · b^t mod n with randomly chosen t.
Then d = c'^e · a1^m1 · a2^m2 · b^(s - e·t) (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2.
To prove knowledge of a signature (c', e, s') on m2 and some m1: provide c' and run
PK{(ε, μ1, σ): d / a2^m2 = c'^ε · a1^μ1 · b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
→ proves d = c'^ε · a1^μ1 · a2^m2 · b^σ
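Signing, verifying and re-randomising a CL signature on two messages, as an added Python example (not code from the slides or from Identity Mixer). It assumes a toy modulus constructed from two known 30-bit primes, ℓ = 15 and the prime e = 2^17 - 1, so that 2^(ℓ+1) < e < 2^(ℓ+2); real CL signatures use a ~2048-bit special RSA modulus. Only the (c', e, s') re-randomisation of the slide is shown, not the proof of knowledge that follows it.

```python
import secrets

# Toy RSA parameters, constructed for this example (not from the slides).
# Real CL signatures use a ~2048-bit special RSA modulus; here two known
# ~30-bit primes keep the arithmetic readable.
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)           # secret key: the factorisation of n

ELL = 15                            # message length ℓ: m_i in {0,1}^ℓ
E = 131071                          # prime 2^17 - 1, so 2^(ℓ+1) < e < 2^(ℓ+2)


def qr(seed):
    """A quadratic residue mod n: the public bases a_i, b, d live in QR_n."""
    return pow(seed, 2, N)


A = [qr(123456789), qr(987654321)]  # a_1, a_2 for k = 2 messages
B = qr(192837465)
D = qr(564738291)


def sign(msgs, e=E):
    """c = (d / (a_1^m1 * a_2^m2 * b^s))^(1/e) mod n; signature (c, e, s)."""
    assert len(msgs) == len(A) and all(0 <= m < 2 ** ELL for m in msgs)
    s = secrets.randbelow(N)                       # random s ≈ n
    prod = pow(B, s, N)
    for a_i, m_i in zip(A, msgs):
        prod = prod * pow(a_i, m_i, N) % N
    base = D * pow(prod, -1, N) % N
    e_inv = pow(e, -1, PHI)                        # e-th root needs the factorisation
    return pow(base, e_inv, N), e, s


def verify(msgs, sig):
    """Check m_i in {0,1}^ℓ, 2^(ℓ+1) < e < 2^(ℓ+2), and
    d = c^e * a_1^m1 * a_2^m2 * b^s mod n.  (Primality of e is not re-checked here.)"""
    c, e, s = sig
    if len(msgs) != len(A) or not all(0 <= m < 2 ** ELL for m in msgs):
        return False
    if not (2 ** (ELL + 1) < e < 2 ** (ELL + 2)):
        return False
    lhs = pow(c, e, N) * pow(B, s, N) % N          # negative s' handled via modular inverse
    for a_i, m_i in zip(A, msgs):
        lhs = lhs * pow(a_i, m_i, N) % N
    return lhs == D


def randomize(sig):
    """Re-randomisation used before every proof of knowledge:
    c' = c * b^t, s' = s - e*t, so (c', e, s') is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N - 1) + 1
    return c * pow(B, t, N) % N, e, s - e * t
```

The verifier never sees the original (c, e, s) in Identity Mixer: the user shows c' and proves knowledge of e and s' in zero knowledge, which is what keeps two presentations of the same credential unlinkable.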
Privacy-protecting authentication with Privacy ABCs
Building blocks on Alice's side: signature scheme, commitment scheme, zero-knowledge proofs.

Commitment scheme
Commitment Scheme: Functionality
– Commit: the sender seals a message m (e.g. "2-36-17") into a commitment and hands it over; the receiver learns nothing about m yet
– Open: the sender later reveals m and the receiver checks that it matches the commitment

Commitment Scheme: Security
– Binding: a commitment to m cannot be opened to a different message m' ≠ m (e.g. "3-21-11")
– Hiding: for all messages m, m', commitments to m and to m' are indistinguishable
Commitment Schemes
Group G = <g> = <h> of order q
To commit to element x ∈ Z_q:
• Pedersen: perfectly hiding, computationally binding; choose r ∈ Z_q and compute c = g^x h^r
• ElGamal: computationally hiding, perfectly binding; choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^(x + u·r) = g^((x + u·r') + u·(r - r')) = g^(x + u·r') h^(r - r') for any r'
I.e., given c and any x' there exists r'' such that c = g^x' h^r''.
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'.
Then g^(x - x') = h^(r' - r) and u = log_g h = (x - x')/(r' - r) mod q.
Commitment Scheme: Extended Features
– Proof of knowledge of contents: prove knowledge of the m inside a commitment → verifier outputs true
– Proof of relations among contents: e.g. prove m' = 2·m for two commitments → verifier outputs true
Let C = g^m h^r and C' = g^m' h^r'. Then
PK{(α, β): C = g^β h^α}
PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
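Pedersen commitments with the two proofs just listed, and the binding argument from the "Some Example Proofs" slides (a collision yields log_g h), as an added Python example that is not code from the slides. Same constructed toy group as before (P = 10^9 + 7, Q = (P - 1)/2, G = 25); the second base h is derived by hashing so that nobody knows log_g h. The relation proof is made non-interactive with the Fiat-Shamir transform, using the s = r - c·x response convention of the deck.

```python
import hashlib
import secrets

# Toy group, constructed for this example (not from the slides): P is a safe
# prime, Q = (P-1)/2, and every square mod P generates the order-Q subgroup.
P = 1000000007
Q = (P - 1) // 2
G = 25                                            # 5^2, a generator of the subgroup


def hash_to_group(label):
    """Second generator h with unknown log_g h (trapdoor-free, via hashing)."""
    v = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P
    return pow(v, 2, P)


H_GEN = hash_to_group("pedersen-h")


def commit(m, r=None, h=H_GEN):
    """Pedersen commitment C = g^m h^r; returns (C, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(h, r, P)) % P, r


def open_check(C, m, r, h=H_GEN):
    return C == (pow(G, m, P) * pow(h, r, P)) % P


def fs_challenge(*elements):
    data = b"|".join(str(e).encode() for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_double(C, m, r, C2, r2):
    """SPK{(alpha, beta, gamma): C = g^beta h^alpha  AND  C' = (g^2)^beta h^gamma}:
    the same exponent beta = m appears in both, so C' commits to 2*m."""
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    T1 = (pow(G, rb, P) * pow(H_GEN, ra, P)) % P          # g^rb h^ra
    T2 = (pow(G, 2 * rb, P) * pow(H_GEN, rg, P)) % P      # (g^2)^rb h^rg
    c = fs_challenge(C, C2, T1, T2)
    zb = (rb - c * m) % Q                                 # z = r - c*x, as on the slide
    za = (ra - c * r) % Q
    zg = (rg - c * r2) % Q
    return c, zb, za, zg


def verify_double(C, C2, proof):
    c, zb, za, zg = proof
    T1 = (pow(G, zb, P) * pow(H_GEN, za, P) * pow(C, c, P)) % P
    T2 = (pow(G, 2 * zb, P) * pow(H_GEN, zg, P) * pow(C2, c, P)) % P
    return c == fs_challenge(C, C2, T1, T2)


def log_from_collision(m1, r1, m2, r2):
    """Binding argument from the slide: two openings (m1,r1) != (m2,r2) of one
    commitment give u = log_g h = (m1 - m2)/(r2 - r1) mod q."""
    return ((m1 - m2) * pow(r2 - r1, -1, Q)) % Q
```

The last function is the reduction behind "computationally binding": anyone who can open a commitment two ways has computed the discrete logarithm of h, which is why h must not be chosen by the committer.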
Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– choose random r ∈ Z_q
– compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs – Concept: credentials
Like PKI, but better. Issuing a credential: the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ
– e > 2^(ℓ+1)
– d = c^e · a1^m1 · ... · ak^mk · b^s mod n
Problem: pseudonym not in message space
Solution: sign secret key instead
→ d = c^e · a1^sk · a2^m2 · ... · ak^mk · b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives commitments to m1, ..., mj together with the clear messages mj+1, ..., mk and outputs σ = sig((commitments to m1, ..., mj, mj+1, ..., mk), signing key).
Verification remains unchanged: ver(σ, (m1, ..., mk), verification key) = true
Security requirements basically the same as for signatures, but
• the signer should not learn any information about m1, ..., mj
• forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
1. User computes C = a1^sk · b^s' and sends C together with her name.
2. User proves PK{(μ1, σ'): C = a1^μ1 · b^σ'} (knowledge of the committed secret key).
3. Issuer chooses e, s'' and computes c = (d / (C · a2^name · b^s''))^(1/e) mod n; sends (c, e, s'').
4. Resulting signature: d = c^e · a1^sk · a2^name · b^(s'' + s') (mod n)
Realizing Issuance of Credential (w.r.t. a pseudonym)
Issuer public key: n, a_i, b, d. Want to sign w.r.t. Nym = g^sk h^r.
1. User sends Nym and name; computes C = a1^sk · a2^r · b^s' and sends C.
2. User proves PK{(μ1, ρ, σ'): Nym = g^μ1 h^ρ ∧ C = a1^μ1 · a2^ρ · b^σ'} (the same sk and r sit in Nym and in C).
3. Issuer stores (Nym, name), chooses e, s'' and computes c = (d / (C · a3^name · b^s''))^(1/e) mod n; sends (c, e, s'').
4. Resulting signature: d = c^e · a1^sk · a2^r · a3^name · b^(s'' + s') (mod n)
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates a pseudonym (ID for registration).
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e · a1^sk · a2^r · a3^attr · b^s (mod n)
The credential can contain attributes (e.g. course ID) about her.
Issuer public key: (n, a1, a2, a3, b, d)
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
– c' = c · b^s' mod n with randomly chosen s'
– SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε · a1^μ1 · a2^μ2 · a3^μ3 · b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)
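Domain pseudonyms and the pollster's duplicate check, as an added Python example (not code from the slides or from Identity Mixer). Same constructed toy group (P = 10^9 + 7, Q = (P - 1)/2); H(pollID) is SHA-256 squared mod P so that g_d lies in the order-Q subgroup. The SPK over the CL credential that accompanies the pseudonym is omitted; the example only shows why one secret key gives one pseudonym per poll and unrelated pseudonyms across polls.

```python
import hashlib

# Toy group, constructed for this example (not from the slides): P safe prime,
# Q = (P-1)/2, squares mod P form the order-Q subgroup.
P = 1000000007
Q = (P - 1) // 2


def hash_to_group(domain):
    """g_d = H(pollID): hash, then square, so the result lies in the order-Q subgroup."""
    v = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % P
    return pow(v, 2, P)


def domain_pseudonym(sk, poll_id):
    """P = g_d^sk = H(pollID)^sk: fixed per (user, poll), DDH-unlinkable across polls."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Collects opinions for one poll and drops a second submission under the
    same domain pseudonym.  The credential proof (SPK over the CL signature)
    that must accompany each submission is omitted here."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = set()
        self.opinions = []

    def submit(self, nym, opinion):
        if nym in self.seen:
            return False                 # duplicate: subsequent attempts are dropped
        self.seen.add(nym)
        self.opinions.append(opinion)
        return True
```

The pollster stores only pseudonyms of the form H(pollID)^sk; without sk it cannot connect them to the registration pseudonym g^sk h^r or to the pseudonyms of another poll, which is the unlinkability requirement of the scenario.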
Further Concepts

Concept – Inspection
A trusted third party (TTP, the inspector) publishes inspector parameters; a presentation token can verifiably encrypt an attribute under them, together with the inspection grounds.
• If the car is damaged, the ID with insurance or government needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes – no info about the message, not even which of two messages was encrypted.
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g., it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithm):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}. Public key: y = g^x
To encrypt message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r · m, g^r)
To decrypt ciphertext c = (c1, c2):
– we know c = (y^r · m, g^r) = (g^(x·r) · m, g^r)
– thus set m = c1 · c2^(-x) = y^r · m · g^(-x·r) = y^(r - r) · m = m
Realizing Inspection
Alice holds Nym = g^sk h^r and the credential d = c^e · a1^sk · a2^r · a3^name · b^(s'' + s') (mod n); the issuer stores (Nym, name); the inspector's public key is y = g^x.
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u · Nym, g^u) = (e1, e2).
Compute proof token (presentation token):
– compute c' = c · b^t mod n with randomly chosen t
– compute proof
PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε · a1^μ1 · a2^μ2 · a3^μ3 · b^σ ∧ e1 = y^ρ · g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
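ElGamal encryption of a pseudonym for inspection, as an added Python example (not code from the slides or from Identity Mixer). Same constructed toy group (P = 10^9 + 7, Q = (P - 1)/2, G = 25, h derived by hashing); the issuer's (Nym, name) registry is a plain dict. The proof that ties e1, e2 to the credential is omitted; the example shows the encryption and decryption steps and that two encryptions of one Nym look unrelated.

```python
import hashlib
import secrets

# Toy group, constructed for this example (not from the slides): P safe prime,
# Q = (P-1)/2, G = 25 generates the order-Q subgroup of squares.
P = 1000000007
Q = (P - 1) // 2
G = 25


def hash_to_group(label):
    v = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P
    return pow(v, 2, P)


H_GEN = hash_to_group("pseudonym-h")   # second base for Nym = g^sk h^r


def pseudonym(sk, r):
    """Nym = g^sk h^r; a product of squares, hence an element of <g> as ElGamal requires."""
    return (pow(G, sk, P) * pow(H_GEN, r, P)) % P


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)              # (x, y = g^x)


def encrypt(y, m):
    """ElGamal: u random, enc = (y^u * m, g^u) = (e1, e2)."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * m) % P, pow(G, u, P)


def decrypt(x, enc):
    """m = e1 * e2^(-x); e2 has order Q, so e2^(-x) = e2^(Q - x)."""
    e1, e2 = enc
    return (e1 * pow(e2, Q - x, P)) % P


def inspect(x, enc, registry):
    """Inspector decrypts the pseudonym; the issuer's registry maps it to a name."""
    return registry.get(decrypt(x, enc))
```

A wrong inspector key decrypts to a random group element that matches no registry entry, and because u is fresh per token the verifier cannot tell from (e1, e2) alone whether two tokens carry the same Nym, which is the semantic-security point of the envelope slides.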
Revocation of credentials

Anonymous Credential Revocation
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehaviour of the user.
The issuer publishes revocation info and the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e · a1^sk · a2^u_i · b^(s'' + s') (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
– choose random g
– compute U_j = g^u_j for each u_j in (u1, ..., uk)
– prove PK{(ε, μ, ρ, σ): (d = c'^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c'^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e · a1^sk · a2^u_i · b^(s'' + s') (mod n)
Publish the list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
– choose random h and compute U = h^u_i
– prove PK{(ε, μ, ρ, σ): d = c'^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ U = h^μ}
– the verifier checks that U ≠ h^u_j for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution (variation)
Variation: the verifier could choose h and keep it fixed for a while
– it can pre-compute the list U_i = h^u_i → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could decide not to change h at all, or use the same h as other verifiers
– one way out: h = H(verifier, date), so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution (... better implementation of the proof)
The issuer signs the intervals between revoked values: revocation list {1, 4, 5} → Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
Alice's credential contains u (here u = 3); she proves that she knows a signed interval (i, j) with i < u < j, i.e. Sig(i, j), without revealing it.
The verifier does not learn i, j.
Sig(i, j) can be realised also with the credential signature scheme using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
– credentials contain a random serial number (in the picture: 1, 2, 3, 4, 5, 6)
– the issuer accumulates all good serial numbers
– Alice's credential contains serial number 2; she proves that 2 is included in the accumulator, and the proof requires a witness
– to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^(Π e_i) mod n
– publish z and n
– witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e1 · ... · e_(j-1) · e_(j+1) · ... · e_k) mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show (x, e) s.t. z = x^e mod n for an e that is not contained in the accumulator
– for fixed e: equivalent to the RSA assumption
– for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets a witness x with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to x
• choose random s and g, and
• compute U1 = x · h^s, U2 = g^s and reveal U1, U2, g
– run the proof protocol with the verifier:
PK{(ε, μ, ρ, σ, ξ, δ): d = c'^ε · a1^ρ · a2^μ · b^σ (mod n) ∧ z = U1^μ · (1/h)^ξ (mod n) ∧ 1 = U2^μ · (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– no information about x and e is revealed
• (U1, U2) is a secure commitment to x
• the proof protocol is zero-knowledge
– the proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
a) 1 = U2^μ · (1/g)^ξ = (g^δ)^μ · (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
b) z = U1^μ · (1/h)^ξ = U1^μ · (1/h)^(δ·μ) = (U1 / h^δ)^μ (mod n)
c) d = c'^ε · a1^ρ · a2^μ · b^σ (mod n)
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
– recall z = v^(Π e_i) mod n
– thus z' = z^e_new mod n
– but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^e_new mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
– now z' = v^(Π_(i ≠ rev) e_i) = z^(1/e_rev) mod n
– witness:
• use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
• now x' = x^b · z'^a mod n
• why: x'^e_own = ((x^b · z'^a)^e_own)^(e_rev · 1/e_rev) mod n
= ((x^b · z'^a)^(e_own · e_rev))^(1/e_rev) mod n = ((x^e_own)^(b·e_rev) · (z'^e_rev)^(a·e_own))^(1/e_rev) mod n = (z^(b·e_rev) · z^(a·e_own))^(1/e_rev) mod n
= z^(1/e_rev) mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– recall z = v^(Π e_i) mod n
– actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and hand out x = z^(1/e_new) mod n
– thus z needs not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
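The RSA accumulator of the Third Solution with both dynamic operations (join and revoke) and the improved join that leaves z unchanged, as an added Python example that is not code from the slides or from Identity Mixer. It assumes a toy modulus constructed from two known 30-bit primes and uses well-known primes (65537, 131071, 524287, 1000003) in place of the certificate values e_i; real accumulators use a ~2048-bit modulus. The witness update after a revocation is computed exactly as on the slide, with a·e_own + b·e_rev = 1 from the extended Euclidean algorithm.

```python
# Toy RSA accumulator, constructed for this example (not from the slides).
# Two known ~30-bit primes keep the arithmetic readable; real accumulators use
# a ~2048-bit modulus.  The issuer keeps the factorisation (PHI) secret.
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
V = pow(123456789, 2, N)            # seed v (a quadratic residue)


def accumulate(primes):
    """z = v^(prod e_i) mod n, computed one exponentiation at a time."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x = v^(prod of all e_i except e_j) mod n, so that x^e_j = z."""
    return accumulate([e for e in primes if e != e_j])


def verify(z, x, e):
    """Membership check run by the verifier: z == x^e mod n."""
    return pow(x, e, N) == z


# --- dynamic accumulator ----------------------------------------------------
def add(z, x_own, e_new):
    """New member e_new: z' = z^e_new; every existing witness becomes x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def revoke_issuer(z, e_rev):
    """Issuer side: z' = z^(1/e_rev) mod n, possible only with PHI."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness_after_revocation(x_own, e_own, z_new, e_rev):
    """User side, no secret needed: a*e_own + b*e_rev = 1 via extended Euclid,
    then x' = x^b * z'^a, so x'^e_own = z^b * z'^(a*e_own) = z'^(b*e_rev + a*e_own) = z'."""
    a = pow(e_own, -1, e_rev)                  # a*e_own = 1 (mod e_rev)
    b = (1 - a * e_own) // e_rev               # exact division; b is usually negative
    assert a * e_own + b * e_rev == 1
    return pow(x_own, b, N) * pow(z_new, a, N) % N   # negative b: modular inverse


def witness_knowing_factorization(z, e_new):
    """Improved variant: with PHI the issuer hands out x = z^(1/e_new) and
    z itself never changes when a member joins."""
    return pow(z, pow(e_new, -1, PHI), N)
```

Note what each party needs: `revoke_issuer` and `witness_knowing_factorization` require the factorisation, while `update_witness_after_revocation` runs on the user's side from public data only, which is what lets revocation updates be pushed out without interaction.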
Revocation: Zeroth Solution
Update of credentials: encode validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a1^m1 · a2^m2 · b^s'; the issuer chooses e, s'' and computes
c = (d / (U · a3^m3 · a4^time · b^s''))^(1/e) mod n
and returns (c, e, s'').
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i: choose e_i, s_i'' and compute
c_i = (d / (U · a3^m3 · a4^time_i · b^s_i''))^(1/e_i) mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS. Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
Required Technologies
copy 2014 IBM Corporation50 August 11 2015
zero-knowledge proofs
copy 2014 IBM Corporation51 August 11 2015
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties
zero-knowledgeverifier learns nothing about the provers secret
proof of knowledge (soundness)prover can convince verifier only if she knows the secret
completenessif prover knows the secret she can always convince the verifier
Commitment
Challenge
Response
copy 2014 IBM Corporation52 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs
Proof of knowledge if a prover can successfully convince a verifier then the secret need to be extractable
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box rarr we can reset and rerun prover Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
Zero-knowledge property
If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2014 IBM Corporation55 August 11 2015
One way to modify protocol to get large domain c
t = gs yc
Prover
random r
t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero-Knowledge Proofs: Security
Simulating the modified protocol (large domain for c):
- receive h from the verifier
- choose random c', s', compute t = g^{s'} · y^{c'} and send t
- after having received c_v, "reboot" the verifier to the point right after it sent h (it is committed to c_v)
- choose random s', compute t = g^{s'} · y^{c_v} and send t
- receive c_v again and send s'
From Protocols To Signatures
Signing a message m:
- choose random r ∈ Z_q
- compute c = H(g^r || m) = H(t || m) and s = r - c·x (mod q)
- output (c, s)
Verifying a signature (c, s) on a message m:
- check c = H(g^s · y^c || m)   ↔   t = g^s · y^c
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
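The Fiat-Shamir signature SPK{(α): y = g^α}(m) just described, as an added Python example (not the slides' code). It assumes SHA-256 as the random oracle H and builds a 64-bit safe-prime group at run time with Miller-Rabin; the group is constructed for the example and far too small for real use.

```python
import hashlib
import random

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits, rng):
    """Constructed group: p = 2q+1 with p, q prime; g = 4 = 2^2 is a quadratic
    residue and therefore generates the order-q subgroup of Z_p^*."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def hash_challenge(t, m, q):
    """The 'random oracle' H(t || m): SHA-256 reduced into Z_q."""
    data = t.to_bytes(16, "big") + b"|" + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(group, rng):
    """Signing key x, verification key y = g^x."""
    p, q, g = group
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def sign(group, x, m, rng):
    """SPK{(α): y = g^α}(m): run the prover, but take the challenge from
    H(t || m) instead of from a verifier."""
    p, q, g = group
    r = rng.randrange(q)
    t = pow(g, r, p)
    c = hash_challenge(t, m, q)
    s = (r - c * x) % q
    return c, s


def verify(group, y, m, signature):
    """Recompute t = g^s * y^c from (c, s) and check that it hashes to c."""
    p, q, g = group
    c, s = signature
    t = pow(g, s, p) * pow(y, c, p) % p
    return c == hash_challenge(t, m, q)


def demo(seed=11):
    rng = random.Random(seed)
    group = safe_prime_group(64, rng)
    x, y = keygen(group, rng)
    _, y_other = keygen(group, rng)
    m = b"course evaluation: 5/5"          # constructed sample message
    sig = sign(group, x, m, rng)
    c, s = sig
    return {
        "valid": verify(group, y, m, sig),
        "wrong_message": verify(group, y, b"course evaluation: 1/5", sig),
        "wrong_key": verify(group, y_other, m, sig),
        "malleated": verify(group, y, m, (c, (s + 1) % group[1])),
    }
```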
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  SPK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g̃^α ∧ α ∈ [0, min(ord(g), ord(g̃))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does
  PK{(α1, β1, α2, β2, α3, β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} g^{α2} h^{β3}}
mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2}, and
  C3 = g^{α1} g^{α2} h^{β3} = g^{α1+α2} h^{β3} = g^{α3} h^{β3}
→ α3 = α1 + α2 (mod q)
And what about
  PK{(α1, ..., β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = g^{α1} (g^5)^{α2} h^{β3}}?
→ C3 = g^{α1} g^{5α2} h^{β3} = g^{α1 + 5α2} h^{β3}
→ α3 = α1 + 5α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does
  PK{(α1, ..., β3): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C3 = g^{α3} h^{β3} ∧ C3 = C2^{α1} h^{β3}}
mean?
→ The prover knows values α1, β1, α2, β2, β3 such that
  C1 = g^{α1} h^{β1}, C2 = g^{α2} h^{β2}, and
  C3 = C2^{α1} h^{β3}  = (g^{α2} h^{β2})^{α1} h^{β3} = g^{α2·α1} h^{β3 + β2·α1}
  C3 = g^{α2·α1} h^{β3 + β2·α1} = g^{α3} h^{β3}
→ α3 = α1 · α2 (mod q)
And what about
  PK{(α1, β1, β2): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ C2 = C1^{α1} h^{β2}}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does
  PK{(α1, ..., β2): C1 = g^{α1} h^{β1} ∧ C2 = g^{α2} h^{β2} ∧ g = (C2/C1)^{α1} h^{β2}}
mean?
→ The prover knows values α1, β1, β2 such that
  C1 = g^{α1} h^{β1}
  g = (C2/C1)^{α1} h^{β2} = (C2 · g^{-α1} h^{-β1})^{α1} h^{β2}
→ g^{1/α1} = C2 · g^{-α1} h^{-β1} h^{β2/α1}
  C2 = g^{α1} h^{β1} h^{-β2/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 - β2/α1}
  C2 = g^{α2} h^{β2}
→ α2 = α1 + α1^{-1} (mod q)
Privacy-protecting authentication with Privacy-ABCs
Building blocks of Alice's credential (figure): signature scheme, commitment scheme, zero-knowledge proofs.

Signature schemes
Signature Scheme: Functionality
- Key generation: the signer creates a secret signing key and the corresponding public verification key.
- Signing: on a message block (m1, ..., mk), the signer computes σ = sig((m1, ..., mk), sk).
- Verification: given σ and (m1, ..., mk), anyone holding the public key checks ver(σ, (m1, ..., mk), pk) = true.
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary adaptively obtains signatures σ1, ..., σl on messages m1, ..., ml of its choice; it must not be able to output σ and m ≠ mi such that ver(σ, m, pk) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ.
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n.
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n).
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).
We want to do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-( (H(m) is not an exponentiation in the secret m, so the discrete-logarithm proofs above do not apply).
CL-Signature Scheme
Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n.
Secret key: the factors of n.
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
- choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, and compute
    c = (d / (a1^{m1} ··· ak^{mk} · b^s))^{1/e} mod n
- the signature is (c, e, s)
To verify a signature (c, e, s) on messages m1, ..., mk, check
- m1, ..., mk ∈ {0,1}^ℓ and e > 2^{ℓ+1}
- d = c^e · a1^{m1} ··· ak^{mk} · b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e · a1^{m1} a2^{m2} · b^s mod n.
Observe:
- Let c' = c · b^t mod n with randomly chosen t.
- Then d = c'^e · a1^{m1} a2^{m2} · b^{s - e·t} (mod n), i.e. (c', e, s' = s - e·t) is also a signature on m1 and m2.
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and run
  PK{(ε, μ1, σ): d / a2^{m2} = c'^ε · a1^{μ1} · b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε · a1^{μ1} · a2^{m2} · b^σ
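The CL scheme of the last three slides as an added Python example (not the slides' code): signing, verification and the re-randomisation c' = c·b^t, s' = s - e·t that makes a shown signature unlinkable to the issued one. It assumes a constructed toy RSA modulus built from two hypothetical 30-bit primes and message length ℓ = 16; the issuer's 1/e mod φ(n) stands in for "the factors of n".

```python
import math
import random

# Constructed toy RSA parameters (hypothetical primes, far too small for
# real use).  PHI is the signer's secret; everything else is public.
P_RSA = 1000000007
Q_RSA = 998244353
N = P_RSA * Q_RSA
PHI = (P_RSA - 1) * (Q_RSA - 1)
ELL = 16  # messages m_i are ELL-bit integers, i.e. m_i in {0,1}^ELL


def _qr(rng):
    """Random quadratic residue mod n: the square of a random unit."""
    while True:
        v = rng.randrange(2, N)
        if math.gcd(v, N) == 1:
            return pow(v, 2, N)


def keygen(k, rng):
    """Public key (n, a_1..a_k, b, d) with all bases in QR_n."""
    return {"a": [_qr(rng) for _ in range(k)], "b": _qr(rng), "d": _qr(rng)}


def _is_prime(e):
    """Trial division; e is below 2^(ELL+2), so this is cheap."""
    i = 2
    while i * i <= e:
        if e % i == 0:
            return False
        i += 1
    return e >= 2


def _random_prime_e(rng):
    """Prime e with 2^(ELL+2) > e > 2^(ELL+1); gcd(e, phi) = 1 so 1/e exists."""
    while True:
        e = rng.randrange(2 ** (ELL + 1) + 1, 2 ** (ELL + 2))
        if _is_prime(e) and math.gcd(e, PHI) == 1:
            return e


def _product(pk, msgs, s):
    """a_1^{m_1} ··· a_k^{m_k} · b^s mod n (negative s uses the inverse)."""
    val = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        val = val * pow(a_i, m_i, N) % N
    return val


def sign(pk, msgs, rng):
    """Signer: c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n."""
    if not all(0 <= m < 2 ** ELL for m in msgs):
        raise ValueError("messages must be ELL-bit values")
    e = _random_prime_e(rng)
    s = rng.randrange(N // 2, N)                 # integer s of size about n
    e_inv = pow(e, -1, PHI)                      # needs the factorisation
    base = pk["d"] * pow(_product(pk, msgs, s), -1, N) % N
    return pow(base, e_inv, N), e, s


def verify(pk, msgs, sig):
    """Verifier: message and prime-size bounds, then d = c^e · Π a_i^{m_i} · b^s."""
    c, e, s = sig
    if not all(0 <= m < 2 ** ELL for m in msgs) or e <= 2 ** (ELL + 1):
        return False
    return pk["d"] == pow(c, e, N) * _product(pk, msgs, s) % N


def randomize(pk, sig, rng):
    """(c', e, s') with c' = c·b^t and s' = s - e·t: a fresh signature on the
    same messages (s' stays positive here because s ~ n and e·t < 2^34)."""
    c, e, s = sig
    t = rng.randrange(1, 2 ** ELL)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def demo(seed=3):
    rng = random.Random(seed)
    pk = keygen(2, rng)
    msgs = [2024, 17]                              # constructed sample messages
    sig = sign(pk, msgs, rng)
    sig2 = randomize(pk, sig, rng)
    return {
        "valid": verify(pk, msgs, sig),
        "randomized_valid": verify(pk, msgs, sig2),
        "looks_different": sig[0] != sig2[0] and sig[2] != sig2[2],
        "wrong_message": verify(pk, [2025, 17], sig),
        "bad_e": verify(pk, msgs, (sig[0], 3, sig[2])),
    }
```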
Commitment schemes
Commitment Scheme: Functionality
Figure: the committer puts a message m (the date 2-36-17 in the picture) into a locked box and hands the box over; later she opens it and the recipient sees m.
Commitment Scheme: Security
Binding (figure): a box committed to 2-36-17 cannot later be opened to show 3-21-11.
Hiding (figure): for all messages m, m', a box containing m and a box containing m' look the same from the outside.
Commitment Schemes
Group G = <g> = <h> of order q.
To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
- reveal x and r to the verifier
- the verifier checks whether c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r.
Perfectly hiding:
Let c be a commitment and u = log_g h. Thus c = g^x h^r = g^{x+ur}. For any x' put r' = r + (x - x')/u (mod q); then g^{x'} h^{r'} = g^{x' + ur + (x - x')} = g^{x+ur} = c.
I.e. given c and any x', there exists r' such that c = g^{x'} h^{r'}, so c carries no information about x.
Computationally binding:
Let c, (x, r) and (x', r') with (x, r) ≠ (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}.
Then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q, i.e. two openings reveal the discrete logarithm of h.
Commitment Scheme: Extended Features
- Proof of knowledge of contents (figure): the committer proves that she knows the m inside the box; the verifier outputs true and learns nothing about m.
- Proof of relations among contents (figure): given two boxes containing m and m', she proves e.g. m' = 2·m.
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}; then
  PK{(α, β): C1 = g^β h^α}
  PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
Putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q.
User's secret key: random sk ∈ Z_q.
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy-ABCs
Concept: credentials – like PKI, but better. Issuing a credential (figure): the issuer certifies the user's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e · a1^{m1} ··· ak^{mk} · b^s mod n
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
  → d = c^e · a1^{sk} · a2^{m2} ··· ak^{mk} · b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
Figure: the user commits to the hidden messages m1, ..., mj and sends the commitment together with the clear messages mj+1, ..., mk; the signer returns σ = sig((commitment of (m1, ..., mj), mj+1, ..., mk), sk), and the user ends up with σ such that ver(σ, (m1, ..., mk), pk) = true.
Verification remains unchanged.
Security requirements basically the same as for signatures, but
- the signer should not learn any information about m1, ..., mj
- forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d.
1. The user computes C = a1^{sk} · b^{s'} and sends C together with the attribute name in the clear.
2. The user proves PK{(μ1, σ): C = a1^{μ1} · b^σ}.
3. The issuer chooses e and s'' and computes c = (d / (C · a2^{name} · b^{s''}))^{1/e} mod n; it returns (c, e, s'').
4. Now d = c^e · a1^{sk} · a2^{name} · b^{s'' + s'} (mod n), i.e. (c, e, s' + s'') is a CL-signature on (sk, name).
Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} h^r (issuer public key n, a_i, b, d).
1. The user computes C = a1^{sk} · a2^r · b^{s'} and sends C, Nym and the attribute name in the clear.
2. The user proves PK{(μ1, ρ, σ): Nym = g^{μ1} h^ρ ∧ C = a1^{μ1} · a2^ρ · b^σ}.
3. The issuer stores (Nym, name), chooses e and s'' and computes c = (d / (C · a3^{name} · b^{s''}))^{1/e} mod n; it returns (c, e, s'').
4. Now d = c^e · a1^{sk} a2^r a3^{name} · b^{s'' + s'} (mod n).
An Example Scenario
Polling Scenario and Requirements
Scenario:
- pollster(s) and a number of users
- only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- a user can voice an opinion only once (subsequent attempts are dropped)
- users want to be anonymous; a user's opinions in different polls must not be linkable
Polling – Solution: Registration
- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
    d = c^e · a1^{sk} a2^r a3^{attr} · b^s (mod n)
  under the issuer public key (n, a1, a2, a3, b, d).
- The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms (re-randomises) her credential.
3. The user presents the transformed credential with a subset of the attributes:
   - the user is anonymous and unlinkable
   - multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}.
   P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
   - c' = c · b^{s'} mod n with randomly chosen s'
   - SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts
Concept – Inspection
Figure: a trusted third party (TTP, the inspector) publishes inspector parameters; the user verifiably encrypts an identifying attribute under them, and the inspection grounds state when it may be decrypted.
- If the car is damaged, the ID with the insurance or the government needs to be retrieved.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Functionality: key generation, encryption, decryption.
Security: like envelopes – the ciphertext gives no information about the message; an adversary who picks two messages cannot tell which of them was encrypted. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group G = <g> of order q.
Secret key: x ∈ {1, ..., q}. Public key: y = g^x.
To encrypt a message m ∈ <g>:
- choose random r ∈ {1, ..., q}
- compute c = (y^r · m, g^r)
To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r · m, g^r) = (g^{xr} · m, g^r)
- thus set m = c1 · c2^{-x} = y^r · m · g^{-xr} = y^{r-r} · m = m
Realizing Inspection
Given Nym = g^{sk} h^r, a credential (c, e, s) with d = c^e · a1^{sk} a2^r a3^{name} · b^{s'' + s'} (mod n), and the inspector's public key y = g^x:
- Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u · Nym, g^u) = (e1, e2).
- Compute the proof token (presentation token):
  - compute c' = c · b^t mod n with randomly chosen t
  - compute the proof
    PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials

Anonymous Credential Revocation
Figure: the issuer publishes revocation information and the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.
There are various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e · a1^{sk} a2^{u_i} · b^{s'' + s'} (mod n).
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk).
Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for each u_j in (u1, ..., uk)
- prove PK{(ε, μ, ρ, σ): (d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ ... ∨ (d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e · a1^{sk} a2^{u_i} · b^{s'' + s'} (mod n).
Publish the list of all invalid u_i's: (u1, ..., uk).
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, μ, ρ, σ): d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
- the verifier checks that U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_j = h^{u_j} → a single table lookup.
- BUT if the user comes again, the verifier can link her. ALSO the verifier could refuse to ever change h, or use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check correctness. The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof
The issuer signs the intervals between revoked values: for revocation list {1, 4, 5} (N being the largest possible value) it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N).
Alice's credential contains u with i < u < j for some signed interval, and she proves knowledge of such a u together with Sig(i, j), so the verifier does not learn i, j (figure: the value 3 lies in the signed interval (1, 4)).
Sig(i, j) can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators.
Figure: credentials contain a random serial number (1, 2, 3, 4, 5, 6 in the picture); the issuer accumulates all good serial numbers. Alice's credential contains serial number 2, and she proves that 2 is included in the accumulator; the proof requires a witness.
To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
- the values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- the witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e1 ··· e_{j-1} · e_{j+1} ··· ek} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: nobody can show (x, e) s.t. z = x^e mod n for an e that is not contained in the accumulator
- for fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets a witness x with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- commit to x:
  - choose random s and g, and
  - compute U1 = x · h^s, U2 = g^s, and reveal U1, U2, g
- run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c'^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
- No information about x and e is revealed:
  - (U1, U2) is a secure commitment to x
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 / h^δ)^μ (mod n)
  c) d = c'^ε a1^ρ a2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
- recall z = v^{Π e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
- now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- witness:
  - use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  - now x' = x^b · z'^a mod n
  - why? x'^{e_own} = ((x^b · z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
      = ((x^b · z'^a)^{e_own · e_rev})^{1/e_rev} mod n
      = ((x^{e_own})^{b·e_rev} · (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n
      = (z^{b·e_rev} · z^{a·e_own})^{1/e_rev} mod n
      = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
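An added Python example (not the slides' code) of the RSA accumulator from the third solution, covering accumulation and witnesses, the join and revoke updates of the two preceding slides, and the improved join where the issuer uses the factorisation so that z stays unchanged. It assumes a constructed toy modulus from two hypothetical 30-bit primes, seed v = 4, and the constructed prime serial numbers 101, 103, 107, 109, 113.

```python
# Constructed toy RSA modulus (hypothetical primes, far too small for real
# use).  PHI is known to the issuer only; N and the seed V are public.
P_RSA, Q_RSA = 1000000007, 998244353
N = P_RSA * Q_RSA
PHI = (P_RSA - 1) * (Q_RSA - 1)
V = 4                                    # seed v, a quadratic residue mod n


def accumulate(serials):
    """Issuer: z = v^(e_1 ··· e_k) mod n over the prime serial numbers."""
    z = V
    for e in serials:
        z = pow(z, e, N)
    return z


def witness(serials, e_j):
    """Witness for e_j: x = v^(product of all e_i with i != j), so x^e_j = z."""
    x = V
    for e in serials:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, e, x):
    """Verifier: e is accumulated in z iff z = x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, x, e_new):
    """Join without the factorisation: z' = z^e_new, and an existing witness
    x becomes x' = x^e_new (every member must update)."""
    return pow(z, e_new, N), pow(x, e_new, N)


def issuer_remove(z, e_rev):
    """Issuer (knows phi(n)): publishes z' = z^(1/e_rev) mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def _ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - qt * s1
        t0, t1 = t1, t0 - qt * t1
    return a, s0, t0


def update_witness_after_revocation(x, e_own, e_rev, z_new):
    """Remaining member (no secrets needed): with a*e_own + b*e_rev = 1 set
    x' = x^b * z'^a mod n, so x'^e_own = z'^(a*e_own + b*e_rev) = z'.
    A negative b is handled by pow(), which takes the modular inverse."""
    g, a, b = _ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("serial numbers must be distinct primes")
    return pow(x, b, N) * pow(z_new, a, N) % N


def issuer_join_witness(z, e_new):
    """Improved variant (issuer knows phi(n)): z stays unchanged and the new
    member gets x = z^(1/e_new) mod n; nobody else has to update."""
    return pow(z, pow(e_new, -1, PHI), N)


def demo():
    serials = [101, 103, 107, 109]           # constructed prime serial numbers
    z = accumulate(serials)
    x_103 = witness(serials, 103)
    # Revoke 107: the issuer publishes z2; member 103 updates its witness.
    z2 = issuer_remove(z, 107)
    x_103_new = update_witness_after_revocation(x_103, 103, 107, z2)
    # Improved join: 113 joins, z2 is unchanged, only 113 needs a witness.
    x_113 = issuer_join_witness(z2, 113)
    # Plain join for comparison: everyone's witness has to be re-derived.
    z3, x_103_after_join = add_member(z2, x_103_new, 127)
    return {
        "member_ok": verify(z, 103, x_103),
        "revoked_witness_fails": verify(z2, 107, witness(serials, 107)),
        "member_still_ok": verify(z2, 103, x_103_new),
        "stale_witness_fails": verify(z2, 103, x_103),
        "z2_matches_fresh": z2 == accumulate([101, 103, 109]),
        "joined_ok": verify(z2, 113, x_113) and verify(z2, 103, x_103_new),
        "plain_join_ok": verify(z3, 103, x_103_after_join),
    }
```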
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive).
Recall issuing for Identity Mixer: the user sends U = a1^{m1} a2^{m2} b^{s'}; the issuer chooses e, s'' and computes
  c = (d / (U · a3^{m3} · a4^{time} · b^{s''}))^{1/e} mod n
and returns (c, e, s'').
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive).
Idea: just repeat the last step for each new time period time_i: choose e_i, s_i'' and compute
  c_i = (d / (U · a3^{m3} · a4^{time_i} · b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap:
- explain the possibilities to engineers, policy makers, etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society:
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- Ateniese, Song and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
copy 2014 IBM Corporation50 August 11 2015
zero-knowledge proofs
copy 2014 IBM Corporation51 August 11 2015
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties
zero-knowledgeverifier learns nothing about the provers secret
proof of knowledge (soundness)prover can convince verifier only if she knows the secret
completenessif prover knows the secret she can always convince the verifier
Commitment
Challenge
Response
copy 2014 IBM Corporation52 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs
Proof of knowledge if a prover can successfully convince a verifier then the secret need to be extractable
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box rarr we can reset and rerun prover Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
Zero-knowledge property
If verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2014 IBM Corporation55 August 11 2015
One way to modify protocol to get large domain c
t = gs yc
Prover
random r
t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2014 IBM Corporation57 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM Corporation58 August 11 2015
From Protocols To Signatures
Signing a message m- chose random r Є Zq and
- compute c = H(gr||m) = H(t||m) s = r - cx mod (q)
- output (cs)
Verifying a signature (cs) on a message m
- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα
PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
SPK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)
PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2014 IBM Corporation60 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
rarr α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
rarr a3 = a1 + 5 a2 (mod q)
copy 2014 IBM Corporation61 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
rarr a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs (figure: Alice; building blocks: signature scheme, commitment scheme, zero-knowledge proofs)
Commitment scheme
Commitment Scheme Functionality (figure: the committer locks message m in a box and hands it over; opening the box later reveals m)
Commitment Scheme Security: Binding (figure: the committer cannot open the box to a different message m' ≠ m)
Commitment Scheme Security: Hiding (figure: for all messages m, m', the verifier cannot tell from the closed box which one it contains)
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h
Thus c = g^x h^r = g^(x+ur) = g^((x+ur)+u(r'−r')) = g^(x+u(r−r')) h^r' for any r'
I.e., given c and any x' there exists r' such that c = g^x' h^r' (namely r' = r + (x − x')/u)
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^x' h^r'
Then g^(x−x') = h^(r'−r) and u = log_g h = (x−x')/(r'−r) mod q
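The hiding and binding arguments above, as an added Python example (not the slides' code) over a toy safe-prime group; the parameters p = 2039, q = 1019, g = 4, h = 9 are assumed toy values, and the brute-force discrete log stands in for what an adversary cannot do at real group sizes.

```python
# Added example, not from the slides: Pedersen commitments in a toy group.
import secrets
from typing import Optional, Tuple

# Toy safe prime p = 2q + 1; the quadratic residues form the order-q subgroup.
P, Q = 2039, 1019
G = 4   # 2^2, a quadratic residue, so it generates the order-q subgroup
H = 9   # 3^2; in a real deployment nobody may know log_g h


def commit(x: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Commit to x in Z_q: c = g^x h^r mod p. Returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_ok(c: int, x: int, r: int) -> bool:
    """Verifier's check of the opening (x, r)."""
    return c == pow(G, x, P) * pow(H, r, P) % P


def extract_log(x1: int, r1: int, x2: int, r2: int) -> int:
    """Binding argument: two different valid openings of one commitment give
    g^(x1-x2) = h^(r2-r1), hence log_g h = (x1 - x2) / (r2 - r1) mod q."""
    if r1 == r2:
        raise ValueError("openings with equal r cannot differ in x")
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


def second_opening(x: int, r: int, x2: int, u: int) -> int:
    """Hiding argument: whoever knows u = log_g h can open c = g^x h^r to any
    x2, with r2 = r + (x - x2) / u mod q (so c reveals nothing about x)."""
    return (r + (x - x2) * pow(u, -1, Q)) % Q


def dlog_bruteforce(base: int, target: int) -> int:
    """Toy-only exhaustive discrete log; infeasible at real group sizes, which
    is exactly what the computational binding of the scheme relies on."""
    acc = 1
    for i in range(Q):
        if acc == target:
            return i
        acc = acc * base % P
    raise ValueError("target not in the subgroup generated by base")


if __name__ == "__main__":
    c, r = commit(42)
    print("commitment", c, "opens to 42:", open_ok(c, 42, r))
    u = dlog_bruteforce(G, H)          # what a real adversary cannot do
    r2 = second_opening(42, r, 100, u)
    print("also opens to 100:", open_ok(c, 100, r2))
    print("two openings leak log_g h:", extract_log(42, r, 100, r2) == u)
```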
Commitment Scheme Extended Features (figure: proof of knowledge of contents; proof of relations among contents, e.g. m' = 2·m)
Let C1 = g^m h^r and C2 = g^m' h^r', then
Proof of Knowledge of Contents: PK{(α, β): C1 = g^β h^α}
Proof of Relations among Contents (m' = 2·m): PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
Putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^sk h^r
Privacy-protecting authentication with Privacy ABCs: Concept credentials
Like PKI, but better: issuing a credential (figure: Alice obtains a credential with Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ
– e > 2^(ℓ+1)
– d = c^e a1^m1 ··· ak^mk b^s mod n
Problem: pseudonym not in message space
Solution: sign secret key instead
→ d = c^e a1^sk a2^m2 ··· ak^mk b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(figure: the user commits to the hidden messages m1, ..., mj and sends the commitment together with the clear messages (mj+1, ..., mk); the signer returns σ = sig((commitment, mj+1, ..., mk)), and ver(σ, (m1, ..., mk)) = true)
Verification remains unchanged
Security requirements basically the same as for signatures, but:
• signer should not learn any information about m1, ..., mj
• forgery w.r.t. message: clear parts and opening of commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
– User: commit to the secret key, C = a1^sk b^s', send C and the clear attribute name, and prove PK{(µ1, σ): C = a1^µ1 b^σ}
– Issuer: choose (e, s''), compute c = (d / (C a2^name b^s''))^(1/e) mod n and return (c, e, s'')
– User: the result is a signature on (sk, name) with s = s'' + s', i.e. d = c^e a1^sk a2^name b^(s''+s') (mod n)
Want to sign w.r.t. Nym = g^sk h^r:
– User: Nym = g^sk h^r, C = a1^sk a2^r b^s', send C, Nym and name, and prove PK{(µ1, ρ, σ): Nym = g^µ1 h^ρ ∧ C = a1^µ1 a2^ρ b^σ}
– Issuer: c = (d / (C a3^name b^s''))^(1/e) mod n, returns (c, e, s''), stores (Nym, name)
– User: d = c^e a1^sk a2^r a3^name b^(s''+s') (mod n)
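Issuance on a committed secret key, verification, and the re-randomisation c' = c·b^t, s' = s − e·t from the earlier "Proving Knowledge of a CL-signature" slide, as an added Python example (not the slides' or Identity Mixer's code). Toy parameters are assumed: a 22-bit modulus n = 2039·2003, ℓ = 8-bit messages, and the user's PK{...} accompanying the commitment is left out.

```python
# Added example, not the slides' or Identity Mixer's code: toy CL signatures.
import math
import secrets

ELL = 8                      # message length l: messages lie in [0, 2^l)
P_TOY, Q_TOY = 2039, 2003    # toy primes (both 3 mod 4); real ones are ~1024 bits
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)   # known to the issuer only (its secret key)


def _is_prime(x: int) -> bool:
    return x > 1 and all(x % i for i in range(2, math.isqrt(x) + 1))


def _qr() -> int:
    """Random element of QR_n (square of a random unit, excluding 1)."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1 and r * r % N != 1:
            return r * r % N


def keygen(k: int = 2) -> dict:
    """Issuer public key (n, a_1..a_k, b, d) in QR_n; secret key = factors of n."""
    return {"n": N, "a": [_qr() for _ in range(k)], "b": _qr(), "d": _qr()}


def user_commit(pk: dict, sk: int) -> tuple:
    """User side of issuance: C = a1^sk b^s' hides sk from the issuer."""
    s1 = secrets.randbelow(N)                  # s' is approximately n
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issuer_sign(pk: dict, C: int, clear_msgs: list) -> tuple:
    """Issuer: random prime 2^(l+1) < e < 2^(l+2), random s'', and the e-th root
    c = (d / (C * a2^m2 * ... * b^s''))^(1/e) mod n, taken using phi(n)."""
    if any(not 0 <= m < 2 ** ELL for m in clear_msgs):
        raise ValueError("clear message outside {0,1}^l")
    while True:
        e = 2 ** (ELL + 1) + 1 + secrets.randbelow(2 ** (ELL + 1) - 1)
        if _is_prime(e) and math.gcd(e, PHI) == 1:
            break
    s2 = secrets.randbelow(N)
    base = C * pow(pk["b"], s2, N) % N
    for a_i, m in zip(pk["a"][1:], clear_msgs):
        base = base * pow(a_i, m, N) % N
    c = pow(pk["d"] * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def verify(pk: dict, sig: tuple, msgs: list) -> bool:
    """Check d = c^e * a1^m1 * ... * ak^mk * b^s (mod n) plus the range checks."""
    c, e, s = sig
    if not 2 ** (ELL + 1) < e < 2 ** (ELL + 2):
        return False
    if any(not 0 <= m < 2 ** ELL for m in msgs):
        return False
    val = pow(c, e, N) * pow(pk["b"], s, N) % N   # s may be negative: b^-1 is used
    for a_i, m in zip(pk["a"], msgs):
        val = val * pow(a_i, m, N) % N
    return val == pk["d"]


def rerandomise(pk: dict, sig: tuple) -> tuple:
    """(c', e, s') with c' = c b^t and s' = s - e t signs the same messages,
    so every showing can present a fresh c' that is unlinkable to c."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


if __name__ == "__main__":
    pk = keygen()
    sk, name = 37, 200                        # toy secret key and attribute
    C, s1 = user_commit(pk, sk)               # the issuer never sees sk
    c, e, s2 = issuer_sign(pk, C, [name])
    sig = (c, e, s1 + s2)                     # s = s'' + s'
    print("valid:", verify(pk, sig, [sk, name]))
    print("re-randomised still valid:", verify(pk, rerandomise(pk, sig), [sk, name]))
```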
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
A user can voice an opinion only once (subsequent attempts are dropped)
Users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates a pseudonym (ID for registration)
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e a1^sk a2^r a3^attr b^s (mod n), issuer public key (n, a_i, b, d)
The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
– c' = c b^s' mod n with randomly chosen s'
– SPK{(ε, µ1, µ2, µ3, σ): P = g_d^µ1 ∧ d = c'^ε a1^µ1 a2^µ2 a3^µ3 b^σ (mod n) ∧ µ1, µ2, µ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)
Further Concepts
Concept – Inspection
(figure: a trusted third party (TTP) publishes inspector parameters; the verifier states the inspection grounds)
• If the car is damaged, the ID needs to be retrieved (with insurance or government)
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption (figure: key generation, encryption, decryption)
Security: like envelopes – no info about the message
(figure: the adversary cannot tell which of two messages a sealed envelope contains)
This is called semantic security (secure if used once only or within a careful construction)
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext
Verifiable Encryption
Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^(xr) m, g^r)
– Thus set m = c1 · c2^(−x) = y^r m g^(−xr) = y^r m y^(−r) = m
Realizing Inspection
User holds Nym = g^sk h^r and a credential with d = c^e a1^sk a2^r a3^name b^(s''+s') (mod n); the inspector's public key is y = g^x
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e1, e2)
Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute proof PK{(ε, µ1, µ2, µ3, ρ, σ): d = c'^ε a1^µ1 a2^µ2 a3^µ3 b^σ ∧ e1 = y^ρ g^µ1 h^µ2 ∧ e2 = g^ρ ∧ µ1, µ2, µ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
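The inspection flow, as an added Python example (not the slides' code): ElGamal in the toy group p = 2039, q = 1019, g = 4, h = 9 (assumed values), with the inspector decrypting enc = (y^u·Nym, g^u) and resolving Nym through the (Nym, name) pairs the issuer stored at issuance; the PK that ties enc to the credential is not implemented here.

```python
# Added example, not from the slides: inspection by decrypting the pseudonym.
import secrets

P, Q = 2039, 1019          # toy safe prime p = 2q + 1
G, H = 4, 9                # generators of the order-q subgroup (QR_p)


def inspector_keygen():
    """Inspector's key pair: secret x in {1, ..., q-1}, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Nym = g^sk h^r, the user's key-bound pseudonym."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, nym, u=None):
    """enc = (y^u * Nym, g^u) = (e1, e2) with fresh u per presentation."""
    if u is None:
        u = secrets.randbelow(Q - 1) + 1
    return pow(y, u, P) * nym % P, pow(G, u, P)


def decrypt(x, enc):
    """Nym = e1 * e2^(-x) = y^u Nym g^(-xu)."""
    e1, e2 = enc
    return e1 * pow(e2, -x, P) % P


class Issuer:
    """Keeps the (Nym, name) pairs recorded at issuance."""

    def __init__(self):
        self.table = {}

    def register(self, nym, name):
        self.table[nym] = name

    def resolve(self, nym):
        return self.table.get(nym)


def inspect(x, enc, issuer):
    """Inspector: recover the pseudonym, then ask the issuer who it belongs to."""
    return issuer.resolve(decrypt(x, enc))


if __name__ == "__main__":
    x, y = inspector_keygen()
    issuer = Issuer()
    nym = pseudonym(77, 5)                     # toy sk = 77, r = 5
    issuer.register(nym, "Alice Doe")
    enc = encrypt(y, nym)
    print("verifier sees only enc =", enc)
    print("inspector resolves:", inspect(x, enc, issuer))
```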
Revocation of credentials
Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Alice should be able to convince the verifier that her credential is among the good ones
Various reasons to revoke a credential: user lost the credential secret key, misbehavior of the user, ...
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s''+s') (mod n)
Publish the list of all valid (or invalid) u_i's: (u1, ..., uk)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^u_j for u_j in (u1, ..., uk)
– Prove PK{(ε, µ, ρ, σ): (d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U1 = g^µ) ∨ ... ∨ (d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ Uk = g^µ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^sk a2^u_i b^(s''+s') (mod n)
Publish the list of all invalid u_i's: (u1, ..., uk)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^u_i
– Prove PK{(ε, µ, ρ, σ): d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U = h^µ}
– Verifier checks whether U = h^u_j for any u_j on the list (if so, the credential is revoked)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_i = h^u_i → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
– One way out: h = H(verifier, date), so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – ... better implementation of the proof
(figure: revocation list {1, 4, 5}; the issuer signs the intervals between revoked values: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a credential containing 3 proves that it contains a value strictly between i and j where the user holds Sig(i,j))
Issuer signs intervals between revoked values → revocation list {1, 4, 5}
Alice proves her credential contains a value between i and j, i < value < j, where Sig(i, j) is on the list
Verifier does not learn i, j
Sig(i, j) can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution – Using cryptographic accumulators
(figure: credentials contain random serial numbers, here 1 to 6; the issuer accumulates all good serial numbers; the proof that a serial number is included in the accumulator requires a witness; to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials)
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^(Π e_i) mod n
– publish z and n
– the witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e1···e_(j−1)·e_(j+1)···ek) mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to present (x, e) s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator
– Commit to x:
• choose random s and g
• compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
– Run the proof protocol with the verifier: PK{(ε, µ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ z = U1^µ (1/h)^ξ (mod n) ∧ 1 = U2^µ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis:
– No information about x and e is revealed
• (U1, U2) is a secure commitment to x
• the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
a) 1 = U2^µ (1/g)^ξ = (g^δ)^µ (1/g)^ξ (mod n) ⇒ ξ = δ·µ
b) z = U1^µ (1/h)^ξ = U1^µ (1/h)^(δ·µ) = (U1 h^(−δ))^µ (mod n), i.e. z = x^µ for x = U1 h^(−δ)
c) d = c^ε a1^ρ a2^µ b^σ (mod n), so the same µ is the e in the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^(Π e_i) mod n
– Thus z' = z^e_new mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^e_new mod n
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^(Π_(i≠rev) e_i) = z^(1/e_rev) mod n
– Witness:
• Use extended Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
• Now x' = x^b z'^a mod n
• Why: x'^e_own = ((x^b z'^a)^e_own)^(e_rev·1/e_rev) mod n = ((x^e_own)^(b·e_rev) (z'^e_rev)^(a·e_own))^(1/e_rev) mod n = (z^(b·e_rev) z^(a·e_own))^(1/e_rev) mod n = z^(1/e_rev) mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– Recall z = v^(Π e_i) mod n
– Actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and x = z^(1/e_new) mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
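The accumulator operations of the Third Solution, as an added Python example (not the slides' or the Camenisch-Lysyanskaya code): accumulate, witness, verify, join, revocation by the issuer who knows φ(n), and the extended-Euclid witness update of the unrevoked user. The toy modulus n = 2039·2003, the seed v = 4 and the serial primes are assumed values.

```python
# Added example, not the slides' or the Camenisch-Lysyanskaya code: toy RSA
# accumulator with the witness updates for joining and revocation.

P_TOY, Q_TOY = 2039, 2003        # toy primes (3 mod 4); real ones are ~1024 bits
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)  # issuer's secret: lets it take e-th roots
V = 4                            # seed v, a quadratic residue mod n


def accumulate(values):
    """z = v^(prod e_i) mod n;  the e_i are distinct primes coprime to phi(n)."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j):
    """x = v^(prod_{i != j} e_i) mod n, so that x^e_j = z."""
    return accumulate([e for e in values if e != e_j])


def verify(z, x, e):
    """Verifier's check that e is in the accumulator: z == x^e mod n."""
    return pow(x, e, N) == z


def join(z, x_own, e_new):
    """A new member joins: z' = z^e_new; every existing witness becomes x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def issuer_revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) = v^(prod_{i != rev} e_i) mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def witness_after_revocation(x, e_own, z_new, e_rev):
    """Unrevoked user updates x without the factorisation: with a e_own + b e_rev = 1,
    x' = x^b z'^a, and x'^e_own = z^b z'^(a e_own) = z'^(b e_rev + a e_own) = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x, b, N) * pow(z_new, a, N) % N     # negative exponents use inverses


if __name__ == "__main__":
    serials = [541, 547, 557]                   # primes > 2^9 standing in for the e_i
    z = accumulate(serials)
    x = witness(serials, 547)
    print("547 accumulated:", verify(z, x, 547))
    z, x = join(z, x, 563)                      # 563 joins; our witness is refreshed
    z_new = issuer_revoke(z, 541)               # issuer revokes 541
    x = witness_after_revocation(x, 547, z_new, 541)
    print("547 still accumulated after revoking 541:", verify(z_new, x, 547))
```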
Revocation: Zeroth Solution
Update of credentials: encode validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a1^m1 a2^m2 b^s'; the issuer chooses e, s'' and computes c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n, returning (c, e, s'')
Idea: just repeat the last step for each new time time_i
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Choose e_i, s_i'' and compute c_i = (d / (U a3^m3 a4^time_i b^s_i''))^(1/e_i) mod n
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureid.eu
– www.au2eu.eu
– www.primelife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS. Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Zero-Knowledge Proofs
Interactive proof between a prover and a verifier about the prover's knowledge (figure: commitment, challenge, response)
Properties:
– zero-knowledge: the verifier learns nothing about the prover's secret
– proof of knowledge (soundness): the prover can convince the verifier only if she knows the secret
– completeness: if the prover knows the secret she can always convince the verifier
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group <g> and element y ∈ <g>
Prover wants to convince verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g
Prover: random r, t = g^r; sends t
Verifier: random c; sends c
Prover: s = r − c·x; sends s
Verifier checks t = g^s y^c
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable
The prover might do the protocol computation in any way it wants & we cannot analyse its code
Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface
(figure: rerun the prover on the same t with two challenges c and c', obtaining responses s and s')
t = g^s y^c = g^s' y^c' → y^(c−c') = g^(s'−s)
→ y = g^((s'−s)/(c−c'))
→ x = (s'−s)/(c−c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y)
Idea: one can simulate whatever Bob "sees"
Choose random c, s; compute t = g^s y^c; send t
If the verifier's challenge c' = c, send s; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c:
Verifier: random c_v, h = H(c_v); sends h
Prover: random r, t = g^r; sends t
Verifier: sends c_v
Prover: checks h = H(c_v), s = r − c_v·x; sends s
Verifier checks t = g^s y^c_v
Notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c – simulation:
– after having received h, choose random c, s; compute t = g^s y^c; send t
– after having received c_v, "reboot" the verifier (it sends the same h again)
– choose random s, compute t = g^s y^c_v; send t
– receive c_v again; send s
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r − c·x mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m) ↔ t = g^s y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
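The Schnorr protocol, the two-transcript extractor, the simulator and the SPK signature of the preceding slides, as an added Python example (not the slides' code) in the toy group p = 2039, q = 1019, g = 4 (assumed values); the Fiat-Shamir challenge is the full SHA-256 value, which the exponent arithmetic allows.

```python
# Added example, not the slides' code: Schnorr PK{(α): y = g^α}, its extractor
# and simulator, and the Fiat-Shamir signature SPK{(α): y = g^α}(m).
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # toy safe prime p = 2q + 1; g generates the order-q subgroup


class Prover:
    def __init__(self, x):
        self.x = x                          # secret with y = g^x
        self.y = pow(G, x, P)
        self.r = None

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)            # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % Q    # s = r - c x mod q


def verify(y, t, c, s):
    """Verifier's check t == g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def extract(c1, s1, c2, s2):
    """Two accepting transcripts (t, c1, s1), (t, c2, s2) with the same t and
    c1 != c2 give x = (s2 - s1) / (c1 - c2) mod q (the soundness argument)."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def simulate(y):
    """Zero-knowledge: pick c, s first and set t = g^s y^c; the transcript
    verifies although no secret was used."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def _challenge(t, m):
    """c = H(t || m); the full hash is used, any integer c works as exponent."""
    return int.from_bytes(hashlib.sha256(f"{t}|{m}".encode()).digest(), "big")


def spk_sign(x, m):
    """SPK{(α): y = g^α}(m): c = H(g^r || m), s = r - c x mod q."""
    r = secrets.randbelow(Q)
    c = _challenge(pow(G, r, P), m)
    return c, (r - c * x) % Q


def spk_verify(y, m, sig):
    """Recompute t = g^s y^c and check c == H(t || m)."""
    c, s = sig
    return c == _challenge(pow(G, s, P) * pow(y, c, P) % P, m)


if __name__ == "__main__":
    alice = Prover(123)
    t = alice.commit()
    c = 5                                   # verifier's challenge
    s = alice.respond(c)
    print("interactive proof accepted:", verify(alice.y, t, c, s))
    sig = spk_sign(123, "course evaluation: 5/5")
    print("SPK verifies:", spk_verify(alice.y, "course evaluation: 5/5", sig))
```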
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
SPK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min{ord(g), ord(g')}]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, α3, β3 such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = g^α1 g^α2 h^β3 = g^(α1+α2) h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^(5·α2) h^β3 = g^(α1 + 5·α2) h^β3
→ α3 = α1 + 5·α2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now what does PK{(α1, β1, α2, β2, α3, β3, β3'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3'} mean? (β3' is a separate witness from β3)
→ Prover knows values α1, β1, α2, β2, α3, β3, β3' such that
C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^(α2·α1) h^(β3' + β2·α1)
C3 = g^(α2·α1) h^(β3' + β2·α1) = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'}?
→ α2 = α1^2 (mod q)
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements
Now what does PK{(α1, β1, α2, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2'} mean?
→ Prover knows values α1, β1, β2' such that
C1 = g^α1 h^β1
g = (C2/C1)^α1 h^β2' = (C2 g^(−α1) h^(−β1))^α1 h^β2'
→ g^(1/α1) = C2 g^(−α1) h^(−β1) h^(β2'/α1)
C2 = g^α1 h^β1 h^(−β2'/α1) g^(1/α1) = g^(α1 + 1/α1) h^(β1 − β2'/α1)
C2 = g^α2 h^β2
→ α2 = α1 + α1^(−1) (mod q)
Privacy-protecting authentication with Privacy ABCs (figure: Alice; building blocks: signature scheme, commitment scheme, zero-knowledge proofs)
Signature schemes
Signature Scheme Functionality (figure: key generation; signing (m1, ..., mk) gives σ = sig((m1, ..., mk)); verification checks ver(σ, (m1, ..., mk)) = true)
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
Further Concepts
Concept – Inspection
Parties (figure): the user, the verifier and an off-line TTP (the inspector) with inspector parameters and inspection grounds.
• If the car is damaged, the ID needs to be retrieved (with the insurance or the government acting as inspector).
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Key generation, encryption and decryption (figure).
Security: like envelopes, no information about the message leaks; even for two chosen messages the ciphertext does not reveal which one was encrypted.
This is called semantic security (secure if a key is used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \dots, q\}$; public key: $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \dots, q\}$
– compute $c = (y^{r} m,\ g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^{r} m,\ g^{r}) = (g^{xr} m,\ g^{r})$
– thus set $m = c_1 \cdot c_2^{-x} = y^{r} m \cdot g^{-xr} = y^{r - r} m = m$
Realizing Inspection
User holds $Nym = g^{sk} h^{r}$ and the credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^{x}$.
Encrypt $Nym$: choose random $u \in \{1, \dots, q\}$ and compute $enc = (y^{u} Nym,\ g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c \cdot b^{t} \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
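The inspection flow described above (ElGamal encryption of the pseudonym under the inspector's key, decryption by the inspector, lookup of the stored registration) as an added Python example; this is not code from the slides or from Identity Mixer. The group is a constructed toy subgroup of order 11 inside $\mathbb{Z}_{23}^*$, the second generator $h = 13$ and the registry table are constructed, and the zero-knowledge proof that ties $enc$ to the credential is not implemented here.

```python
# Added example, not code from the slides: ElGamal encryption of a pseudonym
# Nym = g^sk h^r under the inspector's key y = g^x, and the inspector's
# decryption followed by the lookup of the stored (Nym, name) registration.
# Toy subgroup of order Q = 11 inside Z_23^*; all values are constructed and
# far too small for real use (a real group has a ~256-bit order).
P, Q, G = 23, 11, 2
H = 13  # second generator of the order-11 subgroup; log_g H is unknown to users


def pseudonym(sk, r):
    """Nym = g^sk h^r mod p (the pseudonym construction from the slides)."""
    return pow(G, sk, P) * pow(H, r, P) % P


def inspector_keygen(x):
    """Secret x in {1..q}, public y = g^x."""
    return x, pow(G, x, P)


def encrypt(y, m, u):
    """enc = (y^u * m, g^u) = (e1, e2) with randomness u in {1..q}."""
    return (pow(y, u, P) * m % P, pow(G, u, P))


def decrypt(x, enc):
    """m = e1 * e2^(-x): e2^(-x) = g^(-ux) = y^(-u) cancels the mask."""
    e1, e2 = enc
    return e1 * pow(e2, -x, P) % P


def inspect(x, enc, registry):
    """Inspector recovers Nym and maps it to the name stored at issuance."""
    nym = decrypt(x, enc)
    return registry.get(nym, "unknown pseudonym")


if __name__ == "__main__":
    x, y = inspector_keygen(4)
    nym = pseudonym(3, 5)                     # user's pseudonym
    registry = {nym: "Alice Doe"}             # constructed issuer table
    enc = encrypt(y, nym, 2)                  # presentation token carries enc
    print(inspect(x, enc, registry))          # Alice Doe
```

The inspector never sees $sk$ or $r$: decryption yields only the group element $Nym$, which is why the issuer's $(Nym, name)$ table is what turns an inspection into an identity.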
Revocation of credentials
Anonymous Credential Revocation
Figure: the issuer publishes revocation info; the verifier looks it up.
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \dots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \dots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is not on the list:
– Choose random $h$ and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– Verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
– It can then pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
– BUT if the user comes again, the verifier can link her visits. ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(verifier, date)$, so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof
– The issuer signs the intervals between revoked IDs: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)$.
– Alice's credential contains $u$ (figure: $u = 3$); she proves that she knows a signature $Sig(i,j)$ with $i < u < j$.
– The verifier does not learn $i, j$.
– $Sig(i,j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
– Credentials contain a random serial number (figure: serial numbers 1 to 6; Alice holds 2).
– The issuer accumulates all good serial numbers into a single accumulator value.
– Alice's credential contains a serial number that is included in the accumulator; the proof requires a witness.
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show an $x$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x \cdot h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
• Use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a \cdot e_{own} + b \cdot e_{rev} = 1$
• Now $x' = x^{b} z'^{a} \bmod n$
• Why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} \bmod n = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and hand out the witness $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
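The accumulator construction and the two witness-update rules on the preceding slides (join, and revocation via the extended Euclidean identity $a \cdot e_{own} + b \cdot e_{rev} = 1$), plus the improved join that leaves $z$ unchanged, as an added Python example. This is not code from the slides or from the Camenisch-Lysyanskaya paper; the modulus $n = 101 \cdot 103$, seed $v = 4$ and credential primes are constructed toy values, and the zero-knowledge proof that the committed $e$ is in the accumulator is not implemented here.

```python
# Added example, not code from the slides: an RSA accumulator in the form
# used above (z = v^(prod e_i) mod n), with witness computation, membership
# check, the witness update when a member joins, the issuer-side revocation
# z' = z^(1/e_rev) (needs phi(n)), and the user-side witness update via the
# extended Euclidean algorithm, which needs only public values.
# Toy modulus n = 101 * 103 and seed v = 4 are constructed; real deployments
# use a >= 2048-bit n, and the e_i must be primes coprime to phi(n).
P_FACT, Q_FACT = 101, 103
N = P_FACT * Q_FACT
PHI = (P_FACT - 1) * (Q_FACT - 1)
V = 4  # seed, a quadratic residue (2^2)


def accumulate(primes):
    """z = v^(e_1 * ... * e_k) mod n, computed as iterated exponentiation."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x_j = v^(product of all e_i except e_j), so that x_j^e_j = z."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify_member(z, e, x):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def add_member(z, x_own, e_new):
    """Join: z' = z^e_new; every old witness becomes x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)


def issuer_revoke(z, e_rev):
    """Revoke: z' = z^(1/e_rev) mod n; only the issuer (knowing phi(n)) can."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness_after_revocation(x_own, e_own, z_new, e_rev):
    """User side: find a*e_own + b*e_rev = 1, then x' = x^b * z'^a mod n.
    Then x'^e_own = z'^(b*e_rev + a*e_own) = z', as derived on the slide."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "e_own and e_rev must be distinct primes"
    return pow(x_own, b, N) * pow(z_new, a, N) % N   # negative exponent = inverse


def join_keep_z(z, e_new):
    """Improved variant: issuer keeps z and hands out x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, PHI), N)


if __name__ == "__main__":
    members = [7, 11, 13]                 # constructed credential primes
    z = accumulate(members)
    x7 = witness(members, 7)
    print(verify_member(z, 7, x7))        # True
    z2 = issuer_revoke(z, 13)             # credential 13 revoked
    x7 = update_witness_after_revocation(x7, 7, z2, 13)
    print(verify_member(z2, 7, x7))       # True
```

Note the asymmetry the slides point out: the issuer needs the factorization (here `PHI`) to revoke, while every remaining user updates her own witness from the public `z_new` and `e_rev` alone.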
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$, computes $c = (d / (U \cdot a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$:
– Choose $e_i, s_i''$
– $c_i = (d / (U \cdot a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
Ateniese, Song and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$.
The prover wants to convince the verifier that she knows $x$ s.t. $y = g^{x}$, such that the verifier only learns $y$ and $g$.
– Prover: chooses random $r$, computes $t = g^{r}$ and sends $t$.
– Verifier: chooses random $c$ and sends $c$.
– Prover: computes $s = r - cx$ and sends $s$.
– Verifier: checks $t = g^{s} y^{c}$.
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Run the prover twice from the same $t$ with different challenges $c, c'$ and obtain responses $s, s'$:
$t = g^{s} y^{c} = g^{s'} y^{c'}$ → $y^{c - c'} = g^{s' - s}$
→ $y = g^{(s' - s)/(c - c')}$
→ $x = (s' - s)/(c - c') \bmod q$
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees".
Simulator: choose random $c'$, $s'$, compute $t = g^{s'} y^{c'}$ and send $t$; receive $c$; if $c = c'$ send $s = s'$, otherwise restart.
Problem: if the domain of $c$ is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$:
– Verifier: chooses random $c$, $v$, computes $h = H(c, v)$ and sends $h$.
– Prover: chooses random $r$, computes $t = g^{r}$ and sends $t$.
– Verifier: sends $c$, $v$.
– Prover: checks $h = H(c, v)$, computes $s = r - cx$ and sends $s$.
– Verifier: checks $t = g^{s} y^{c}$.
Notation: $PK\{(\alpha): y = g^{\alpha}\}$
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for $c$: the simulator
– receives $h$, chooses random $c'$, $s'$, computes $t = g^{s'} y^{c'}$ and sends $t$;
– after having received $c$, $v$, "reboots" the verifier (which sends the same $h$ again);
– chooses random $s$, computes $t = g^{s} y^{c}$ and sends $t$;
– receives $c$, $v$ again and sends $s$.
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$ and
– compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \bmod q$
– output $(c, s)$
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^{s} y^{c} \| m)$ ↔ $t = g^{s} y^{c}$
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^{\alpha}\}(m)$
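The Schnorr protocol, the rewinding extractor, the zero-knowledge simulator and the Fiat-Shamir signature from the preceding slides, as one added Python example that is not code from the slides. The group (order 11 inside $\mathbb{Z}_{23}^*$, generator 2), SHA-256 as the random oracle, and all sample values are constructed assumptions; with such a small $q$ the signature offers no security and only illustrates the algebra.

```python
# Added example, not code from the slides: the Schnorr protocol
# PK{(alpha): y = g^alpha}, the knowledge extractor that rewinds the prover
# to two challenges, the zero-knowledge simulator, and the Fiat-Shamir
# signature SPK{(alpha): y = g^alpha}(m).  Toy subgroup of order Q = 11
# inside Z_23^* (generator G = 2); all values are constructed and a real
# deployment needs a ~256-bit q.
import hashlib
import secrets

P, Q, G = 23, 11, 2


def keygen(x=None):
    """Secret x in Z_q, public y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit(r=None):
    """Round 1: pick r, send t = g^r."""
    if r is None:
        r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Round 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff t == g^s * y^c mod p."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def extract(c1, s1, c2, s2):
    """Two accepting transcripts with the same t and c1 != c2 give
    x = (s2 - s1) / (c1 - c2) mod q (the extractor on the slide)."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


def simulate(y, c, s=None):
    """Simulator for a known challenge c: pick s, set t = g^s * y^c.
    The transcript (t, c, s) verifies without anyone knowing x."""
    if s is None:
        s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


def challenge(t, m):
    """Fiat-Shamir: c = H(t || m) reduced into Z_q (SHA-256 as the oracle)."""
    digest = hashlib.sha256(f"{t}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m, r=None):
    """SPK{(alpha): y = g^alpha}(m) = (c, s)."""
    r, t = prover_commit(r)
    c = challenge(t, m)
    return c, prover_respond(x, r, c)


def verify_sig(y, m, sig):
    """Recompute t = g^s * y^c and check c == H(t || m)."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == challenge(t, m)


if __name__ == "__main__":
    x, y = keygen()
    r, t = prover_commit()
    c = secrets.randbelow(Q)
    s = prover_respond(x, r, c)
    print(verify(y, t, c, s))                             # True
    print(verify_sig(y, "poll-42", sign(x, "poll-42")))   # True
```

The extractor is the reason the prover must never reuse $r$: two signatures (or two protocol runs) sharing $t$ hand $x$ to anyone who sees them, which is exactly what `extract` computes.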
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$SPK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^{\alpha} \wedge z = \mathbf{g}^{\alpha} \wedge \alpha \in [0, \min\{ord(g), ord(\mathbf{g})\}]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \dots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \dots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does $PK\{(\alpha_1, \dots, \beta_2): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2 / \alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2 / \alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2 / \alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
Building blocks (figure): Alice's privacy-ABC credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs.
Signature Schemes
Signature Scheme Functionality
– Key generation: the signer generates a signing key and a public verification key.
– Signing: on messages $(m_1, \dots, m_k)$ the signer computes $\sigma = sig((m_1, \dots, m_k), \text{signing key})$.
– Verification: anyone holding the public key checks $ver(\sigma, (m_1, \dots, m_k), \text{public key}) = true$.
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack (figure): the adversary asks the signer for signatures $\sigma_1, \dots, \sigma_l$ on messages $m_1, \dots, m_l$ of its choice, and must then output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, \text{public key}) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^{e} = H(m) \pmod n\}$?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: the factors of $n$
To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute
$c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
– the signature is $(c, e, s)$
To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
Observe:
– Let $c' = c \cdot b^{t} \bmod n$ with randomly chosen $t$
– Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
Building blocks (figure): signature scheme, commitment scheme, zero-knowledge proofs; next: the commitment scheme.
Commitment Scheme
Commitment Scheme Functionality
Figure: Alice puts a message $m$ into a sealed box (the commitment) and hands it over; later she opens it and the verifier learns $m$.
Commitment Scheme Security
– Binding (figure): Alice cannot open one commitment to two different messages $m \neq m'$.
– Hiding (figure): for all messages $m, m'$, the commitments to $m$ and to $m'$ look the same to the verifier.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
Perfectly hiding:
– Let $c$ be a commitment and $u = \log_g h$
– Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur') + u(r - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$
– I.e. given $c$ and any $x'$ there exists an $r''$ such that $c = g^{x'} h^{r''}$
Computationally binding:
– Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$
– Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$
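The two properties above, worked in code as an added Python example that is not part of the slides: the constructed toy group has order 11 inside $\mathbb{Z}_{23}^*$, and $h = g^{u}$ is generated from a trapdoor $u$ that a real setup must discard (it is kept here only so the code can show equivocation, i.e. perfect hiding, and what a binding break reveals).

```python
# Added example, not code from the slides: Pedersen commitment c = g^x h^r
# in a toy group of prime order Q = 11 inside Z_23^*.  h = g^u for a
# trapdoor u that must be unknown in practice; keeping it lets the code
# demonstrate perfect hiding (any c opens to any x' given u) and that two
# openings of one commitment leak u = log_g h.  All values are constructed.
P, Q, G = 23, 11, 2
TRAPDOOR_U = 7                 # constructed; never available to a real committer
H = pow(G, TRAPDOOR_U, P)      # 13


def commit(x, r):
    """c = g^x * h^r mod p."""
    return pow(G, x, P) * pow(H, r, P) % P


def open_ok(c, x, r):
    """Verifier's check at opening time."""
    return c == commit(x, r)


def equivocate(x, r, x_new):
    """Perfect hiding, made constructive with the trapdoor:
    x + u r = x' + u r'  =>  r' = r + (x - x') / u (mod q)."""
    return (r + (x - x_new) * pow(TRAPDOOR_U, -1, Q)) % Q


def extract_trapdoor(x1, r1, x2, r2):
    """Binding: two different openings of one c give log_g h = (x1-x2)/(r2-r1)."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


if __name__ == "__main__":
    c = commit(3, 5)
    print(open_ok(c, 3, 5))                  # True
    r2 = equivocate(3, 5, 10)                # open the same c to x' = 10
    print(open_ok(c, 10, r2))                # True: hiding is perfect
    print(extract_trapdoor(3, 5, 10, r2))    # 7: breaking binding reveals u
```

This is why $h$ must come from a setup nobody can reproduce (for instance by hashing to the group): whoever knows $\log_g h$ can open a Pedersen commitment to anything.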
Commitment Scheme Extended Features
– Proof of knowledge of contents (figure): Alice proves that she knows the $m$ inside a commitment; the verifier outputs true without learning $m$.
– Proof of relations among contents (figure): e.g. Alice proves that the contents of two commitments satisfy $m' = 2 \cdot m$.
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^{2})^{\beta} h^{\gamma}\}$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better. Issuing a credential (figure): the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
Figure: the user sends commitments to $m_1, \dots, m_j$ together with the clear messages $(m_{j+1}, \dots, m_k)$; the signer returns $\sigma = sig((\text{commitments to } m_1, \dots, m_j;\ m_{j+1}, \dots, m_k), \text{signing key})$, and the user ends up with $\sigma$ such that $ver(\sigma, (m_1, \dots, m_k), \text{public key}) = true$.
Verification remains unchanged. Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \dots, m_j$
• forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: $n, a_i, b, d$
– User: computes $C = a_1^{sk} b^{s'}$ and sends $C$ and the attribute $name$ to the issuer together with the proof $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$.
– Issuer: chooses a prime $e$ and $s''$, computes $c = (d / (C \cdot a_2^{name} b^{s''}))^{1/e} \bmod n$ and sends $(c, e, s'')$.
– User: obtains the credential $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
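The CL-signature as the slides write it, $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \pmod n$, together with the re-randomisation $c' = c \cdot b^{t}$, $s' = s - et$ from the "Proving Knowledge of a CL-signature" slide and the issuance on a hidden message just described (user commits $C = a_1^{sk} b^{s'}$, issuer signs $C \cdot a_2^{name} b^{s''}$), as one added Python example. This is not code from the slides or from Identity Mixer: the modulus $101 \cdot 103$, the bases and all sample values are constructed toy numbers, the length restrictions on $e$ and the $m_i$ are ignored at this size, and the zero-knowledge proof that $C$ is well formed is not implemented.

```python
# Added example, not code from the slides: a toy CL-signature in the form
# used above, d = c^e a1^m1 a2^m2 b^s (mod n), with (1) signing and
# verification, (2) re-randomisation c' = c b^t, s' = s - e t, and
# (3) issuance on a hidden message: the user commits C = a1^sk b^s', the
# issuer signs C a2^name b^s''.  Toy modulus 101 * 103; real keys are
# >= 2048 bits, e must be a prime of the prescribed length and the
# messages must fit {0,1}^l.  All parameter values are constructed.
P_FACT, Q_FACT = 101, 103
N = P_FACT * Q_FACT
PHI = (P_FACT - 1) * (Q_FACT - 1)
# public bases, chosen as quadratic residues mod n
A1, A2, B, D = pow(3, 2, N), pow(5, 2, N), pow(7, 2, N), pow(11, 2, N)


def _root(base, e):
    """e-th root mod n; needs phi(n), i.e. the issuer's secret key."""
    return pow(base, pow(e, -1, PHI), N)


def sign(m1, m2, e, s):
    """Issuer: c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n; signature (c, e, s)."""
    inner = pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s, N) % N
    return _root(D * pow(inner, -1, N) % N, e), e, s


def verify(sig, m1, m2):
    """Anyone: d == c^e a1^m1 a2^m2 b^s mod n."""
    c, e, s = sig
    return D == pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s, N) % N


def randomize(sig, t):
    """User: (c b^t, e, s - e t) is a fresh-looking signature on the same messages.
    s' may go negative; pow() with a negative exponent uses the inverse of b."""
    c, e, s = sig
    return c * pow(B, t, N) % N, e, s - e * t


def user_commit(sk, s_prime):
    """User hides sk: C = a1^sk b^s' mod n (to be sent with a ZK proof)."""
    return pow(A1, sk, N) * pow(B, s_prime, N) % N


def issue_on_commitment(C, name, e, s_pp):
    """Issuer signs the hidden sk via C: c = (d / (C a2^name b^s''))^(1/e)."""
    inner = C * pow(A2, name, N) * pow(B, s_pp, N) % N
    return _root(D * pow(inner, -1, N) % N, e), e, s_pp


def combine(partial, s_prime):
    """User completes the credential: (c, e, s'' + s')."""
    c, e, s_pp = partial
    return c, e, s_pp + s_prime


if __name__ == "__main__":
    sig = sign(5, 9, 13, 1234)
    print(verify(sig, 5, 9), verify(randomize(sig, 77), 5, 9))   # True True
    C = user_commit(5, 100)                       # sk = 5 stays hidden
    cred = combine(issue_on_commitment(C, 9, 13, 200), 100)
    print(verify(cred, 5, 9))                     # True: credential on (sk, name)
```

Two things the code makes visible: only `_root` touches `PHI`, so the user can randomize and verify with public data alone; and the issuer never learns `sk`, yet the combined $(c, e, s'' + s')$ verifies against it exactly like a signature the issuer had computed in the clear.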
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your e is in the accumulator:
– Commit to x:
  • choose random s and g, and
  • compute U1 = x h^s, U2 = g^s, and reveal U1, U2, g
– Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}

Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed:
  • (U1, U2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof indeed shows that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δ·μ} = (U1 / h^δ)^μ (mod n), i.e., U1 / h^δ is a witness for μ
  c) d = c^ε a1^ρ a2^μ b^σ (mod n), i.e., the same μ is the e inside the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{∏ e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e., they need to be updated: x' = x^{e_new} mod n

Revocation: Third Solution – Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^{∏_{e_i ≠ e_rev} e_i} = z^{1/e_rev} mod n
– Witness:
  • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  • now x' = x^b z'^a mod n
  • why: x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
        = ((x^b z'^a)^{e_own · e_rev})^{1/e_rev} mod n
        = ((x^{e_own})^{b·e_rev} (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n
        = (z^{b·e_rev} z^{a·e_own})^{1/e_rev} mod n
        = z^{1/e_rev} mod n = z'  :-)

Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– Recall z = v^{∏ e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed when a new member joins
– Witnesses need to be recomputed upon revocation only
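The accumulator setup, witness computation, membership check, both join variants and the user-side witness update after a revocation from the accumulator slides above, as an added Python example (this is not code from the slides or from Identity Mixer). The modulus built from the Mersenne primes 2^31 − 1 and 2^61 − 1, and the member primes 127, 8191, 131071 and 524287 (chosen coprime to φ(n)), are constructed toy parameters; a real issuer uses a 2048-bit modulus and primes of the size the credential scheme requires.

```python
import secrets

# Constructed toy parameters (an assumption of this example): modulus from the
# Mersenne primes 2^31-1 and 2^61-1.  The issuer keeps the factorisation, which
# is what lets it take e-th roots (z^(1/e)).  Member values must be primes that
# are coprime to phi(n); 127, 8191, 131071 and 524287 qualify here.
P_ISSUER, Q_ISSUER = 2**31 - 1, 2**61 - 1
N = P_ISSUER * Q_ISSUER
PHI = (P_ISSUER - 1) * (Q_ISSUER - 1)


def modpow(base, exp, n):
    """pow() that also accepts negative exponents (via the modular inverse)."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)


def setup():
    """Seed v: a random quadratic residue mod n."""
    return pow(secrets.randbelow(N - 3) + 2, 2, N)


def accumulate(v, primes):
    """z = v^(prod e_i) mod n."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(v, primes, e_j):
    """x = v^(prod of all e_i except e_j) mod n, so that x^e_j = z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    """Membership check done by the verifier: z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, witnesses, e_new):
    """Join without the trapdoor: z' = z^e_new and every old witness x' = x^e_new."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def issue_witness_trapdoor(z, e_new):
    """Join with the trapdoor (improved variant): z stays, x_new = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n (needs phi(n))."""
    return pow(z, pow(e_rev, -1, PHI), N)


def egcd(a, b):
    """Extended Euclid: returns (g, u, w) with a*u + b*w = g."""
    if b == 0:
        return a, 1, 0
    g, u, w = egcd(b, a % b)
    return g, w, u - (a // b) * w


def update_witness_after_revocation(x, z_new, e_own, e_rev):
    """User side, no trapdoor: a*e_own + b*e_rev = 1, then x' = x^b * z'^a mod n,
    so that x'^e_own = z'^(a*e_own + b*e_rev) = z' (the derivation on the slide)."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "e_own and e_rev must be distinct primes"
    return modpow(x, b, N) * modpow(z_new, a, N) % N
```

Note that `add_member` forces every holder to refresh its witness, while `issue_witness_trapdoor` leaves z and all existing witnesses untouched; only `revoke` still triggers a witness update, which each holder can do alone from the new z' and the revoked prime.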
Revocation: Zeroth Solution – Update of Credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– User sends U = a1^{m1} a2^{m2} b^{s'}
– Issuer chooses e, s'' and computes c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n; the user receives (c, e, s'')

Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
– Issuer chooses e_i, s_i'' and computes c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
– Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch and Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, 16(3):185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2):84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, 28(10), 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Zero Knowledge Proofs
Proof of knowledge: if a prover can successfully convince a verifier, then the secret needs to be extractable.
The prover might do the protocol computation in any way it wants, and we cannot analyse its code. Thought experiment: assume we have the prover as a black box → we can reset and rerun the prover. Need to show how the secret can be extracted via the protocol interface.
Rewind the prover to the same commitment t and answer two different challenges c and c', obtaining transcripts (t, c, s) and (t, c', s'):
t = g^s y^c = g^{s'} y^{c'}  →  y^{c−c'} = g^{s'−s}  →  y = g^{(s'−s)/(c−c')}  →  x = (s'−s)/(c−c') mod q
Zero Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows x = log_g y).
Idea: one can simulate whatever Bob "sees", i.e., transcripts (t, c, s), without knowing x:
– Choose random c', s' and compute t = g^{s'} y^{c'}; send t
– If the verifier's challenge c = c', send s = s'; otherwise restart
Problem: if the domain of c is too large, the success probability becomes too small.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for c: the verifier first commits to its challenge.
Prover (knows x with y = g^x)                 Verifier
                                              random c_v, h = H(c_v)
                     <---- h ----
random r, t = g^r
                     ---- t ---->
                     <---- c_v ----
check h = H(c_v), s = r − c_v·x
                     ---- s ---->
                                              check t = g^s y^{c_v}
notation: PK{(α): y = g^α}
Zero Knowledge Proofs: Security
Simulating the modified protocol (large domain for c):
– Receive h; choose random c', s' and compute t = g^{s'} y^{c'}; send t
– After having received c_v, "reboot" the verifier to the state right after it sent h
– Now choose random s and compute t = g^s y^{c_v}; send t, receive c_v again, send s
The simulator succeeds because the verifier is bound to c_v by h = H(c_v).
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group <g> and an element y ∈ <g>, the prover wants to convince the verifier that she knows x s.t. y = g^x, such that the verifier only learns y and g.
Prover (knows x, y = g^x)                Verifier
random r, t = g^r
                   ---- t ---->
                   <---- c ----          random c
s = r − c·x
                   ---- s ---->
                                         check t = g^s y^c
notation: PK{(α): y = g^α}
From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r − c·x (mod q)
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m)  ↔  t = g^s y^c
Security:
– underlying protocol is a zero-knowledge proof of knowledge
– hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)
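The Schnorr protocol PK{(α): y = g^α}, the rewinding extractor from the "Zero Knowledge Proofs" slide, the simulator from the zero-knowledge slide and the Fiat-Shamir signature SPK{(α): y = g^α}(m) from this slide, as one added Python example (this is not code from the slides or from Identity Mixer). The safe-prime group p = 2039, q = 1019 with generator g = 4 is a constructed toy parameter set, far too small for real use, and SHA-256 stands in for the random oracle H.

```python
import hashlib
import secrets

# Constructed toy parameters (an assumption of this example): safe prime
# p = 2q + 1 and the subgroup of squares mod p, which has prime order q.
# Real deployments use a 2048-bit p or an elliptic curve; the algebra is the same.
P = 2039
Q = 1019
G = 4  # a square mod p, hence a generator of the order-q subgroup


def keygen():
    """Prover's secret x and public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- interactive protocol PK{(alpha): y = g^alpha} ---------------------------

def prover_commit():
    """Round 1: random r, send t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: random challenge c in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r - c*x mod q."""
    return (r - c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff t == g^s * y^c."""
    return t == (pow(G, s, P) * pow(y, c, P)) % P


def run_protocol(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(x, r, c))


# --- soundness: knowledge extractor ------------------------------------------

def extract(c1, s1, c2, s2):
    """Two accepting transcripts with the same t and c1 != c2 reveal x:
    g^s1 y^c1 = g^s2 y^c2  =>  y^(c1-c2) = g^(s2-s1)  =>  x = (s2-s1)/(c1-c2) mod q."""
    assert (c1 - c2) % Q != 0
    return ((s2 - s1) * pow((c1 - c2) % Q, -1, Q)) % Q


# --- zero-knowledge: simulator -----------------------------------------------

def simulate(y):
    """Choose c and s first, then t = g^s y^c: an accepting transcript made
    without x and distributed like a real one."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(G, s, P) * pow(y, c, P)) % P, c, s


# --- Fiat-Shamir: signature SPK{(alpha): y = g^alpha}(m) ---------------------

def _challenge(t, m):
    """c = H(t || m) reduced into Z_q; SHA-256 plays the random oracle."""
    digest = hashlib.sha256(t.to_bytes(2, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    r = secrets.randbelow(Q)
    c = _challenge(pow(G, r, P), m)
    return c, (r - c * x) % Q


def verify(y, m, sig):
    c, s = sig
    t = (pow(G, s, P) * pow(y, c, P)) % P  # recompute t = g^s y^c from (c, s)
    return c == _challenge(t, m)
```

The extractor is the reason a prover must never reuse r across two runs: two signatures with the same t on different messages hand x to anyone who sees them, exactly as the rewinding argument predicts.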
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
– PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
– PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
– SPK{(α): y = g^α}(m)
Many exponents:
– PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
– PK{(α): y = g^α ∧ α ∈ [A, B]}
– PK{(α): y = g^α ∧ z = ĝ^α ∧ α ∈ [0, min(ord(g), ord(ĝ))]}
Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 g^α2 h^β3} mean?
→ Prover knows values α1, β1, α2, β2, α3, β3 such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = g^α1 g^α2 h^β3 = g^{α1+α2} h^β3 = g^α3 h^β3
→ α3 = α1 + α2 (mod q)
And what about PK{(α1, β1, α2, β2, α3, β3): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = g^α1 (g^5)^α2 h^β3}?
→ C3 = g^α1 g^{5·α2} h^β3 = g^{α1+5·α2} h^β3
→ α3 = α1 + 5·α2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C1, C2, C3 be group elements.
Now what does PK{(α1, β1, α2, β2, α3, β3, β3'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C3 = g^α3 h^β3 ∧ C3 = C2^α1 h^β3'} mean?
→ Prover knows values α1, β1, α2, β2, α3, β3, β3' such that
  C1 = g^α1 h^β1, C2 = g^α2 h^β2 and
  C3 = C2^α1 h^β3' = (g^α2 h^β2)^α1 h^β3' = g^{α2·α1} h^{β3' + β2·α1}
  C3 = g^{α2·α1} h^{β3' + β2·α1} = g^α3 h^β3
→ α3 = α1 · α2 (mod q)
And what about PK{(α1, β1, β2, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ C2 = C1^α1 h^β2'}?
→ α2 = α1^2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C1, C2 be group elements.
Now what does PK{(α1, β1, β2'): C1 = g^α1 h^β1 ∧ C2 = g^α2 h^β2 ∧ g = (C2/C1)^α1 h^β2'} mean?
→ Prover knows values α1, β1, β2' such that
  C1 = g^α1 h^β1 and
  g = (C2/C1)^α1 h^β2' = (C2 g^{−α1} h^{−β1})^α1 h^β2'
→ g^{1/α1} = C2 g^{−α1} h^{−β1} h^{β2'/α1}
  C2 = g^α1 h^β1 h^{−β2'/α1} g^{1/α1} = g^{α1 + 1/α1} h^{β1 − β2'/α1}
  C2 = g^α2 h^β2
→ α2 = α1 + α1^{−1} (mod q)
Privacy-protecting authentication with Privacy ABCs
Building blocks (in Alice's wallet): signature scheme, commitment scheme, zero-knowledge proofs

Signature Schemes
Signature Scheme: Functionality
– Key generation: the signer generates a key pair (secret signing key sk, public verification key pk)
– Signing: σ = sig((m1, ..., mk), sk)
– Verification: ver(σ, (m1, ..., mk), pk) = true

Signature Scheme: Security
Unforgeability under adaptive chosen message attack:
– the adversary adaptively obtains signatures σ1, ..., σl on messages m1, ..., ml of its choice
– it wins if it outputs σ and m ≠ mi s.t. ver(σ, m, pk) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)

RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g., PK{(m, s): s^e = H(m) (mod n)}?
But this is not a valid proof expression :-(  (the statement is not a relation between exponents in a group, so the proof techniques above do not apply)
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, ..., mk ∈ {0,1}^ℓ:
– choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute
  c = (d / (a1^{m1} ··· ak^{mk} b^s))^{1/e} mod n
– signature is (c, e, s)

CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}
– d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature
Recall d = c^e a1^{m1} a2^{m2} b^s mod n
Observe: let c' = c b^t mod n with randomly chosen t.
Then d = c'^e a1^{m1} a2^{m2} b^{s−e·t} (mod n), i.e., (c', e, s' = s − e·t) is also a signature on m1 and m2.
To prove knowledge of a signature (c', e, s') on m2 and some m1, provide c' and run
PK{(ε, μ1, σ): d / a2^{m2} = c'^ε a1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^{μ1} a2^{m2} b^σ
Privacy-protecting authentication with Privacy ABCs
Building blocks: signature scheme, commitment scheme, zero-knowledge proofs

Commitment Schemes
Commitment Scheme: Functionality
– Commit: the sender locks a message m (2-36-17 in the picture) into a commitment and hands it to the receiver, who learns nothing about m
– Open: the sender later reveals m; the receiver checks that it matches the commitment

Commitment Scheme: Security
– Binding: the sender cannot open the commitment to a different message m' (3-21-11 in the picture)
– Hiding: for all messages m, m', a commitment to m is indistinguishable from a commitment to m'
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen: perfectly hiding, computationally binding – choose r ∈ Z_q and compute c = g^x h^r
• ElGamal: computationally hiding, perfectly binding – choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• verifier checks if c = g^x h^r

Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^{x+u·r} = g^{x'+u·r'} = g^{x'} h^{r'} for any x', with r' = r + (x − x')/u mod q
I.e., given c and x', there exists r' such that c = g^{x'} h^{r'}
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^{x'} h^{r'}
Then g^{x−x'} = h^{r'−r} and u = log_g h = (x − x')/(r' − r) mod q
Commitment Scheme: Extended Features
– Proof of knowledge of contents: prove that you know the message m inside a commitment without opening it (verifier outputs true)
– Proof of relations among contents: prove that two commitments contain m and m' with m' = 2·m, again without opening them

Commitment Scheme: Extended Features
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}, then
– PK{(α, β): C1 = g^β h^α}
– PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
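The Pedersen commitment and the two proofs on this slide, PK{(α, β): C1 = g^β h^α} and PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}, as an added Python example made non-interactive with Fiat-Shamir (this is not code from the slides or from Identity Mixer). The toy group p = 2039, q = 1019 with g = 4, h = 9 is constructed; in practice h must be generated so that log_g h is unknown to the committer (e.g., by hashing into the group), which the toy constants do not guarantee.

```python
import hashlib
import secrets

# Constructed toy group (an assumption of this example): safe prime p = 2q + 1;
# g and h are squares mod p and so generate the order-q subgroup.  Binding
# needs log_g h to be unknown to the committer, which a real setup ensures by
# deriving h from a hash; the toy values do not.
P, Q = 2039, 1019
G, H = 4, 9


def commit(m, r=None):
    """Pedersen commitment C = g^m h^r, with fresh r unless one is supplied."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(H, r, P)) % P, r


def open_commitment(c, m, r):
    return c == (pow(G, m, P) * pow(H, r, P)) % P


def _challenge(*values):
    """Fiat-Shamir challenge over all public values, reduced into Z_q."""
    data = b"".join(v.to_bytes(4, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# SPK{(alpha, beta): C = g^alpha h^beta}: knowledge of the opening
def prove_opening(c, m, r):
    ra, rb = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, ra, P) * pow(H, rb, P)) % P
    ch = _challenge(c, t)
    return ch, (ra - ch * m) % Q, (rb - ch * r) % Q


def verify_opening(c, proof):
    ch, sa, sb = proof
    t = (pow(G, sa, P) * pow(H, sb, P) * pow(c, ch, P)) % P
    return ch == _challenge(c, t)


# SPK{(alpha, beta, gamma): C1 = g^alpha h^beta  AND  C2 = (g^2)^alpha h^gamma}
# One response s_alpha serves both equations; that is what forces m2 = 2*m1.
def prove_double(c1, c2, m, r1, r2):
    ra, rb, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = (pow(G, ra, P) * pow(H, rb, P)) % P
    t2 = (pow(G, 2 * ra, P) * pow(H, rg, P)) % P
    ch = _challenge(c1, c2, t1, t2)
    return ch, (ra - ch * m) % Q, (rb - ch * r1) % Q, (rg - ch * r2) % Q


def verify_double(c1, c2, proof):
    ch, sa, sb, sg = proof
    t1 = (pow(G, sa, P) * pow(H, sb, P) * pow(c1, ch, P)) % P
    t2 = (pow(G, 2 * sa, P) * pow(H, sg, P) * pow(c2, ch, P)) % P
    return ch == _challenge(c1, c2, t1, t2)
```

The verifier never sees m, r1 or r2; it only recomputes t1 and t2 from the responses and checks that the hash matches, so a prover whose C2 does not contain 2·m cannot make both equations close with one shared response.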
Putting Things Together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– Choose random r ∈ Z_q
– Compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better
Issuing a credential, e.g., with attributes Name = Alice Doe, Birth date = April 3, 1997
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
– m1, ..., mk ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a1^{sk} a2^{m2} ··· ak^{mk} b^s mod n
New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
– The signer receives commitments to m1, ..., mj together with the clear messages mj+1, ..., mk and outputs σ = sig((commitments to m1, ..., mj; mj+1, ..., mk), sk)
– Verification remains unchanged: ver(σ, (m1, ..., mk), pk) = true
– Security requirements are basically the same as for signatures, but
  • the signer should not learn any information about m1, ..., mj
  • forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d
1. User computes C = a1^{sk} b^{s'} and sends C and her name, together with PK{(μ1, σ'): C = a1^{μ1} b^{σ'}}
2. Issuer chooses e, s'' and computes c = (d / (C a2^{name} b^{s''}))^{1/e} mod n, returns (c, e, s'')
3. User holds the signature (c, e, s'' + s') on (sk, name): d = c^e a1^{sk} a2^{name} b^{s'' + s'} (mod n)

Realizing Issuance of Credential
Issuer public key: n, a_i, b, d. Want to sign w.r.t. Nym = g^{sk} h^r
1. User computes C = a1^{sk} a2^r b^{s'} and sends C, Nym and her name, together with PK{(μ1, ρ, σ'): Nym = g^{μ1} h^ρ ∧ C = a1^{μ1} a2^ρ b^{σ'}}
2. Issuer stores (Nym, name), chooses e, s'' and computes c = (d / (C a3^{name} b^{s''}))^{1/e} mod n, returns (c, e, s'')
3. User holds the signature (c, e, s'' + s'): d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n)
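CL signing, verification, the re-randomisation c' = c b^t, s' = s − e·t from the "Proving Knowledge of a CL-signature" slide, and issuance on the user's commitment C = a1^{sk} b^{s'} from the issuance slides above, as one added Python example (this is not code from the slides or from Identity Mixer). The modulus built from the Mersenne primes 2^31 − 1 and 2^61 − 1 and the message length ℓ = 16 are constructed toy parameters; a real issuer uses a 2048-bit modulus and a properly sized s. Taking e-th roots needs φ(n), which is exactly why the factors of n are the issuer's secret key.

```python
import secrets
from math import gcd

# Constructed toy parameters (an assumption of this example): the Mersenne
# primes 2^31-1 and 2^61-1 give a ~92-bit modulus; ell = 16 bounds the messages.
# A real issuer uses a 2048-bit modulus and a much larger s.  The factorisation
# is the issuer's secret key: it is needed to take e-th roots mod n.
P_ISSUER, Q_ISSUER = 2**31 - 1, 2**61 - 1
N = P_ISSUER * Q_ISSUER
PHI = (P_ISSUER - 1) * (Q_ISSUER - 1)
L = 16  # messages m_i lie in [0, 2^L)


def modpow(base, exp, n):
    """pow() that also accepts negative exponents (uses the modular inverse)."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)


def random_qr():
    """A random quadratic residue mod n, as required for a_i, b and d."""
    return pow(secrets.randbelow(N - 3) + 2, 2, N)


def is_prime(v):
    return v > 1 and all(v % k for k in range(2, int(v**0.5) + 1))


def random_prime_e():
    """Prime e with 2^(L+1) < e < 2^(L+2) that is invertible mod phi(n)."""
    while True:
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)
        if is_prime(e) and gcd(e, PHI) == 1:
            return e


def keygen(k):
    """Public key (a_1..a_k, b, d) over the modulus N; secret key = factors of N."""
    return {"a": [random_qr() for _ in range(k)], "b": random_qr(), "d": random_qr()}


def sign(pk, msgs):
    """c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n; signature (c, e, s)."""
    e, s = random_prime_e(), secrets.randbelow(N)
    base = pk["d"]
    for a_i, m_i in zip(pk["a"], msgs):
        base = base * modpow(a_i, -m_i, N) % N
    base = base * modpow(pk["b"], -s, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s


def verify(pk, msgs, sig):
    """Check m_i in [0, 2^L), e > 2^(L+1) and d = c^e a_1^m_1 ... a_k^m_k b^s mod n."""
    c, e, s = sig
    if e <= 2 ** (L + 1) or not all(0 <= m < 2**L for m in msgs):
        return False
    lhs = pow(c, e, N)
    for a_i, m_i in zip(pk["a"], msgs):
        lhs = lhs * pow(a_i, m_i, N) % N
    return lhs * modpow(pk["b"], s, N) % N == pk["d"]


def randomize(pk, sig):
    """c' = c b^t, s' = s - e t: a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def user_commit(pk, sk):
    """User's hidden message: C = a_1^sk b^s' (a commitment to sk)."""
    s_user = secrets.randbelow(N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s_user, N) % N, s_user


def issue_on_commitment(pk, commitment, clear_msgs):
    """Issuer signs (hidden sk, clear messages) without learning sk:
    c = (d / (C a_2^m_2 ... b^s''))^(1/e); the user's final s is s' + s''."""
    e, s_issuer = random_prime_e(), secrets.randbelow(N)
    base = pk["d"] * pow(commitment, -1, N) % N
    for a_i, m_i in zip(pk["a"][1:], clear_msgs):
        base = base * modpow(a_i, -m_i, N) % N
    base = base * modpow(pk["b"], -s_issuer, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s_issuer
```

In a real issuance the issuer would first verify the user's PK{(μ1, σ'): C = a1^{μ1} b^{σ'}} before signing; this example skips that proof and only shows the algebra of the blind issuance and of the re-randomisation that keeps the presented c' unlinkable to the issued c.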
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable

Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with d = c^e a1^{sk} a2^r a3^{attr} b^s (mod n) under the issuer key (n, a1, a2, a3, b, d)
– The credential can contain attributes (e.g., course ID) about her

Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
– c' = c b^{s'} mod n with randomly chosen s'
– SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
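The registration pseudonym Nym = g^{sk} h^r, the domain pseudonym P = H(pollID)^{sk} and a proof that both are built from the same sk, as an added Python example for the polling scenario above (this is not code from the slides or from Identity Mixer; the credential part of the SPK is left out, only the key-binding conjunct P = g_d^{μ1} ∧ Nym = g^{μ1} h^ρ is shown). The toy group p = 2039, q = 1019 with g = 4, h = 9 is constructed, and hashing into the group by reducing SHA-256 mod p and squaring is an assumption of this example.

```python
import hashlib
import secrets

# Constructed toy group (an assumption of this example): safe prime p = 2q + 1
# with g, h squares mod p, i.e. generators of the order-q subgroup.
P, Q = 2039, 1019
G, H = 4, 9


def hash_to_group(label):
    """g_d = H(pollID): hash, map into [2, p-2] and square, so that g_d lies in
    the order-q subgroup.  (Assumed construction, not from the slides.)"""
    v = 2 + int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 3)
    return pow(v, 2, P)


def keygen():
    """User's secret key sk, non-zero in Z_q."""
    return secrets.randbelow(Q - 1) + 1


def pseudonym(sk):
    """Registration pseudonym Nym = g^sk h^r (a Pedersen commitment to sk)."""
    r = secrets.randbelow(Q)
    return (pow(G, sk, P) * pow(H, r, P)) % P, r


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: one value per (user, poll), unlinkable across polls."""
    return pow(hash_to_group(poll_id), sk, P)


def _challenge(*values):
    """Fiat-Shamir challenge over group elements (ints) and labels (bytes)."""
    data = b"".join(v if isinstance(v, bytes) else v.to_bytes(4, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_same_key(sk, r, nym, poll_id, opinion):
    """SPK{(mu, rho): Nym = g^mu h^rho  AND  P = g_d^mu}(pollID, opinion): a single
    response for mu ties the domain pseudonym to the registered key, and the
    opinion is bound as the signed message."""
    g_d = hash_to_group(poll_id)
    dp = pow(g_d, sk, P)
    r_mu, r_rho = secrets.randbelow(Q), secrets.randbelow(Q)
    t1 = (pow(G, r_mu, P) * pow(H, r_rho, P)) % P
    t2 = pow(g_d, r_mu, P)
    c = _challenge(nym, dp, t1, t2, poll_id, opinion)
    return dp, (c, (r_mu - c * sk) % Q, (r_rho - c * r) % Q)


def verify_same_key(nym, poll_id, dp, proof, opinion):
    """Pollster: recompute t1, t2 from the responses and check the challenge."""
    g_d = hash_to_group(poll_id)
    c, s_mu, s_rho = proof
    t1 = (pow(G, s_mu, P) * pow(H, s_rho, P) * pow(nym, c, P)) % P
    t2 = (pow(g_d, s_mu, P) * pow(dp, c, P)) % P
    return c == _challenge(nym, dp, t1, t2, poll_id, opinion)


def detect_duplicate(seen, dp):
    """Pollster keeps the domain pseudonyms seen in this poll; a repeat is dropped."""
    if dp in seen:
        return False
    seen.add(dp)
    return True
```

The pollster stores only P values, never Nym, so two polls with different pollIDs see H(pollID1)^{sk} and H(pollID2)^{sk}, which are unlinkable under DDH; within one poll the same user always produces the same P, which is what `detect_duplicate` relies on.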
Further Concepts

Concept – Inspection
– The user verifiably encrypts her identity under the public key of a trusted third party (TTP, the inspector), using the published inspector parameters; the inspection grounds are fixed up front
• If the car is damaged, the ID can be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
– Key generation
– Encryption
– Decryption

Security
Like envelopes: the ciphertext reveals no information about the message. Even if the adversary picks two messages m, m' and one of them is encrypted, it cannot tell which one.
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption
Of attributes (discrete logarithms):
– Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements):
– Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists):
– Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}. Public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^{x·r} m, g^r)
– Thus set m = c1 c2^{−x} = y^r m g^{−x·r} = y^{r−r} m = m
Realizing Inspection
User holds Nym = g^{sk} h^r and the credential d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n); inspector public key y = g^x
Encrypt Nym: random u ∈ {1, ..., q} and enc = (y^u Nym, g^u) = (e1, e2). Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof
  PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of Credentials

Anonymous Credential Revocation
– Various reasons to revoke a credential: user lost the credential / secret key, misbehavior of the user
– The issuer publishes revocation info; the verifier looks it up
– Alice should be able to convince the verifier that her credential is among the good ones
– Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for u_j in (u_1, ..., u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u_1, ..., u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks whether U = h^{u_j} for any u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.

Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_j = h^{u_j} → single table lookup. BUT if the user comes again, the verifier can link. ALSO, the verifier could not change h at all or use the same h as other verifiers.
– One way out: h = H(verifier, date), so the user can check correctness; date could be the time up to seconds and the verifier could just store all the lists, i.e., pre-compute them.
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
© 2014 IBM Corporation, August 11, 2015
Zero-Knowledge Proofs: Security
Zero-knowledge property: the verifier does not learn anything (except the fact that Alice knows $x = \log_g y$).
Idea: one can simulate whatever Bob "sees". The simulator picks random $c'$ and $s'$, computes $t = g^{s'} y^{c'}$ and sends $t$; if the verifier's challenge $c$ equals $c'$ it answers $s = s'$, otherwise it rewinds and restarts.
Problem: if the domain of $c$ is too large, the success probability per attempt ($1/|\text{domain}|$) becomes too small.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
One way to modify the protocol to get a large domain for $c$: the verifier commits to its challenge first. Public: $y = g^x$; the prover knows $x$.
1. Verifier: random $c$, $v$; sends $h = H(c, v)$.
2. Prover: random $r$; sends $t = g^r$.
3. Verifier: sends $c$, $v$.
4. Prover: checks $h = H(c, v)$; sends $s = r - cx$.
5. Verifier: checks $t = g^s y^c$.
Notation: $PK(\alpha)\{ y = g^\alpha \}$.
Zero-Knowledge Proofs: Security
Simulating the modified protocol (large domain for $c$):
1. The simulator receives $h$ from the verifier.
2. It chooses random $c'$, $s'$, computes $t = g^{s'} y^{c'}$ and sends $t$.
3. After having received $c$, $v$ it "reboots" the verifier to the state right after $h$ was sent. Because $h = H(c, v)$ commits the verifier to $c$, the second run must use the same $c$.
4. It now chooses random $s$, computes $t = g^{s} y^{c}$, sends $t$, receives $c$, $v$ again and sends $s$.
The resulting transcript $(h, t, c, v, s)$ is distributed like a real one, yet was produced without $x$.
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x$ s.t. $y = g^x$, such that the verifier only learns $y$ and $g$.
1. Prover: random $r$; $t = g^r$; sends $t$.
2. Verifier: random $c$; sends $c$.
3. Prover: $s = r - cx$; sends $s$.
4. Verifier: checks $t = g^s y^c$.
Notation: $PK(\alpha)\{ y = g^\alpha \}$.
From Protocols To Signatures
Signing a message $m$:
– choose random $r \in \mathbb{Z}_q$,
– compute $c = H(g^r \| m) = H(t \| m)$ and $s = r - cx \pmod q$,
– output $(c, s)$.
Verifying a signature $(c, s)$ on a message $m$:
– check $c = H(g^s y^c \| m)$, which recomputes $t = g^s y^c$.
Security: the underlying protocol is a zero-knowledge proof of knowledge, and the hash function $H(\cdot)$ behaves as a "random oracle".
Signature notation: $SPK(\alpha)\{ y = g^\alpha \}(m)$.
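To make the protocol and its two security arguments concrete, here is an added example in Python (written for this page, not code from the slides or from Identity Mixer): the interactive Schnorr protocol above, the simulator that produces accepting transcripts without $x$ (zero-knowledge), the extractor that recovers $x$ from two transcripts sharing the same $t$ (proof of knowledge), and the Fiat–Shamir signature $SPK(\alpha)\{y = g^\alpha\}(m)$ with SHA-256 standing in for $H$. The group parameters $p = 2039$, $q = 1019$, $g = 4$ are a constructed toy instance, and all function names are assumptions of the example.

```python
"""Schnorr proof of knowledge of x = log_g y: the interactive protocol, the
simulator behind zero-knowledge, the extractor behind proof of knowledge,
and the Fiat-Shamir signature SPK(alpha){y = g^alpha}(m).
Added example for this page, not code from the slides; toy parameters."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 has order q.
# Far too small for real use: take a 2048-bit safe prime or an EC group.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1            # secret x in [1, q-1]
    return x, pow(G, x, P)                      # (x, y = g^x)


# --- interactive protocol PK(alpha){ y = g^alpha } ----------------------
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                      # keep r, send t = g^r


def verifier_challenge():
    return secrets.randbelow(Q)                 # c from the full domain Z_q


def prover_respond(x, r, c):
    return (r - c * x) % Q                      # s = r - c x  (mod q)


def verify(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P  # t == g^s y^c


def run_protocol(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


# --- zero-knowledge: an accepting transcript without knowing x ----------
def simulate(y):
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, c, P) % P        # pick c, s first, then t
    return t, c, s


# --- proof of knowledge: two transcripts with the same t reveal x --------
def extract(c1, s1, c2, s2):
    # s1 - s2 = (c2 - c1) x  (mod q) because the same r cancels out
    return (s1 - s2) * pow(c2 - c1, -1, Q) % Q


# --- Fiat-Shamir: SPK(alpha){ y = g^alpha }(m), i.e. a Schnorr signature -
def hash_to_zq(t, m):
    """c = H(t || m) with SHA-256 standing in for the random oracle."""
    digest = hashlib.sha256(t.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q


def spk_sign(x, m):
    r = secrets.randbelow(Q)
    c = hash_to_zq(pow(G, r, P), m)             # the hash replaces the verifier
    return c, (r - c * x) % Q


def spk_verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P         # recompute t = g^s y^c
    return c == hash_to_zq(t, m)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive run accepted:", run_protocol(x, y))
    print("simulated transcript accepted:", verify(y, *simulate(y)))
    sig = spk_sign(x, b"attribute release")
    print("signature ok:", spk_verify(y, b"attribute release", sig),
          "on another message:", spk_verify(y, b"tampered", sig))
```

The simulated transcript passes `verify` although `simulate` never touches $x$, which is the whole content of the zero-knowledge claim; `extract` is the reason the protocol is a proof of knowledge, and it is also why a signer must never reuse $r$ in `spk_sign`.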
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK(\alpha, \beta)\{ y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha \}$
$PK(\alpha, \beta)\{ y = g^\alpha \vee z = g^\beta \}$
Non-interactive (Fiat–Shamir heuristic, Schnorr signatures):
$SPK(\alpha)\{ y = g^\alpha \}(m)$
Many exponents:
$PK(\alpha, \beta, \gamma, \delta)\{ y = g^\alpha h^\beta z^\gamma k^\delta u^\beta \}$
Intervals and groups of different order (under SRSA):
$PK(\alpha)\{ y = g^\alpha \wedge \alpha \in [A, B] \}$
$PK(\alpha)\{ y = g^\alpha \wedge z = \tilde{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde{g}))] \}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. What does
$PK(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3)\{ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} \}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$.
And what about
$PK(\alpha_1, \ldots, \beta_3)\{ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3} \}$?
→ $C_3 = g^{\alpha_1} g^{5\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$.
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. What does
$PK(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \beta_3')\{ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3'} \}$
mean? ($\beta_3'$ is a separate randomness exponent: the $h$-exponents of the two expressions for $C_3$ differ.)
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \beta_3'$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3'} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3'} = g^{\alpha_1 \alpha_2} h^{\beta_3' + \alpha_1 \beta_2}$
$C_3 = g^{\alpha_1 \alpha_2} h^{\beta_3' + \alpha_1 \beta_2} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$.
And what about
$PK(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2')\{ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2'} \}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$.
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. What does
$PK(\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_2')\{ C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'} \}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2'$ (and $\alpha_2, \beta_2$) such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'} = (C_2 g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2 g^{-\alpha_1} h^{-\beta_1} h^{\beta_2'/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2'/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2'/\alpha_1}$
Comparing with $C_2 = g^{\alpha_2} h^{\beta_2}$:
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$.
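As an added example (mine, not code from the slides), the following Python shows how a conjunction of such equations with shared witnesses is proved in one Σ-protocol: each equation is written as target $= \prod \text{base}^{w_i}$, and reusing a witness index in several equations is exactly what forces the relation between the committed values. It reproduces the sum and product relations just analysed (including the separate randomness exponent $\beta_3'$) and shows that a prover whose $C_3$ commits to $\alpha_1 + \alpha_2 + 1$ is rejected. The toy group $p = 2039$, $q = 1019$, $g = 4$, $h = 9$, the statement encoding and the function names are assumptions of the example.

```python
"""One Sigma-protocol for a conjunction of discrete-log equations with shared
witnesses, the PK(...){ ... AND ... } notation of the slides, applied to the
Pedersen-commitment relations analysed above. Added example for this page,
not code from the slides; toy parameters."""
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 and h = 9 have
# order q. In a real setup log_g h must be unknown (derive h by hashing).
P, Q, G, H = 2039, 1019, 4, 9


def rand_zq():
    return secrets.randbelow(Q)


def commit(m, r):
    """Pedersen commitment C = g^m h^r."""
    return pow(G, m, P) * pow(H, r, P) % P


def multiexp(terms, exps):
    """prod base^{exps[idx]} over (base, idx) pairs."""
    out = 1
    for (base, idx) in terms:
        out = out * pow(base, exps[idx], P) % P
    return out


# A statement is a list of equations (target, [(base, witness_index), ...])
# meaning target = prod base^{w[witness_index]}. Reusing an index in several
# equations is exactly what enforces a relation between committed values.
def prover_commit(stmt, w):
    r = [rand_zq() for _ in w]                         # one r_j per witness
    ts = [multiexp(terms, r) for _, terms in stmt]     # t_i = prod base^{r}
    return r, ts                                       # keep r, send ts


def prover_respond(w, r, c):
    return [(rj - c * wj) % Q for rj, wj in zip(r, w)]  # s_j = r_j - c w_j


def verify(stmt, ts, c, ss):
    """t_i == prod base^{s} * target^c must hold for every equation."""
    return all(t == multiexp(terms, ss) * pow(target, c, P) % P
               for (target, terms), t in zip(stmt, ts))


def run(stmt, w):
    """Honest interactive run; the challenge is drawn from [1, q-1] so a
    false statement is rejected with certainty rather than with prob. 1-1/q."""
    r, ts = prover_commit(stmt, w)
    c = secrets.randbelow(Q - 1) + 1
    return verify(stmt, ts, c, prover_respond(w, r, c))


def sum_statement():
    """C3 = g^a1 g^a2 h^b3 alongside C3 = g^a3 h^b3 forces a3 = a1 + a2."""
    a1, b1, a2, b2, b3 = (rand_zq() for _ in range(5))
    a3 = (a1 + a2) % Q
    C1, C2, C3 = commit(a1, b1), commit(a2, b2), commit(a3, b3)
    w = [a1, b1, a2, b2, a3, b3]                       # witness indices 0..5
    stmt = [(C1, [(G, 0), (H, 1)]),
            (C2, [(G, 2), (H, 3)]),
            (C3, [(G, 4), (H, 5)]),
            (C3, [(G, 0), (G, 2), (H, 5)])]
    return stmt, w


def product_statement():
    """C3 = C2^a1 h^b3' alongside C3 = g^a3 h^b3 forces a3 = a1 * a2."""
    a1, b1, a2, b2, b3p = (rand_zq() for _ in range(5))
    a3 = a1 * a2 % Q
    b3 = (b3p + a1 * b2) % Q        # h-exponent of (g^a2 h^b2)^a1 h^b3'
    C1, C2, C3 = commit(a1, b1), commit(a2, b2), commit(a3, b3)
    w = [a1, b1, a2, b2, a3, b3, b3p]
    stmt = [(C1, [(G, 0), (H, 1)]),
            (C2, [(G, 2), (H, 3)]),
            (C3, [(G, 4), (H, 5)]),
            (C3, [(C2, 0), (H, 6)])]
    return stmt, w


def cheating_sum_statement():
    """C3 commits to a1 + a2 + 1: equations 1-3 hold, equation 4 cannot."""
    stmt, w = sum_statement()
    w[4] = (w[4] + 1) % Q
    C3 = commit(w[4], w[5])
    stmt[2] = (C3, stmt[2][1])
    stmt[3] = (C3, stmt[3][1])
    return stmt, w
```

The cheating prover fails on the fourth equation for every non-zero challenge, because the verifier's recomputation differs from $t_4$ by the factor $(C_3 / g^{\alpha_1 + \alpha_2} h^{\beta_3})^c = g^c \neq 1$; applying the Fiat–Shamir transformation to `run` (hashing all $t_i$ into $c$) turns the same code into the $SPK$ form.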
Privacy-protecting authentication with Privacy-ABCs
Building blocks (figure): Alice combines a signature scheme, a commitment scheme and zero-knowledge proofs.
Signature schemes
Signature Scheme: Functionality
Key generation: produces a signing key $sk$ and a verification key $pk$.
Signing: $\sigma = \mathrm{sig}((m_1, \ldots, m_k), sk)$ on a message block $(m_1, \ldots, m_k)$.
Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.
Signature Scheme: Security
Unforgeability under adaptive chosen-message attack: the adversary may ask for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice (each chosen after seeing the previous signatures) and wins if it outputs $\sigma$ and $m \neq m_i$ (for all $i$) s.t. $\mathrm{ver}(\sigma, m, pk) = \mathrm{true}$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H : \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
We would like a proof of knowledge of a signature on a message, e.g.
$PK(\mu, \sigma)\{ \sigma^e = H(\mu) \pmod n \}$
But this is not a valid proof expression: $H(\cdot)$ is not an algebraic relation, so the discrete-logarithm proof techniques above do not apply. :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$,
– compute $c = \left( d / (a_1^{m_1} \cdots a_k^{m_k} b^s) \right)^{1/e} \bmod n$;
– the signature is $(c, e, s)$.
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$, check
– $m_1, \ldots, m_k \in \{0,1\}^\ell$ and $e > 2^{\ell+1}$,
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c \, b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c, e, s)$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and run
$PK(\varepsilon, \mu_1, \sigma)\{ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1} \}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$.
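An added example (written for this page, not code from the slides or from Identity Mixer) of the CL signature as defined above: signing with the $e$-th root computed from $\varphi(n)$, verification, and the re-randomisation $(c, e, s) \to (c\,b^t, e, s - et)$, which is checked to verify as a signature on the same messages. The modulus built from two 30-bit primes, $\ell = 16$, the trial-division primality test and the function names are toy assumptions; a deployment uses a 2048-bit modulus and a proper prime generator.

```python
"""CL signatures over a strong-RSA modulus: sign, verify, and re-randomise
(c, e, s) -> (c b^t, e, s - e t), the step that makes two showings of the
same credential unlinkable. Added example for this page, not code from the
slides or from Identity Mixer; toy-sized and insecure parameters."""
import secrets

ELL = 16                                   # messages m_i in {0,1}^ELL


def is_prime(n):
    """Trial division; enough for the ~2^18 values of e used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def keygen(k=2):
    """Constructed toy modulus from two 30-bit primes (real: 2048 bits).
    a_i, b, d are squares and thus elements of QR_n."""
    p, q = 1000000007, 998244353
    n = p * q

    def qr():
        return pow(secrets.randbelow(n - 2) + 2, 2, n)

    pk = {"n": n, "a": [qr() for _ in range(k)], "b": qr(), "d": qr()}
    return pk, (p - 1) * (q - 1)           # (public key, phi(n) = secret)


def sign(pk, phi, msgs):
    n, a, b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    assert len(msgs) == len(a) and all(0 <= m < 2 ** ELL for m in msgs)
    while True:                            # random prime 2^{l+1} < e < 2^{l+2}
        e = 2 ** (ELL + 1) + 1 + secrets.randbelow(2 ** (ELL + 1))
        if is_prime(e) and phi % e:        # e invertible mod phi(n)
            break
    s = secrets.randbelow(n)               # integer s of about the size of n
    prod = pow(b, s, n)
    for ai, mi in zip(a, msgs):
        prod = prod * pow(ai, mi, n) % n
    # c = (d / (a1^m1 ... ak^mk b^s))^{1/e}: the e-th root needs phi(n)
    c = pow(d * pow(prod, -1, n) % n, pow(e, -1, phi), n)
    return c, e, s


def verify(pk, msgs, sig):
    n, a, b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    c, e, s = sig
    if not 2 ** (ELL + 1) < e < 2 ** (ELL + 2):
        return False
    if len(msgs) != len(a) or not all(0 <= m < 2 ** ELL for m in msgs):
        return False
    lhs = pow(c, e, n) * pow(b, s, n) % n  # negative s: pow uses b^{-1}
    for ai, mi in zip(a, msgs):
        lhs = lhs * pow(ai, mi, n) % n
    return lhs == d                        # d == c^e a1^m1 ... ak^mk b^s


def randomize(pk, sig):
    """(c b^t, e, s - e t) verifies on the same messages because
    (c b^t)^e b^{s - e t} = c^e b^{et} b^{s - et} = c^e b^s."""
    n, b = pk["n"], pk["b"]
    c, e, s = sig
    t = secrets.randbelow(n)
    return c * pow(b, t, n) % n, e, s - e * t
```

Note that `randomize` needs only the public key: the user can re-randomise her credential before every showing, and the range checks on $e$ and the $m_i$ in `verify` are what the interval clauses $\mu_1 \in \{0,1\}^\ell$, $\varepsilon > 2^{\ell+1}$ of the proof above reproduce when the signature itself stays hidden.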
Privacy-protecting authentication with Privacy-ABCs
Building blocks (figure, continued): next, the commitment scheme.
Commitment schemes
Commitment Scheme: Functionality
The committer seals a message $m$ in a commitment (think of an envelope) and hands it over; later she opens it, and the recipient checks that it indeed contained $m$.
Commitment Scheme: Security
Binding: a commitment cannot be opened to two different messages $m \neq m'$.
Hiding: for all messages $m, m'$, a commitment to $m$ and a commitment to $m'$ are indistinguishable, i.e. the recipient learns nothing about the content before it is opened.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$.
To open a commitment:
• reveal $x$ and $r$ to the verifier,
• the verifier checks whether $c = g^x h^r$.
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then $c = g^x h^r = g^{x + ur}$, and for any $x'$ the value $r' = r + (x - x') u^{-1} \bmod q$ satisfies $g^{x'} h^{r'} = g^{x' + ur'} = g^{x + ur} = c$.
I.e. given $c$ and any $x'$ there exists $r'$ such that $c = g^{x'} h^{r'}$: the commitment carries no information about $x$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ s.t. $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$: two openings reveal the discrete logarithm of $h$, which is assumed to be hard to compute.
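The two arguments above as an added worked example (not code from the slides): with the trapdoor $u = \log_g h$ any Pedersen commitment can be opened to any value, which is why it is information-theoretically hiding, and conversely two different openings of one commitment yield $u$, which is why binding rests on the discrete-logarithm assumption. The toy group and the function names are assumptions of the example.

```python
"""Pedersen commitment C = g^x h^r: opening, the trapdoor that shows perfect
hiding, and the discrete-log extraction that shows computational binding.
Added example for this page, not code from the slides; toy parameters."""
import secrets

P, Q, G = 2039, 1019, 4       # constructed toy group: p = 2q+1, g of order q


def setup():
    """Returns h = g^u together with the trapdoor u = log_g h. A real
    setup must produce h so that nobody knows u (e.g. by hashing)."""
    u = secrets.randbelow(Q - 1) + 1
    return pow(G, u, P), u


def commit(h, x, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, x, P) * pow(h, r, P) % P, r          # (C, opening r)


def open_ok(h, c, x, r):
    return c == pow(G, x, P) * pow(h, r, P) % P


def equivocate(u, x, r, x_new):
    """Perfect hiding: with u, C = g^{x+ur} opens to any x_new using
    r_new = r + (x - x_new)/u, since x_new + u r_new = x + u r."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def extract_dlog(x1, r1, x2, r2):
    """Binding: two openings (x1,r1) != (x2,r2) of one commitment give
    g^{x1-x2} = h^{r2-r1}, hence log_g h = (x1-x2)/(r2-r1) mod q."""
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q
```

The practical consequence is the one behind the pseudonym construction later on: whoever generates $h$ as $g^u$ and keeps $u$ can open $Nym = g^{sk} h^r$ to any key, so $h$ must come from a public, verifiably random procedure.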
Commitment Scheme: Extended Features
Proof of knowledge of contents: prove that you can open a commitment to $m$ (without revealing $m$).
Proof of relations among contents: e.g. prove that $m_2 = 2 \cdot m_1$ for two commitments.
Let $C_1 = g^{m_1} h^{r_1}$ and $C_2 = g^{m_2} h^{r_2}$, then
$PK(\alpha, \beta)\{ C_1 = g^{\beta} h^{\alpha} \}$
$PK(\alpha, \beta, \gamma)\{ C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma} \}$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$,
– compute $Nym = g^{sk} h^r$ (a Pedersen commitment to $sk$).
Privacy-protecting authentication with Privacy-ABCs
Concept: credentials. Like PKI, but better. Issuing a credential (figure): the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$,
– $e > 2^{\ell+1}$,
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user commits to the hidden messages $m_1, \ldots, m_j$; the signer sees only the commitment and the clear messages $m_{j+1}, \ldots, m_k$ and produces $\sigma = \mathrm{sig}((m_1, \ldots, m_j \text{ (hidden)}, m_{j+1}, \ldots, m_k), sk)$.
Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$,
• forgery is defined w.r.t. the clear message parts and the openings of the commitments.
Realizing Issuance of a Credential
Issuer's public key: $n, a_i, b, d$.
1. The user chooses random $s'$, computes $C = a_1^{sk} b^{s'} \bmod n$ and sends $C$ together with her name and the proof
$PK(\mu_1, \sigma')\{ C = a_1^{\mu_1} b^{\sigma'} \}$.
2. The issuer verifies the proof, chooses a prime $e$ and random $s''$, computes $c = \left( d / (C \, a_2^{name} b^{s''}) \right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The user now holds $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$, i.e. the signature $(c, e, s'' + s')$ on $(sk, name)$, while the issuer never saw $sk$.
Realizing Issuance of a Credential
Want to sign w.r.t. $Nym = g^{sk} h^r$. Issuer's public key: $n, a_i, b, d$.
1. The user sends $Nym = g^{sk} h^r$, her name and $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$ together with the proof
$PK(\mu_1, \rho, \sigma')\{ Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'} \}$
which binds $C$ to the same $sk$ and $r$ as $Nym$.
2. The issuer verifies the proof, stores $(Nym, name)$, computes $c = \left( d / (C \, a_3^{name} b^{s''}) \right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The user holds $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
The user generates a pseudonym (ID for registration) and obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
under the issuer's public key $(n, a_1, a_2, a_3, b, d)$. The credential can contain attributes (e.g. the course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for the domain = pollID.
2. The user transforms (re-randomizes) her credential.
3. She shows the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because the domain pseudonym is unique per user and poll.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$, i.e. $P = H(pollID)^{sk}$.
$P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie–Hellman assumption).
2. The user transforms the credential: $c' = c \, b^{s'} \bmod n$ with randomly chosen $s'$, and sends $c'$, $P$ and
$SPK(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma)\{ P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1} \}(opinion)$
The same $\mu_1$ ($= sk$) appears in $P$ and in the credential, so only a registered user can produce $P$, and signing the opinion binds it to this showing.
Further Concepts
Concept – Inspection
A trusted third party (TTP, the inspector) publishes inspector parameters; the verifier's policy states the inspection grounds.
• If the car is damaged, the ID needs to be retrievable by the insurance or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes, a ciphertext reveals no information about the message, not even whether it is one of two candidate messages $m$ or $m'$. This is called semantic security (secure if a ciphertext is used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext (a ciphertext is only valid under the label it was created with).
Verifiable Encryption
Of attributes (discrete logarithms):
– Camenisch–Shoup (SRSA), based on Paillier encryption.
Of pseudonyms (group elements):
– Cramer–Shoup (DL) or, rarely, ElGamal (DL).
Otherwise (any secret for which a ZKPK exists):
– Camenisch–Damgård works for any scheme, but is much less efficient.
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \mathbb{Z}_q$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \mathbb{Z}_q$,
– compute $c = (y^r m, g^r)$.
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$,
– thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r - r} m = m$.
Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and a credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \mathbb{Z}_q$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c \, b^t \bmod n$ with randomly chosen $t$,
– compute the proof
$PK(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho)\{ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1} \}$
The shared $\mu_1, \mu_2$ guarantee that the ciphertext encrypts exactly the pseudonym certified in the credential.
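The encryption and proof steps above as an added Python example (not code from the slides; the CL-credential clause of the proof is left out and only the pseudonym part is shown): ElGamal encryption of $Nym$ under the inspector key, decryption by the inspector, and a Fiat–Shamir proof $SPK(\rho, \mu_1, \mu_2)\{e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho\}(label)$ whose challenge hashes a label, so the ciphertext is only accepted together with the label (the inspection grounds) it was created for. The toy group, SHA-256 as $H$ and all names are assumptions of the example.

```python
"""Verifiable ElGamal encryption of a pseudonym Nym = g^sk h^r under the
inspector's key y = g^x, with a Fiat-Shamir proof bound to a label that the
ciphertext (e1, e2) = (y^u Nym, g^u) encrypts a pseudonym whose sk and r the
user knows. Added example for this page, not code from the slides; the
CL-credential clause of the slide's proof is omitted. Toy parameters."""
import hashlib
import secrets

P, Q, G, H = 2039, 1019, 4, 9   # constructed toy group: p = 2q+1, g, h of order q


def rand_zq():
    return secrets.randbelow(Q)


def inspector_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                              # (x, y = g^x)


def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P             # Nym = g^sk h^r


def encrypt(y, nym):
    u = rand_zq()
    return (pow(y, u, P) * nym % P, pow(G, u, P)), u    # ((e1, e2), u)


def decrypt(x, ct):
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P                      # e1 / e2^x


def challenge(label, y, ct, t1, t2):
    """c = H(label || y || e1 || e2 || t1 || t2): the label is part of what
    the proof commits to, so the proof is only valid under that label."""
    data = label + b"|".join(str(v).encode() for v in (y, *ct, t1, t2))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(y, ct, sk, r, u, label):
    """SPK(rho, mu1, mu2){ e1 = y^rho g^mu1 h^mu2  AND  e2 = g^rho }(label)."""
    k_u, k_sk, k_r = rand_zq(), rand_zq(), rand_zq()
    t1 = pow(y, k_u, P) * pow(G, k_sk, P) * pow(H, k_r, P) % P
    t2 = pow(G, k_u, P)
    c = challenge(label, y, ct, t1, t2)
    return c, (k_u - c * u) % Q, (k_sk - c * sk) % Q, (k_r - c * r) % Q


def verify(y, ct, proof, label):
    e1, e2 = ct
    c, z_u, z_sk, z_r = proof
    t1 = pow(y, z_u, P) * pow(G, z_sk, P) * pow(H, z_r, P) * pow(e1, c, P) % P
    t2 = pow(G, z_u, P) * pow(e2, c, P) % P
    return c == challenge(label, y, ct, t1, t2)


if __name__ == "__main__":
    x, y = inspector_keygen()
    nym = pseudonym(77, 123)
    ct, u = encrypt(y, nym)
    proof = prove(y, ct, 77, 123, u, b"car-damage-claim")
    print("inspector recovers Nym:", decrypt(x, ct) == nym)
    print("accepted under its label:", verify(y, ct, proof, b"car-damage-claim"),
          "under another label:", verify(y, ct, proof, b"other"))
```

The verifier never sees $sk$, $r$ or $u$, yet learns that $e_1 / e_2^{x}$ will decrypt to a well-formed pseudonym; in the full token the same $\mu_1, \mu_2$ are additionally tied to the credential equation, which is what makes the encrypted pseudonym the certified one.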
Revocation of credentials
Anonymous Credential Revocation
The issuer publishes revocation information, the verifier looks it up, and Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key; misbehavior of the user.
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work: a credential is never shown in the clear, so the verifier has nothing to match against a list of revoked identifiers.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose a random generator $g$,
– compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$,
– prove $PK(\varepsilon, \mu, \rho, \sigma)\{ (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \cdots \vee (d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu}) \}$.
Not very efficient, i.e. linear in the size $k$ of the list. :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$,
– prove $PK(\varepsilon, \mu, \rho, \sigma)\{ d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu} \}$,
– the verifier checks whether $U \neq h^{u_j}$ for all $u_j$ on the list.
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$s public? If a credential is revoked, all its past transactions become linkable: the verifier can test the stored pairs $(h, U)$ against the now-known $u_i$.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
– It can pre-compute the list $U_j = h^{u_j}$ → a single table lookup.
– BUT if the user comes again, the verifier can link her visits. ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check its correctness; the date could be the time up to seconds, and the verifier could just pre-compute and store all the lists.
Revocable Credentials: Second Solution – better implementation of the proof
The issuer signs the intervals between revoked values: for the revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
Alice proves that her credential contains $u$ and that she holds $Sig(i, j)$ where $i < u < j$ (e.g. $u = 3$ lies in the interval $(1, 4)$).
The verifier does not learn $i$, $j$ (nor $u$).
$Sig(i, j)$ can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators (figure with serial numbers 1 to 6):
– credentials contain a random serial number,
– the issuer accumulates all good serial numbers,
– proving that a serial number is included in the accumulator requires a witness,
– to revoke serial number 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$,
– accumulator value $z = v^{\prod e_i} \bmod n$,
– publish $z$ and $n$,
– the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$.
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$,
– the verifier checks $z = x^e \bmod n$.
Revocable Credentials: Third Solution
Security of the accumulator: produce $x$ and $e$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption.
– Any $e$: equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ with her certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator,
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go.
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^s$, $U_2 = g^s$, and reveal $U_1$, $U_2$, $g$.
– Run the proof protocol with the verifier:
$PK(\varepsilon, \mu, \rho, \sigma, \xi, \delta)\{ d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n \}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, so $U_1 h^{-\delta}$ is a witness for $\mu$
c) $d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, so the same $\mu$ is the $e$ of the certificate.
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$,
– thus $z' = z^{e_{new}} \bmod n$,
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$.
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$,
– witness: use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a \, e_{own} + b \, e_{rev} = 1$; now $x' = x^b z'^a \bmod n$.
– Why: $x'^{e_{own}} = \left( (x^b z'^a)^{e_{own} e_{rev}} \right)^{1/e_{rev}} = \left( (x^{e_{own}})^{b \, e_{rev}} (z'^{e_{rev}})^{a \, e_{own}} \right)^{1/e_{rev}} = \left( z^{b \, e_{rev}} z^{a \, e_{own}} \right)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$,
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$,
– thus $z$ need not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
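An added example (mine, not the slides' code) of the RSA accumulator and its dynamic operations as described above: accumulating prime serial numbers, computing and checking witnesses, the public add step, revocation by the issuer via $z^{1/e_{rev}}$, the extended-Euclid witness update just derived, and the factorisation-knowing shortcut that leaves $z$ unchanged on join. The modulus built from two 30-bit primes, the seed $v = 4$, the small serial primes and the function names are constructed toy values.

```python
"""RSA accumulator on prime serial numbers: accumulate, witness, verify,
public add, revocation by the issuer, the extended-Euclid witness update
derived above, and the 'issuer knows phi(n)' shortcut. Added example for
this page, not code from the slides; toy-sized, insecure parameters."""

# Constructed toy modulus n = p q; p, q (hence PHI) are the issuer's secret.
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
V = 4                                   # seed v, a quadratic residue mod n


def accumulate(primes):
    """z = v^{prod e_i} mod n."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x = v^{prod_{i != j} e_i} mod n, so that x^{e_j} = z."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, e, x):
    return pow(x, e, N) == z


def add(z, x_mine, e_new):
    """Public join: z' = z^{e_new}; every holder updates x' = x^{e_new}."""
    return pow(z, e_new, N), pow(x_mine, e_new, N)


def revoke(z, e_rev):
    """Issuer only (needs phi): z' = z^{1/e_rev} mod n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def egcd(a, b):
    """Returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def update_witness_after_revoke(x, z_new, e_own, e_rev):
    """a e_own + b e_rev = 1  =>  x' = x^b z'^a  satisfies x'^{e_own} = z':
    x'^{e_own} = (x^{e_own})^b (z'^a)^{e_own} = z'^{e_rev b} z'^{e_own a} = z'."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return pow(x, b, N) * pow(z_new, a, N) % N   # negative b: pow inverts x


def add_with_trapdoor(z, e_new):
    """Issuer knows phi: z is left unchanged and the newcomer receives
    x = z^{1/e_new}; existing witnesses stay valid."""
    return pow(z, pow(e_new, -1, PHI), N)
```

Only the issuer can call `revoke` and `add_with_trapdoor`, since both take an $e$-th root modulo $n$; every credential holder can run `update_witness_after_revoke` from the published $(z', e_{rev})$ alone, and a witness for a revoked serial number stops verifying because $z'$ no longer contains its factor.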
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier.
– If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution
Re-issue certificates (off-line: interaction might be too expensive).
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e$, $s''$, computes
$c = \left( d / (U \, a_3^{m_3} a_4^{time} b^{s''}) \right)^{1/e} \bmod n$
and returns $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line: interaction might be too expensive).
Idea: just repeat the last step for each new time period $time_i$: choose $e_i$, $s_i''$ and compute
$c_i = \left( d / (U \, a_3^{m_3} a_4^{time_i} b^{s_i''}) \right)^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
– explain possibilities to engineers, policy makers, etc.,
– usable prototypes,
– provide transparency,
– public infrastructure for privacy protection,
– laws with teeth (encourage investment in privacy).
Challenges:
– Internet services get paid with personal data (inverse incentive),
– end users are not able to handle their data (user interfaces),
– security technology is typically invisible and hard to sell.
Towards a secure information society:
– society changes quickly and gets shaped by technology,
– consequences are hard to grasp (time will show),
– we must inform and engage in a dialog.
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Advances in Cryptology – CRYPTO '84.
copy 2014 IBM Corporation55 August 11 2015
One way to modify protocol to get large domain c
t = gs yc
Prover
random r
t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM CorporationAugust 11 2015
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2014 IBM Corporation57 August 11 2015
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2014 IBM Corporation58 August 11 2015
From Protocols To Signatures
Signing a message m- chose random r Є Zq and
- compute c = H(gr||m) = H(t||m) s = r - cx mod (q)
- output (cs)
Verifying a signature (cs) on a message m
- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα
PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
SPK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)
PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2014 IBM Corporation60 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
rarr α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
rarr a3 = a1 + 5 a2 (mod q)
copy 2014 IBM Corporation61 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
rarr a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
(overview figure: Alice and the three building blocks: signature scheme, commitment scheme, zero-knowledge proofs)

Commitment Scheme

Commitment Scheme Functionality
(figure: a message m is locked in a box with a combination, e.g. 2-36-17; the box is handed over as the commitment, and the combination is revealed later to open it to m)

Commitment Scheme Security
Binding: (figure) a box locked on m with combination 2-36-17 cannot be opened to a different message m' with another combination such as 3-21-11
Hiding: for all messages m, m', (figure) the boxes containing m and m' look the same to the receiver until they are opened
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks whether c = g^x h^r

Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
– let c be a commitment and u = log_g h (unknown to everybody, but it exists)
– then c = g^x h^r = g^{x+ur} = g^{(x+ur) + u(r'-r')} = g^{x+ur'} h^{r-r'} for any r'
– i.e. given c and any x' there exists r' such that c = g^{x'} h^{r'}, so c reveals nothing about x
Computationally binding:
– let c, (x, r) and (x', r') be such that c = g^x h^r = g^{x'} h^{r'}
– then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q, i.e. whoever opens c in two ways has computed the discrete logarithm of h
Commitment Scheme Extended Features
Proof of knowledge of contents: (figure) the committer proves that she knows the m (and r) inside a commitment without opening it; the verifier outputs true
Proof of relations among contents: (figure) the committer proves a relation between committed values, e.g. m = 2 · m', without opening either commitment
Let C_1 = g^m h^r and C_2 = g^{m'} h^{r'}, then
– PK{(α, β): C_1 = g^β h^α}  (knowledge of the contents of C_1)
– PK{(α, β, γ): C_2 = g^β h^α ∧ C_1 = (g^2)^β h^γ}  (proves m = 2 · m')
Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– choose random r ∈ Z_q
– compute Nym = g^{sk} h^r  (a Pedersen commitment to sk)

Privacy-protecting authentication with Privacy ABCs – Concept: credentials
(figure: issuing a credential, "like PKI but better": the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall: a signature (c, e, s) on messages m_1, ..., m_k
– m_1, ..., m_k ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a_1^{sk} a_2^{m_2} ··· a_k^{m_k} b^s mod n
New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
(figure: the signer receives a commitment to the hidden messages m_1, ..., m_j together with the clear messages m_{j+1}, ..., m_k and outputs σ = sig((commitment to m_1, ..., m_j), m_{j+1}, ..., m_k); the recipient ends up with σ on (m_1, ..., m_k) such that ver(σ, (m_1, ..., m_k)) = true)
Verification remains unchanged
Security requirements basically the same as for signatures, but
• the signer should not learn any information about m_1, ..., m_j
• forgery is defined w.r.t. the clear parts of the message and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
1. The user commits to her secret key, C = a_1^{sk} b^{s'}, and sends C together with her clear attribute (name) to the issuer
2. The user proves knowledge of the opening: PK{(μ_1, σ'): C = a_1^{μ_1} b^{σ'}}
3. The issuer chooses a prime e and an integer s'', computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n and returns (c, e, s'')
4. The user sets s = s'' + s'; then d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n), i.e. (c, e, s) is a CL-signature on (sk, name) although the issuer never saw sk

Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} h^r
1. The user sends C = a_1^{sk} a_2^r b^{s'}, Nym and her name to the issuer and proves
   PK{(μ_1, ρ, σ'): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^{σ'}}
   (the same sk and r are bound in Nym and in C)
2. The issuer stores (Nym, name) and computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n
3. The user obtains (c, e, s'') with d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
(slide dated October 28, 2014, © 2013 IBM Corporation)
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable

Polling – Solution: Registration
– The user generates a pseudonym (ID for registration)
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
  d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
– The credential can contain attributes (e.g. course ID) about her
Issuer's public key: (n, a_1, a_2, b, d)

Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for domain = pollID
2. The user transforms her credential
3. The user sends the transformed credential together with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} with g_d = H(pollID), i.e. P = H(pollID)^{sk}
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms her credential:
   – c' = c b^{s'} mod n with randomly chosen s'
   – SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts

Concept – Inspection
(figure: a trusted third party (TTP) acting as inspector publishes inspector parameters; the user's presentation carries her identity verifiably encrypted under them together with the inspection grounds)
• If the car is damaged, the ID must be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust

Public Key Encryption
(figure: key generation, encryption, decryption)
Security: like envelopes, the ciphertext gives no information about the message; (figure) the receiver of a ciphertext cannot tell whether it encrypts m or m'
This is called semantic security (secure if used once only or within a careful construction)

Verifiable Encryption with Label
(figure: the user encrypts a value under the inspector's key with a label and proves that the ciphertext contains the value she is committed to)
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label is a new ciphertext

Verifiable Encryption
Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgaard works for any scheme, but is much less efficient
Open problem: to find new ones

ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c_1, c_2):
– we know c = (y^r m, g^r) = (g^{xr} m, g^r)
– thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
The user holds Nym = g^{sk} h^r and a credential (c, e, s) with d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n); the inspector's public key is y = g^x
Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u Nym, g^u) = (e_1, e_2)
Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof
  PK{(ε, μ_1, μ_2, μ_3, σ, ρ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
  (the same μ_1, μ_2 appear in the credential and in e_1, so the ciphertext provably contains the user's Nym)
Revocation of Credentials

Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user, ...
Alice should be able to convince the verifier that her credential is among the good ones
Pseudonyms → standard revocation lists don't work

Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k)
Alice proves that her u_i is on the list:
– choose random g
– compute U_j = g^{u_j} for all u_j in (u_1, ..., u_k)
– prove PK{(ε, μ, ρ, σ): (d = c'^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ ... ∨ (d = c'^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(

Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish the list of all invalid u_i's: (u_1, ..., u_k)
Alice proves that her u_i is not on the list:
– choose random h and compute U = h^{u_i}
– prove PK{(ε, μ, ρ, σ): d = c'^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
– the verifier checks whether U = h^{u_j} for any u_j on the list (if so, the credential is revoked)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all its past transactions become linkable

Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– it can pre-compute the list U_i = h^{u_i} → single table lookup
– BUT if the user comes again, the verifier can link her; ALSO the verifier could never change h at all, or use the same h as other verifiers
– one way out: h = H(verifier, date), so the user can check correctness; date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – a better implementation of the proof
(figure: revocation list {1, 4, 5} on a number line up to N; the issuer signs the intervals between revoked values, Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N); a user whose credential contains 3 proves that it lies inside one of the signed intervals)
– The user proves: the credential contains u, and she holds Sig(i, j) with i < u < j
– The verifier does not learn i and j
– Sig(i, j) can be realised with the credential signature scheme as well, using a different public key

Revocable Credentials: Third Solution – Using cryptographic accumulators
(figure: the issuer accumulates all good serial numbers, e.g. 1, 2, 3, 4, 5, 6, into one accumulator value; credentials contain a random serial number; a user proves that the serial number in her credential, e.g. 2, is included in the accumulator, which requires a witness)
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{∏ e_i} mod n
– publish z and n
– the witness x for e_j such that z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n

Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x such that z = x^e mod n for an e that is not contained in the accumulator
– for fixed e: equivalent to the RSA assumption
– for any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets a witness x with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go

Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to x:
  • choose random s and g, and
  • compute U_1 = x h^s, U_2 = g^s and reveal U_1, U_2, g
– run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c'^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}

Revocable Credentials: Third Solution
Analysis:
– no information about x and e is revealed
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– the proof indeed proves that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
  b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 / h^δ)^μ (mod n)
  c) d = c'^ε a_1^ρ a_2^μ b^σ (mod n)

Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
– recall z = v^{∏ e_i} mod n
– thus z' = z^{e_new} mod n
– but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n

Revocation: Third Solution – Dynamic Accumulator
When a certificate containing e_rev is revoked:
– now z' = v^{∏_{i ≠ rev} e_i} = z^{1/e_rev} mod n
– witness update:
  • use the extended Euclidean algorithm to compute a and b such that a e_own + b e_rev = 1
  • now x' = x^b z'^a mod n
  • why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
                   = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
                   = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
                   = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
                   = z^{1/e_rev} mod n = z' :-)

Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– recall z = v^{∏ e_i} mod n
– actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and give the new user x = z^{1/e_new} mod n
– thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
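As an added example for the accumulator slides above (written for this page; not the slides' own code nor Identity Mixer's), the Python below implements accumulation, witness computation, the membership check, the trapdoor-free join (z' = z^{e_new}, x' = x^{e_new}), the issuer-side revocation z' = z^{1/e_rev}, the holder-side witness update x' = x^b z'^a via the extended Euclidean algorithm, and the improved join x = z^{1/e_new} that leaves z unchanged. The toy modulus (built from the Mersenne primes 2^61-1 and 2^31-1), the seed, the serial numbers and all function names are assumptions of the example; a deployment uses a 2048-bit+ modulus, and the zero-knowledge proof that a committed e is accumulated (previous slides) is not included.

```python
"""Toy RSA accumulator with witnesses and the dynamic add/remove updates from the slides."""

# Constructed toy modulus n = p*q; the issuer keeps phi(n), everybody else only sees n.
# Assumption: real deployments use a 2048-bit+ modulus of two safe primes.
_P, _Q = 2**61 - 1, 2**31 - 1
N, PHI = _P * _Q, (_P - 1) * (_Q - 1)
V = pow(17, 2, N)        # seed v in QR_n (constructed)

def accumulate(primes):
    """Issuer: z = v^{prod e_i} mod n over the currently valid (prime) serial numbers e_i."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z

def witness(primes, e_j):
    """Issuer: x_j = v^{prod_{i != j} e_i} mod n, so that x_j^{e_j} = z."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x

def verify_membership(z, e, x):
    """Verifier: e is accumulated in z iff z == x^e mod n (infeasible to fake under (Strong) RSA)."""
    return pow(x, e, N) == z

def add(z, x_own, e_new):
    """Join without the trapdoor: z' = z^{e_new}; every existing witness moves to x' = x^{e_new}."""
    return pow(z, e_new, N), pow(x_own, e_new, N)

def join_with_trapdoor(z, e_new):
    """Join by an issuer who knows phi(n) (improved variant): z stays the same and the new
    member receives x = z^{1/e_new} mod n, so the old witnesses remain valid."""
    return pow(z, pow(e_new, -1, PHI), N)

def _ext_gcd(a, b):
    """Extended Euclid: return (u, v) with u*a + v*b == gcd(a, b)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_u, old_v

def revoke(z, e_rev):
    """Issuer: z' = z^{1/e_rev} mod n (needs phi(n)); z' is published."""
    return pow(z, pow(e_rev, -1, PHI), N)

def update_witness(x_own, e_own, z_new, e_rev):
    """Holder of e_own after e_rev was revoked: with a*e_own + b*e_rev = 1 set x' = x^b z'^a mod n.
    Then x'^{e_own} = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev}
                    = (z^{b e_rev + a e_own})^{1/e_rev} = z^{1/e_rev} = z'."""
    a, b = _ext_gcd(e_own, e_rev)
    assert a * e_own + b * e_rev == 1, "serial numbers must be distinct primes"
    return pow(x_own, b, N) * pow(z_new, a, N) % N
```

The holder never needs phi(n): `update_witness` uses only the published z', her own witness and the two exponents, which is exactly what makes the revocation update distributable to every unrevoked user.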
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a_1^{m_1} a_2^{m_2} b^{s'}; the issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n and returns (c, e, s'')

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new validity period time_i
– choose e_i, s_i''
– c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means

Conclusions
Roadmap
– explain the possibilities to engineers, policy makers, etc.
– usable prototypes
– provide transparency
– public infrastructure for privacy protection
– laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– end users are not able to handle their data (user interfaces)
– security technology is typically invisible and hard to sell
Towards a secure information society
– society changes quickly and gets shaped by technology
– consequences are hard to grasp (time will show)
– we must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.

References
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Zero Knowledge Proofs: Security
One way to modify the protocol to get a large domain for c:
(figure: the prover first sends h, the verifier sends c, the prover sends t and s; the simulator chooses random c, s and computes t = g^s y^c; after having received the verifier's challenge c_v it "reboots" the verifier, chooses random s', computes t' = g^{s'} y^{c_v} and sends s')

Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group <g> and an element y ∈ <g>
The prover wants to convince the verifier that she knows x such that y = g^x, such that the verifier only learns y and g
Prover: chooses random r, computes t = g^r, sends t
Verifier: chooses random c, sends c
Prover: computes s = r - c·x, sends s
Verifier: checks t = g^s y^c
Notation: PK{(α): y = g^α}

From Protocols To Signatures
Signing a message m:
– choose random r ∈ Z_q and
– compute c = H(g^r || m) = H(t || m), s = r - c·x mod q
– output (c, s)
Verifying a signature (c, s) on a message m:
– check c = H(g^s y^c || m)  ↔  t = g^s y^c
Security:
– the underlying protocol is a zero-knowledge proof of knowledge
– the hash function H() behaves as a "random oracle"
Signature: SPK{(α): y = g^α}(m)

Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
– PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
– PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
– SPK{(α): y = g^α}(m)
Many exponents:
– PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
– PK{(α): y = g^α ∧ α ∈ [A, B]}
– PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
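As an added example (written for this page; not code from the slides or from Identity Mixer) serving the Pedersen commitment slides, the Schnorr PK/SPK slides and the logical-combination slide above, and the ElGamal/inspection slides elsewhere in the deck, the Python below implements a Pedersen commitment, the trapdoor extraction behind the binding argument, a generic Fiat-Shamir Σ-proof for conjunctions of "target = product of bases to secret exponents" statements in the slides' s = r - c·x form, and, as an instance, the verifiable ElGamal encryption of a pseudonym Nym = g^{sk} h^r for an inspector. The group (order Q = 2^61-1, modulus p = k·Q + 1 found by search), the labels, the equation encoding and all function names are assumptions of the example; a deployment uses standardised 2048-bit+ groups or elliptic curves.

```python
"""Pedersen commitments, Fiat-Shamir Σ-proofs (SPK) and ElGamal verifiable encryption (toy)."""
import hashlib
import secrets
Q = 2**61 - 1   # prime group order (the Mersenne prime M61); constructed toy parameter

def is_prime(n):
    """Deterministic Miller-Rabin: these 12 bases are exact for all n < 3.2e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """p = k*Q + 1 prime; g = 2^k and h = 3^k generate the order-Q subgroup, log_g h unknown to all."""
    k = 2
    while not is_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    g, h = pow(2, k, p), pow(3, k, p)
    assert 1 not in (g, h) and g != h
    return p, g, h

P, G, H = make_group()

def mexp(bases, exps):
    """prod bases[i]^exps[i] mod p."""
    out = 1
    for b, x in zip(bases, exps):
        out = out * pow(b, x, P) % P
    return out

def commit(x, r):
    """Pedersen commitment c = g^x h^r: perfectly hiding, binding under the DL assumption."""
    return mexp([G, H], [x, r])

def extract_trapdoor(x1, r1, x2, r2):
    """Binding argument of the slides: two openings (x1, r1), (x2, r2) of one c give
    g^{x1-x2} = h^{r2-r1}, hence log_g h = (x1-x2)/(r2-r1) mod q, which nobody should be able to compute."""
    return (x1 - x2) * pow(r2 - r1, -1, Q) % Q

def _challenge(eqs, ts, msg):
    return int.from_bytes(hashlib.sha256(repr((P, G, H, eqs, ts, msg)).encode()).digest(), "big") % Q

def spk_prove(secret, eqs, msg=b""):
    """SPK{(secret): target = prod base^{secret[i]} for every (target, [(base, i), ...]) in eqs}(msg).
    The slides' Σ-protocol made non-interactive: t = prod base^r, c = H(t || msg), s = r - c*x mod q;
    conjunctions are proven by sharing secret indices across equations."""
    rnd = [secrets.randbelow(Q) for _ in secret]
    ts = [mexp([b for b, _ in terms], [rnd[i] for _, i in terms]) for _, terms in eqs]
    ch = _challenge(eqs, ts, msg)
    return ch, [(r - ch * x) % Q for r, x in zip(rnd, secret)]

def spk_verify(eqs, proof, msg=b""):
    """Recompute t = prod base^s * target^c for every equation and check c = H(t || msg)."""
    ch, resp = proof
    ts = [mexp([b for b, _ in terms] + [tgt], [resp[i] for _, i in terms] + [ch]) for tgt, terms in eqs]
    return ch == _challenge(eqs, ts, msg)

def elgamal_keygen():
    x = secrets.randbelow(Q - 1) + 1           # inspector: secret x, public y = g^x
    return x, pow(G, x, P)

def elgamal_encrypt(y, m, u):
    """enc = (y^u m, g^u) for a group element m and randomness u."""
    return mexp([y, m], [u, 1]), pow(G, u, P)

def elgamal_decrypt(x, enc):
    """m = e1 * e2^{-x}."""
    return enc[0] * pow(enc[1], -x, P) % P

def ve_equations(y, nym, enc):
    """Statement for inspection: Nym = g^mu1 h^mu2 ∧ e1 = y^rho g^mu1 h^mu2 ∧ e2 = g^rho
    (secret indices: 0 = sk, 1 = r, 2 = u)."""
    return [(nym, [(G, 0), (H, 1)]), (enc[0], [(y, 2), (G, 0), (H, 1)]), (enc[1], [(G, 2)])]

def verifiable_encrypt_nym(y, sk, r, label=b""):
    """User: encrypt Nym = g^sk h^r under the inspector key y and prove it is the committed Nym;
    the label (inspection grounds) is hashed into the challenge, so changing it invalidates the proof."""
    nym = commit(sk, r)
    u = secrets.randbelow(Q)
    enc = elgamal_encrypt(y, nym, u)
    return nym, enc, spk_prove([sk, r, u], ve_equations(y, nym, enc), label)
```

The verifier of an inspection token runs `spk_verify(ve_equations(y, nym, enc), proof, label)`; only the inspector, holding x, can later run `elgamal_decrypt` on `enc`, and only a proof bound to the agreed label verifies.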
Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements
Now what does PK{(α_1, β_1, α_2, β_2, α_3, β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} g^{α_2} h^{β_3}} mean?
→ the prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = g^{α_1} g^{α_2} h^{β_3} = g^{α_1 + α_2} h^{β_3} = g^{α_3} h^{β_3}
→ α_3 = α_1 + α_2 (mod q)
And what about PK{(α_1, ..., β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = g^{α_1} (g^5)^{α_2} h^{β_3}}?
→ C_3 = g^{α_1} g^{5 α_2} h^{β_3} = g^{α_1 + 5 α_2} h^{β_3}
→ α_3 = α_1 + 5 α_2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements
Now what does PK{(α_1, ..., β_3): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_3 = g^{α_3} h^{β_3} ∧ C_3 = C_2^{α_1} h^{β_3}} mean?
→ the prover knows values α_1, β_1, α_2, β_2, β_3 such that
  C_1 = g^{α_1} h^{β_1}, C_2 = g^{α_2} h^{β_2} and
  C_3 = C_2^{α_1} h^{β_3} = (g^{α_2} h^{β_2})^{α_1} h^{β_3} = g^{α_2·α_1} h^{β_3 + β_2·α_1}
  C_3 = g^{α_2·α_1} h^{β_3 + β_2·α_1} = g^{α_3} h^{β_3}
→ α_3 = α_1 · α_2 (mod q)
And what about PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ C_2 = C_1^{α_1} h^{β_2}}?
→ α_2 = α_1^2 (mod q)

Some Example Proofs and Their Analysis
Let g, h, C_1, C_2, C_3 be group elements
Now what does PK{(α_1, β_1, β_2): C_1 = g^{α_1} h^{β_1} ∧ C_2 = g^{α_2} h^{β_2} ∧ g = (C_2 / C_1)^{α_1} h^{β_2}} mean?
→ the prover knows values α_1, β_1, β_2 such that
  C_1 = g^{α_1} h^{β_1}
  g = (C_2 / C_1)^{α_1} h^{β_2} = (C_2 g^{-α_1} h^{-β_1})^{α_1} h^{β_2}
→ g^{1/α_1} = C_2 g^{-α_1} h^{-β_1} h^{β_2/α_1}
  C_2 = g^{α_1} h^{β_1} h^{-β_2/α_1} g^{1/α_1} = g^{α_1 + 1/α_1} h^{β_1 - β_2/α_1}
  C_2 = g^{α_2} h^{β_2}
→ α_2 = α_1 + α_1^{-1} (mod q)
Privacy-protecting authentication with Privacy ABCs
(overview figure: Alice and the three building blocks: signature scheme, commitment scheme, zero-knowledge proofs)

Signature Schemes

Signature Scheme Functionality
– Key generation: (figure) the signer generates a secret signing key and a public verification key
– Signing: (figure) on messages (m_1, ..., m_k) the signer computes σ = sig((m_1, ..., m_k))
– Verification: (figure) with the public key anyone can check ver(σ, (m_1, ..., m_k)) = true

Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack: (figure) the adversary asks for signatures σ_1, ..., σ_l on messages m_1, ..., m_l of its choice, one after the other, and must then output σ and m ≠ m_i such that ver(σ, m) = true

RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}^* -> {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}^*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}^*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
Anonymous Credential Revocation
– Various reasons to revoke a credential: the user lost the credential / secret key, misbehavior of the user
– The issuer publishes revocation info; the verifier looks it up
– Alice should be able to convince the verifier that her credential is among the good ones
– Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
– Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
– Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$
– Alice proves that her $u_i$ is on the list:
  – choose random $g$
  – compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \dots, u_k)$
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma):\; (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; U_1 = g^{\mu}) \;\vee\; \dots \;\vee\; (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; U_k = g^{\mu})\}$
– Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
– Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
– Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
– Alice proves that her $u_i$ is not on the list:
  – choose random $h$ and compute $U = h^{u_i}$
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma):\; d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; U = h^{\mu}\}$
  – the verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list
– Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
– What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution (variation)
– Variation: the verifier could choose $h$ and keep it fixed for a while
– Can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT: if the user comes again, the verifier can link; ALSO the verifier could refuse to change $h$ at all, or use the same $h$ as other verifiers
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution (… better implementation of the proof)
– The issuer signs the intervals between revoked values: for the revocation list $\{1, 4, 5\}$ it publishes $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$
– Alice (whose credential contains the value 3) proves that her credential contains a value $u$ with $i < u < j$ and that she knows $Sig(i,j)$
– The verifier does not learn $i$, $j$
– $Sig(i,j)$ can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
– Credentials contain a random serial number
– The issuer accumulates all good serial numbers (figure: an accumulator containing 1, …, 6)
– Alice proves that her credential contains a serial number (e.g. 2) that is included in the accumulator; the proof requires a witness
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
– Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
– Accumulate:
  – values are primes $e_i$
  – accumulator value $z = v^{\prod e_i} \bmod n$
  – publish $z$ and $n$
  – the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
– Show that your value $e$ is contained in the accumulator:
  – provide $x$ for $e$
  – the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
– Security of the accumulator: it must be infeasible to show $(x, e)$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
  – for fixed $e$: equivalent to the RSA assumption
  – for any $e$: equivalent to the Strong RSA assumption
– Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ with the certificate. But we still need:
  – an efficient protocol to prove that a committed value is contained in the accumulator
  – a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
– Prove that your key is in the accumulator:
  – commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^{s}$, $U_2 = g^{s}$, and reveal $U_1, U_2, g$
  – run the proof protocol with the verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\; d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; z = U_1^{\mu} (1/h)^{\xi} \pmod n \;\wedge\; 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \;\wedge\; U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
  – $(U_1, U_2)$ is a secure commitment to $x$
  – the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \;\Rightarrow\; \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
– When a new user gets a certificate containing $e_{new}$:
  – recall $z = v^{\prod e_i} \bmod n$
  – thus $z' = z^{e_{new}} \bmod n$
  – but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator
– When a certificate containing $e_{rev}$ is revoked:
  – now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
  – witness: use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$; now $x' = x^{b} z'^{a} \bmod n$
  – why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of $n$
– When a new user gets a certificate containing $e_{new}$:
  – recall $z = v^{\prod e_i} \bmod n$
  – actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
  – thus $z$ need not be changed when a new member joins
– Witnesses need to be recomputed upon revocation only
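The accumulator operations of the preceding slides (accumulate, witness, verify, join with and without the factorization trapdoor, and the Ext. Euclid witness update after a revocation), as an added Python example; it is not code from the slides or from the Identity Mixer library, and the modulus $n = 2039 \cdot 2027$, the seed $v = 4$ and the member primes are constructed toy values, far too small for real use.

```python
# Added example: RSA accumulator with dynamic updates, following the slides above.
# All parameters are constructed toy values; real deployments use 2048-bit moduli.
P, Q = 2039, 2027        # two safe primes p = 2p'+1, q = 2q'+1 (constructed)
N = P * Q                # RSA modulus n, published by the issuer
PHI = (P - 1) * (Q - 1)  # phi(n): the issuer's trapdoor, needs the factorization
V = 4                    # seed v, a quadratic residue mod n (constructed)


def ext_gcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def accumulate(primes, v=V, n=N):
    """Accumulator value z = v^(e_1 * ... * e_k) mod n over the member primes."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z


def witness(primes, e_j, v=V, n=N):
    """Witness x = v^(product of all e_i except e_j) mod n, so that x^e_j = z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, n)
    return x


def verify(z, x, e, n=N):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, n) == z


# --- join without the trapdoor ("Dynamic Accumulator", new user) ---
def add_member(z, e_new, n=N):
    """New accumulator z' = z^e_new; every existing witness must follow suit."""
    return pow(z, e_new, n)


def update_witness_on_add(x, e_new, n=N):
    """Existing member's witness after a join: x' = x^e_new."""
    return pow(x, e_new, n)


# --- join with the trapdoor ("Third Solution (improved)") ---
def issue_witness_with_trapdoor(z, e_new, n=N, phi=PHI):
    """Issuer knows phi(n): hands out x = z^(1/e_new) and leaves z unchanged."""
    return pow(z, pow(e_new, -1, phi), n)


# --- revocation of e_rev ---
def remove_member(z, e_rev, n=N, phi=PHI):
    """Issuer computes z' = z^(1/e_rev) mod n with the factorization trapdoor."""
    return pow(z, pow(e_rev, -1, phi), n)


def update_witness_on_remove(x, e_own, z_new, e_rev, n=N):
    """Unrevoked user updates her witness from public data only:
    find a, b with a*e_own + b*e_rev = 1, then x' = x^b * z'^a mod n."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated primes must be distinct")
    # pow() with a negative exponent and a modulus takes the modular inverse.
    return (pow(x, b, n) * pow(z_new, a, n)) % n


if __name__ == "__main__":
    members = [3, 5, 7, 11]
    z = accumulate(members)
    x7 = witness(members, 7)
    print("7 in accumulator:", verify(z, x7, 7))
    z = remove_member(z, 11)
    x7 = update_witness_on_remove(x7, 7, z, 11)
    print("7 still in accumulator after revoking 11:", verify(z, x7, 7))
```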
Revocation: Zeroth Solution
– Update of credentials: encode the validity time as an attribute
– No additional effort for the verifier: if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
– Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$, computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
– Idea: just repeat the last step for each new time $time_i$: choose $e_i, s_i''$ and compute $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
– Roadmap
  – explain possibilities to engineers, policy makers, etc.
  – usable prototypes
  – provide transparency
  – public infrastructure for privacy protection
  – laws with teeth (encourage investment in privacy)
– Challenges
  – Internet services get paid with personal data (inverse incentive)
  – end users are not able to handle their data (user interfaces)
  – security technology is typically invisible and hard to sell
– Towards a secure information society
  – society changes quickly and gets shaped by technology
  – consequences are hard to grasp (time will show)
  – we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
– Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
– Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
– Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$
– The prover wants to convince the verifier that she knows $x$ s.t. $y = g^{x}$, such that the verifier only learns $y$ and $g$
– Protocol:
  – Prover: choose random $r$, compute $t = g^{r}$, send $t$
  – Verifier: choose random $c$, send $c$
  – Prover: compute $s = r - cx$, send $s$
  – Verifier: check $t = g^{s} y^{c}$
– Notation: $PK\{(\alpha):\; y = g^{\alpha}\}$
From Protocols To Signatures
– Signing a message $m$:
  – choose random $r \in \mathbb{Z}_q$ and compute $c = H(g^{r} \| m) = H(t \| m)$, $s = r - cx \pmod q$
  – output $(c, s)$
– Verifying a signature $(c, s)$ on a message $m$:
  – check $c = H(g^{s} y^{c} \| m) \;\leftrightarrow\; t = g^{s} y^{c}$
– Security:
  – the underlying protocol is a zero-knowledge proof of knowledge
  – the hash function $H()$ behaves as a "random oracle"
– Signature: $SPK\{(\alpha):\; y = g^{\alpha}\}(m)$
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
– Logical combinations:
  – $PK\{(\alpha, \beta):\; y = g^{\alpha} \;\wedge\; z = g^{\beta} \;\wedge\; u = g^{\beta} h^{\alpha}\}$
  – $PK\{(\alpha, \beta):\; y = g^{\alpha} \;\vee\; z = g^{\beta}\}$
– Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $SPK\{(\alpha):\; y = g^{\alpha}\}(m)$
– Many exponents: $PK\{(\alpha, \beta, \gamma, \delta):\; y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
– Intervals and groups of different order (under SRSA):
  – $PK\{(\alpha):\; y = g^{\alpha} \;\wedge\; \alpha \in [A, B]\}$
  – $PK\{(\alpha):\; y = g^{\alpha} \;\wedge\; z = \mathbf{g}^{\alpha} \;\wedge\; \alpha \in [0, \min\{ord(g), ord(\mathbf{g})\}]\}$, with $g$ and $\mathbf{g}$ in groups of different order
Some Example Proofs and Their Analysis
– Let $g, h, C_1, C_2, C_3$ be group elements
– Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3):\; C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$ mean?
  → The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
  → $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$
– And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3):\; C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
  → $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
  → $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
– Let $g, h, C_1, C_2, C_3$ be group elements
– Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3):\; C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = C_2^{\alpha_1} h^{\beta_3}\}$ mean?
  → The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and $C_3 = C_2^{\alpha_1} h^{\beta_3} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1}$
  → $C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3 + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
  → $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
– And what about $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2):\; C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_2 = C_1^{\alpha_1} h^{\beta_2}\}$?
  → $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
– Let $g, h, C_1, C_2, C_3$ be group elements
– Now what does $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2):\; C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; g = (C_2 / C_1)^{\alpha_1} h^{\beta_2}\}$ mean?
  → The prover knows values $\alpha_1, \beta_1, \beta_2$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and $g = (C_2 / C_1)^{\alpha_1} h^{\beta_2} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2}$
  → $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2 / \alpha_1}$
  → $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2 / \alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2 / \alpha_1}$
  → $C_2 = g^{\alpha_2} h^{\beta_2}$ with $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
– Building blocks (figure: Alice with her credential): signature scheme, commitment scheme, zero-knowledge proofs
Signature schemes
Signature Scheme Functionality
– Key generation: the signer generates a key pair
– Signing: $\sigma = sig((m_1, \dots, m_k))$
– Verification: $ver(\sigma, (m_1, \dots, m_k)) = true$
Signature Scheme Security
– Unforgeability under adaptive chosen message attack: the adversary adaptively obtains signatures $(m_1, \sigma_1), \dots, (m_l, \sigma_l)$ on messages of her choice, and must then output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m) = true$
RSA Signature Scheme – for reference
– Rivest, Shamir and Adleman, 1978
– Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^{*} \to \{0,1\}^{\ell}$
– Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$
– Verification of signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
– Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
– Verification of a signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$
– Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s):\; s^{e} = H(m) \pmod n\}$
– But this is not a valid proof expression :-(
CL-Signature Scheme
– Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
– Secret key: the factors of $n$
– To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^{\ell}$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^{s}))^{1/e} \bmod n$
– The signature is $(c, e, s)$
CL-Signature Scheme
– To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k$: check $m_1, \dots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$ and $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
– Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption
Proving Knowledge of a CL-signature
– Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$
– Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
– To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and prove $PK\{(\varepsilon, \mu_1, \sigma):\; d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \;\wedge\; \mu_1 \in \{0,1\}^{\ell} \;\wedge\; \varepsilon > 2^{\ell+1}\}$
– → proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
– Building blocks (figure: Alice with her credential): signature scheme, commitment scheme, zero-knowledge proofs
Commitment scheme
Commitment Scheme Functionality
– Commit: the sender locks a message $m$ into a commitment (figure: a box with a combination lock) and keeps the opening information
– Open: the sender reveals $m$ and the opening information; the recipient checks that the commitment indeed contains $m$
Commitment Scheme Security
– Binding: a commitment cannot be opened to two different messages $m \neq m'$
– Hiding: for all messages $m, m'$, the commitments to $m$ and to $m'$ are indistinguishable
Commitment Schemes
– Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
– To commit to an element $x \in \mathbb{Z}_q$:
  • Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
  • ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r},\; g^{r})$
– To open a commitment:
  • reveal $x$ and $r$ to the verifier
  • the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
– Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
– Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$. I.e., given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$.
– Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$.
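Pedersen's scheme and the ElGamal variant from the two slides above, as an added Python example that is not from the slides or the Identity Mixer code; the group ($p = 2039$, $q = 1019$, $g = 9$) and the trapdoor $u = \log_g h = 577$ are constructed toy values, included only so that the hiding and binding arguments of the slide can be executed.

```python
# Added example: Pedersen and ElGamal commitments in a toy prime-order group.
# Constructed parameters (NOT secure sizes): p = 2q+1, g = 3^2 generates the
# order-q subgroup, and h = g^u where the trapdoor u is known here only so that
# the hiding and binding arguments of the slide can be executed.
import secrets

P, Q = 2039, 1019
G = 9
U_TRAPDOOR = 577                  # u = log_g h; nobody may know it in real use
H = pow(G, U_TRAPDOOR, P)


def commit(x, r=None):
    """Pedersen: c = g^x h^r with r random in Z_q. Returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, x % Q, P) * pow(H, r, P)) % P, r


def open_check(c, x, r):
    """Verifier side of opening: is c == g^x h^r?"""
    return c == (pow(G, x % Q, P) * pow(H, r, P)) % P


def equivocate(x, r, x_alt, u):
    """Perfect hiding, made explicit: c = g^(x+ur) = g^(x_alt + u r_alt) for
    r_alt = r + (x - x_alt)/u mod q, so for every x' some r' opens c to x'.
    This needs u, which is exactly why a real setup must not leak log_g h."""
    return (r + (x - x_alt) * pow(u, -1, Q)) % Q


def extract_dlog(x1, r1, x2, r2):
    """Computational binding: two openings of one c give g^(x1-x2) = h^(r2-r1),
    hence log_g h = (x1-x2)/(r2-r1) mod q. Breaking binding == solving DL."""
    return ((x1 - x2) * pow((r2 - r1) % Q, -1, Q)) % Q


def elgamal_commit(x, r=None):
    """ElGamal variant: c = (g^x h^r, g^r). g^r fixes r, so the opening is
    unique (perfectly binding), but whoever knows log_g h can recover g^x
    (only computationally hiding)."""
    if r is None:
        r = secrets.randbelow(Q)
    return ((pow(G, x % Q, P) * pow(H, r, P)) % P, pow(G, r, P)), r


def elgamal_open_check(c, x, r):
    return c == ((pow(G, x % Q, P) * pow(H, r, P)) % P, pow(G, r, P))


def elgamal_extract(c, u):
    """Trapdoor holder recovers g^x from an ElGamal commitment: c1 / c2^u."""
    c1, c2 = c
    return (c1 * pow(c2, -u, P)) % P
```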
Commitment Scheme Extended Features
– Proof of knowledge of contents: prove that you know the $m$ inside a commitment, without opening it
– Proof of relations among contents: e.g. prove that the contents satisfy $m' = 2 \cdot m$
– Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$; then
  – $PK\{(\alpha, \beta):\; C = g^{\beta} h^{\alpha}\}$
  – $PK\{(\alpha, \beta, \gamma):\; C = g^{\beta} h^{\alpha} \;\wedge\; C' = (g^{2})^{\beta} h^{\gamma}\}$
Putting things together
Realizing Pseudonyms and Key Binding
– Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
– User's secret key: random $sk \in \mathbb{Z}_q$
– To compute a pseudonym $Nym$: choose random $r \in \mathbb{Z}_q$ and compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials – like PKI, but better
– Issuing a credential (figure: the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
– Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$: $m_1, \dots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$, $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
– Problem: the pseudonym is not in the message space
– Solution: sign the secret key instead → $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
– New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
– The signer sees commitments to $m_1, \dots, m_j$ and the clear messages $(m_{j+1}, \dots, m_k)$, and outputs $\sigma = sig((m_1, \dots, m_j \text{ hidden};\; m_{j+1}, \dots, m_k))$
– Verification remains unchanged: $ver(\sigma, (m_1, \dots, m_k)) = true$
– Security requirements are basically the same as for signatures, but:
  • the signer should not learn any information about $m_1, \dots, m_j$
  • forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
– Issuer's public key: $n, a_i, b, d$
– User (secret key $sk$): chooses random $s'$, computes $C = a_1^{sk} b^{s'}$, and sends $C$ and her name together with $PK\{(\mu_1, \sigma'):\; C = a_1^{\mu_1} b^{\sigma'}\}$
– Issuer: chooses $e, s''$, computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and sends $(c, e, s'')$
– The result is a signature on $(sk, name)$: $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential
– Want to sign w.r.t. $Nym = g^{sk} h^{r}$
– User: computes $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$ and her name together with $PK\{(\mu_1, \rho, \sigma'):\; Nym = g^{\mu_1} h^{\rho} \;\wedge\; C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
– Issuer (public key $n, a_i, b, d$): stores $(Nym, name)$, chooses $e, s''$, computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$ and sends $(c, e, s'')$
– The result: $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
Polling: Scenario and Requirements
– Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
– The user generates a pseudonym (ID for registration)
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer's public key $(n, a_1, a_2, b, d)$
– The credential can contain attributes (e.g. the course ID) about her
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms the credential
3. Transformed credential with a subset of the attributes:
– the user is anonymous and unlinkable
– multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. The user transforms the credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\; P = g_d^{\mu_1} \;\wedge\; d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \;\wedge\; \varepsilon > 2^{\ell+1}\}(opinion)$
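The Schnorr protocol and its SPK form from the slides "Zero Knowledge Proofs of Knowledge of Discrete Logarithms" and "From Protocols To Signatures", applied to the domain-pseudonym polling above, as an added Python example that is not from the slides or the Identity Mixer code; the group $p = 2039$, $q = 1019$, $g = 9$ is a constructed toy group, hash_to_group is an assumed hash-to-subgroup construction, and the CL-credential clause of the slide's SPK is omitted.

```python
# Added example: Schnorr proof of knowledge PK{(alpha): y = g^alpha}, its
# Fiat-Shamir form SPK{(alpha): y = g^alpha}(m), and the polling flow with
# domain pseudonyms P = H(pollID)^sk. Toy group (NOT secure sizes): p = 2q+1,
# g = 3^2 generates the order-q subgroup. Constructed values throughout.
import hashlib
import secrets

P, Q = 2039, 1019
G = 9
NBYTES = (P.bit_length() + 7) // 8


# ---- interactive protocol (slide "Zero Knowledge Proofs of Knowledge ...") ----
def prover_commit(base=G):
    r = secrets.randbelow(Q)
    return r, pow(base, r, P)            # keep r, send t = base^r


def verifier_challenge():
    return secrets.randbelow(Q)          # send random c


def prover_respond(r, c, x):
    return (r - c * x) % Q               # s = r - c*x mod q


def verifier_check(y, t, c, s, base=G):
    return t == (pow(base, s, P) * pow(y, c, P)) % P   # t == base^s * y^c


def simulate(y, c, base=G):
    """Zero-knowledge: without x, pick s first and set t = base^s y^c; the
    transcript (t, c, s) verifies and is distributed like a real one."""
    s = secrets.randbelow(Q)
    return (pow(base, s, P) * pow(y, c, P)) % P, c, s


# ---- Fiat-Shamir (slide "From Protocols To Signatures") ----
def hash_challenge(t, msg):
    h = hashlib.sha256(t.to_bytes(NBYTES, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def spk_sign(x, msg, base=G):
    r, t = prover_commit(base)
    c = hash_challenge(t, msg)           # c = H(base^r || m)
    return c, (r - c * x) % Q            # signature (c, s)


def spk_verify(y, msg, sig, base=G):
    c, s = sig
    t = (pow(base, s, P) * pow(y, c, P)) % P
    return c == hash_challenge(t, msg)   # c == H(base^s y^c || m)


# ---- polling with domain pseudonyms (slides "Polling - Solution") ----
def hash_to_group(poll_id):
    """g_d = H(pollID): hash mod p, squared to land in the order-q subgroup
    (assumed construction; 0 and 1 are mapped to g so g_d is a generator)."""
    h = int.from_bytes(hashlib.sha256(poll_id.encode()).digest(), "big") % P
    h = pow(h, 2, P)
    return h if h not in (0, 1) else G


def domain_pseudonym(sk, poll_id):
    return pow(hash_to_group(poll_id), sk, P)       # P_poll = H(pollID)^sk


def submit_opinion(sk, poll_id, opinion):
    """Token (P_poll, opinion, SPK{(sk): P_poll = g_d^sk}(opinion)). The CL
    credential clause of the slide's SPK is left out of this example."""
    g_d = hash_to_group(poll_id)
    return domain_pseudonym(sk, poll_id), opinion, spk_sign(sk, opinion, g_d)


class Pollster:
    """Verifier side: one opinion per domain pseudonym, repeats are dropped."""

    def __init__(self, poll_id):
        self.g_d = hash_to_group(poll_id)
        self.seen = set()
        self.opinions = []

    def accept(self, token):
        pseud, opinion, sig = token
        if not spk_verify(pseud, opinion, sig, self.g_d):
            return False                 # proof of sk fails
        if pseud in self.seen:
            return False                 # same user again: dropped
        self.seen.add(pseud)
        self.opinions.append(opinion)
        return True
```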
Further Concepts
Concept – Inspection
– A TTP (the inspector) publishes the inspector parameters; the verifier's policy states the inspection grounds
• If the car is damaged, the ID has to be retrievable with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
© 2014 IBM Corporation, August 11, 2015
From Protocols To Signatures
Signing a message m:
- choose random $r \in \mathbb{Z}_q$ and
- compute $t = g^r$, $c = H(t \,\|\, m)$ and $s = r - c x \bmod q$
- output $(c, s)$
Verifying a signature $(c, s)$ on a message m:
- check $c = H(g^s y^c \,\|\, m)$; this works because $g^s y^c = g^{r - cx} g^{cx} = g^r = t$
Security:
- the underlying protocol is a zero-knowledge proof of knowledge
- the hash function $H()$ behaves as a "random oracle"
Signature: $SPK\{(\alpha): y = g^\alpha\}(m)$
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
 $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
 $PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
 $SPK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
 $PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
 $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
 $PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does
 $PK\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that
 $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
 $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$, i.e. the content of $C_3$ is the sum of the contents of $C_1$ and $C_2$
And what about
 $PK\{(\alpha_1, \ldots, \beta_3): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = g^{\alpha_1} (g^5)^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} g^{5 \alpha_2} h^{\beta_3} = g^{\alpha_1 + 5 \alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5 \alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
rarr a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's credential is built from three building blocks: a signature scheme, a commitment scheme and zero-knowledge proofs)
Signature Schemes
Signature Scheme Functionality
- Key generation: the signer generates a signing key and the corresponding public verification key
- Signing: $\sigma = \mathrm{sig}((m_1, \ldots, m_k), sk)$
- Verification: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$
Signature Scheme Security: Unforgeability under Adaptive Chosen Message Attack
- the adversary adaptively asks for signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice
- it wins if it outputs $\sigma$ and $m \ne m_i$ s.t. $\mathrm{ver}(\sigma, m, pk) = \mathrm{true}$; a secure scheme makes this infeasible
RSA Signature Scheme, for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: $n = pq$, a prime e, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature s on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme, for reference
Verification of signature s on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g.
 $PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-( $H(m)$ is not an algebraic function of the secret m, so the discrete-logarithm proof techniques above do not apply. This is why the CL signature scheme below is built so that its verification equation is a product of exponentiations of the messages.
CL-Signature Scheme
Public key of signer: RSA modulus n and $a_i, b, d \in QR_n$
Secret key: factors of n
To sign k messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
- choose a random prime e with $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$
- compute $c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^s)\right)^{1/e} \bmod n$ (the e-th root is computed with the secret factors of n)
- the signature is $(c, e, s)$
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- check $m_1, \ldots, m_k \in \{0,1\}^\ell$ and $e > 2^{\ell+1}$
- check $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe: let $c' = c \cdot b^t \bmod n$ with randomly chosen t.
Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$. Since t is fresh, $c'$ is unrelated to c and can be shown to the verifier.
To prove knowledge of the signature $(c', e, s')$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and
 $PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^\varepsilon a_1^{\mu_1} a_2^{m_2} b^\sigma$, i.e. knowledge of a valid signature on $(\mu_1, m_2)$
Privacy-protecting authentication with Privacy ABCs
(figure: building blocks recap: signature scheme, commitment scheme, zero-knowledge proofs)
Commitment Schemes
Commitment Scheme Functionality
(figure: the committer puts a message m, e.g. 2-36-17, into a sealed envelope and hands it over; later she opens the envelope and the receiver reads m)
- commit: a commitment to m is created and sent; the receiver learns nothing yet
- open: the committer reveals m (and the opening information); the receiver checks that it matches the commitment
Commitment Scheme Security
- Binding: a commitment to m (e.g. 2-36-17) cannot be opened to a different message m' (e.g. 3-21-11)
- Hiding: for all messages m, m', a commitment to m is indistinguishable from a commitment to m'
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order q
To commit to an element $x \in \mathbb{Z}_q$:
- Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
- ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment:
- reveal x and r to the verifier
- the verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding:
- Let c be a commitment to x with randomness r, and let $u = \log_g h$ (nobody knows it, but it exists).
- Thus $c = g^x h^r = g^{x + ur}$, and for any $x'$ we can write $c = g^{x' + ur'}$ with $r' = r + (x - x')/u \bmod q$, i.e. $c = g^{x'} h^{r'}$.
- I.e. given c and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$: the commitment carries no information about x.
Computationally binding:
- Let c, (x, r) and (x', r') with $(x, r) \ne (x', r')$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
- Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$: two different openings reveal the discrete logarithm of h, which is assumed to be hard to compute.
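The hiding and binding arguments above, carried into code as an added example (not part of the original slides): Pedersen commit and open over a toy safe-prime group, an equivocate() that uses the trapdoor $u = \log_g h$ to open a commitment to any other value (the perfect-hiding argument), and extract_trapdoor() that recovers u from two different openings of one commitment (the binding argument). The parameters p = 1019, q = 509, g = 4 and all function names are assumptions chosen for illustration.

```python
"""Pedersen commitments over a toy safe-prime group, with the hiding argument
(trapdoor equivocation) and the binding argument (a double opening reveals
log_g h) carried into code. Added example; parameters are for illustration only."""
import secrets

# p = 2q + 1 is a safe prime and g = 4 = 2^2 is a square, hence of order q.
# Assumption: toy sizes; real deployments use a 2048-bit MODP group or a curve.
P, Q, G = 1019, 509, 4


def setup():
    """h = g^u. Whoever knows the trapdoor u can open a commitment to anything,
    so u must be discarded (or h derived by hashing so that nobody knows it)."""
    u = secrets.randbelow(Q - 1) + 1
    return pow(G, u, P), u


def commit(x, h, r=None):
    """c = g^x h^r for fresh r in Z_q; returns (c, r) so the committer can open later."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x % Q, P) * pow(h, r % Q, P) % P, r


def open_ok(c, x, r, h):
    """Receiver side of opening: recompute g^x h^r and compare."""
    return commit(x, h, r)[0] == c


def equivocate(x, r, x_new, u):
    """Perfect hiding: c = g^(x + u r), so for every x' there is r' = r + (x - x')/u
    with g^x' h^r' = c. Computing r' needs u, which is why the scheme is only
    computationally binding."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def extract_trapdoor(x, r, x2, r2):
    """Binding argument: two openings (x, r) != (x2, r2) of the same c give
    g^(x - x2) = h^(r2 - r), i.e. log_g h = (x - x2) / (r2 - r) mod q."""
    if (x - x2) % Q == 0:
        raise ValueError("same committed value: no trapdoor to extract")
    return (x - x2) * pow((r2 - r) % Q, -1, Q) % Q


if __name__ == "__main__":
    h, u = setup()
    c, r = commit(123, h)
    print("opens correctly:", open_ok(c, 123, r, h))
    r2 = equivocate(123, r, 77, u)          # only possible with the trapdoor
    print("also opens to 77:", open_ok(c, 77, r2, h))
    print("recovered trapdoor:", extract_trapdoor(123, r, 77, r2) == u)
```

The two helper functions are the two sides of the same coin: equivocate() shows that a commitment is consistent with every value (so it hides), and extract_trapdoor() shows that producing two openings is as hard as computing $\log_g h$ (so it binds).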
Commitment Scheme Extended Features
(figure: proof of knowledge of contents: the committer proves knowledge of the m inside a commitment without opening it; proof of relations among contents: she proves, e.g., that a second commitment contains $m' = 2 \cdot m$)
- Proof of Knowledge of Contents
- Proof of Relations among Contents
Let $C_1 = g^m h^r$ and $C_2 = g^{m'} h^{r'}$; then
 $PK\{(\alpha, \beta): C_1 = g^\beta h^\alpha\}$ proves knowledge of the content of $C_1$, and
 $PK\{(\alpha, \beta, \gamma): C_1 = g^\beta h^\alpha \wedge C_2 = (g^2)^\beta h^\gamma\}$ proves that $m' = 2m$ (the exponent $\beta$ is shared between both equations)
Putting Things Together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order q
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym Nym:
- choose random $r \in \mathbb{Z}_q$
- compute $Nym = g^{sk} h^r$ (a Pedersen commitment to sk; different r give unlinkable pseudonyms for the same key)
Privacy-protecting authentication with Privacy ABCs
Concept: credentials
(figure: issuing a credential, "like PKI, but better"; the issuer certifies attributes such as Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall: a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ satisfies
- $m_1, \ldots, m_k \in \{0,1\}^\ell$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(figure: the user hands the signer commitments to $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$; the signer returns $\sigma = \mathrm{sig}((m_1, \ldots, m_j \text{ hidden}, m_{j+1}, \ldots, m_k), sk)$)
Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), pk) = \mathrm{true}$
Security requirements are basically the same as for signatures, but
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$
1. The user computes $C = a_1^{sk} b^{s'}$ and sends C and her name to the issuer, together with
 $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
 (so the issuer knows C is well-formed without learning sk)
2. The issuer chooses a prime e and a random $s''$, computes
 $c = \left(d / (C \cdot a_2^{name} b^{s''})\right)^{1/e} \bmod n$
 and returns $(c, e, s'')$
3. The user sets $s = s'' + s'$; her credential $(c, e, s)$ satisfies
 $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential
Want to sign w.r.t. $Nym = g^{sk} h^r$
Issuer's public key: $n, a_i, b, d$
1. The user computes $Nym = g^{sk} h^r$ and $C = a_1^{sk} a_2^{r} b^{s'}$, sends Nym, C and her name, together with
 $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^\rho \wedge C = a_1^{\mu_1} a_2^\rho b^{\sigma'}\}$
 (the shared $\mu_1, \rho$ bind C to the pseudonym)
2. The issuer stores (Nym, name), chooses e and $s''$, computes
 $c = \left(d / (C \cdot a_3^{name} b^{s''})\right)^{1/e} \bmod n$
 and returns $(c, e, s'')$
3. The user's credential $(c, e, s'' + s')$ satisfies
 $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
© 2013 IBM Corporation, October 28, 2014 (footer of this slide)
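The CL signature scheme and the issuance on a committed secret key shown above, as an added example in code (not the Identity Mixer implementation): key generation, issuance of $(c, e, s'')$ on $U = a_1^{sk} b^{s'}$ without the issuer seeing sk, verification of the assembled credential $(c, e, s' + s'')$, and a proof of knowledge of a re-randomised signature $(c' = c\,b^t, e, s - et)$ that hides chosen messages, in the style of the $PK$ on the "Proving Knowledge of a CL-signature" slide. The toy 60-bit modulus built from two well-known primes, the message length L = 16, the challenge and slack sizes and all names are assumptions of this example; the proof of knowledge that should accompany U and the interval proofs for $\mu_i$ and e are replaced by a loose response-size check, which a production implementation must not do.

```python
"""CL-RSA signatures on a toy modulus: key generation, issuance on a committed
secret key, verification, and a Fiat-Shamir proof of knowledge of a signature
that reveals only chosen messages. Added example, not Identity Mixer code."""
import hashlib
import math
import secrets

# Assumption: toy modulus from two well-known primes so the example runs at once;
# a real issuer uses a >= 2048-bit modulus whose factors are safe primes.
_P, _Q = 1000000007, 1000000009
N, PHI = _P * _Q, (_P - 1) * (_Q - 1)      # PHI is the issuer's secret key
L = 16                                     # message length: m_i in {0,1}^L
K, STAT = 128, 80                          # challenge bits, statistical ZK slack

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def random_e():
    """Random prime 2^(L+1) < e < 2^(L+2) that is invertible mod phi(n)."""
    while True:
        e = (secrets.randbelow(1 << (L + 1)) + (1 << (L + 1))) | 1
        if is_prime(e) and math.gcd(e, PHI) == 1:
            return e

def keygen(k):
    """Public key: bases a_1..a_k, b, d as random squares, i.e. elements of QR_n."""
    sq = lambda: pow(secrets.randbelow(N - 2) + 2, 2, N)
    return {"a": [sq() for _ in range(k)], "b": sq(), "d": sq()}

def user_commit(pk, sk):
    """User side of issuance: U = a_1^sk b^s' (the accompanying proof of knowledge
    of sk and s' is omitted in this example)."""
    s1 = secrets.randbits(N.bit_length() + STAT)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1

def issue(pk, U, clear_msgs):
    """Issuer side: c = (d / (U a_2^m_2 ... b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e, s2 = random_e(), secrets.randbits(N.bit_length() + STAT)
    acc = U * pow(pk["b"], s2, N) % N
    for a, m in zip(pk["a"][1:], clear_msgs):
        acc = acc * pow(a, m, N) % N
    return pow(pk["d"] * pow(acc, -1, N) % N, pow(e, -1, PHI), N), e, s2

def sign(pk, msgs):
    """Plain signing is issuance with m_1 'committed' using s' = 0."""
    return issue(pk, pow(pk["a"][0], msgs[0], N), msgs[1:])

def verify(pk, msgs, sig):
    """d = c^e a_1^m_1 ... a_k^m_k b^s mod n plus the length conditions on m_i and e."""
    c, e, s = sig
    ok = all(0 <= m < 1 << L for m in msgs) and 1 << (L + 1) < e < 1 << (L + 2)
    acc = pow(c, e, N) * pow(pk["b"], s, N) % N
    for a, m in zip(pk["a"], msgs):
        acc = acc * pow(a, m, N) % N
    return ok and acc == pk["d"]

def _challenge(pk, c1, revealed, hidden, t, message):
    data = repr((pk["a"], pk["b"], pk["d"], c1, sorted(revealed.items()), list(hidden), t))
    return int.from_bytes(hashlib.sha256(data.encode() + message).digest()[:K // 8], "big")

def prove_knowledge(pk, sig, msgs, hidden, message=b""):
    """SPK{(eps, mu_i, sigma): d / prod_revealed a_i^m_i = c'^eps prod_hidden a_i^mu_i b^sigma}(message)
    on (c' = c b^t, e, s - e t). The group order is unknown, so responses are plain
    integers and the randomisers carry K + STAT extra bits to hide the witnesses."""
    c, e, s = sig
    t = secrets.randbits(N.bit_length() + STAT)
    c1, s1 = c * pow(pk["b"], t, N) % N, s - e * t
    bases = [c1] + [pk["a"][i] for i in hidden] + [pk["b"]]
    wits = [e] + [msgs[i] for i in hidden] + [s1]
    rnd = [secrets.randbits(abs(w).bit_length() + K + STAT) for w in wits]
    tt = 1
    for base, r in zip(bases, rnd):
        tt = tt * pow(base, r, N) % N
    revealed = {i: m for i, m in enumerate(msgs) if i not in hidden}
    ch = _challenge(pk, c1, revealed, hidden, tt, message)
    return c1, revealed, ch, [r + ch * w for r, w in zip(rnd, wits)]

def verify_knowledge(pk, hidden, proof, message=b""):
    """Recompute t = target^(-c) prod base^response and compare the challenge."""
    c1, revealed, ch, resp = proof
    bases = [c1] + [pk["a"][i] for i in hidden] + [pk["b"]]
    if len(resp) != len(bases):
        return False
    target = pk["d"]
    for i, m in revealed.items():
        target = target * pow(pk["a"][i], -m, N) % N
    tt = pow(target, -ch, N)
    for base, z in zip(bases, resp):
        tt = tt * pow(base, z, N) % N
    # Loose size check standing in for the slides' interval proofs (mu_i in {0,1}^L):
    # a response longer than L + K + STAT + 1 bits cannot stem from an L-bit mu_i.
    small = all(z.bit_length() <= L + K + STAT + 1 for z in resp[1:-1])
    return small and ch == _challenge(pk, c1, revealed, hidden, tt, message)

if __name__ == "__main__":
    pk = keygen(3)                                   # a_1: sk, a_2: name, a_3: course
    sk = secrets.randbits(L)
    U, s1 = user_commit(pk, sk)
    c, e, s2 = issue(pk, U, [1234, 42])              # issuer signs without seeing sk
    cred, msgs = (c, e, s1 + s2), [sk, 1234, 42]
    print("credential verifies:", verify(pk, msgs, cred))
    proof = prove_knowledge(pk, cred, msgs, hidden=[0, 1], message=b"poll-1:opinion")
    print("course shown, sk and name hidden:", verify_knowledge(pk, [0, 1], proof, b"poll-1:opinion"))
```

Two details matter for the polling and inspection scenarios later in the deck: the message argument plays the role of the signed "(opinion)" in an $SPK$, so the proof cannot be replayed for a different opinion, and the exponents are never reduced, because the prover does not know the order of $QR_n$; the extra K + STAT random bits are what keep the integer responses from leaking the witnesses.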
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
- only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- a user can voice her opinion only once (subsequent attempts are dropped)
- users want to be anonymous
- a user's opinions in different polls must not be linkable
Polling – Solution: Registration
- the user generates a pseudonym (ID for registration)
- the user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
 $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer key $(n, a_1, a_2, a_3, b, d)$
- the credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. the user generates a domain pseudonym, domain = pollID
2. the user transforms the credential
3. the user sends the transformed credential with a subset of the attributes
- the user is anonymous and unlinkable
- multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption), while within one poll the same sk always yields the same P, which is how a second opinion is detected
2. The user transforms the credential, $c' = c \cdot b^{t} \bmod n$ with randomly chosen t, sends $c'$, P and the opinion, and proves
 $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
 (the shared $\mu_1$ binds the domain pseudonym to the sk certified in the credential; signing the opinion with the SPK binds the opinion to this proof)
Further Concepts
Concept – Inspection
(figure: the user presents a credential to the verifier and additionally encrypts her identity under the public key of an off-line TTP, the inspector; the inspector parameters and the inspection grounds are part of the presentation policy)
- if the car is damaged, the ID must be retrievable with the insurance or the government
- similarly, any certified attribute can be verifiably encrypted (optional)
- the TTP is off-line and can be distributed to lessen trust
Public Key Encryption
(figure: key generation, encryption with the public key, decryption with the secret key)
Security: like envelopes
(figure: the adversary sees a ciphertext and cannot tell whether it contains m or m')
- no information about the message is revealed
- this is called semantic security (secure if a key is used once only, or within a careful construction)
Verifiable Encryption with Label
(figure: the user encrypts under the inspector's public key and proves to the verifier what the ciphertext contains)
- the label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
- security definition: a change of the label yields a new ciphertext (the label is authenticated together with the ciphertext, so it cannot be swapped afterwards)
Verifiable Encryption
- of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
- open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order q
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^x$
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^r \cdot m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
- we know $c = (y^r \cdot m, g^r) = (g^{xr} \cdot m, g^r)$
- thus set $m = c_1 \cdot c_2^{-x} = y^r m \cdot g^{-xr} = y^{r - r} m = m$
Realizing Inspection
The user holds $Nym = g^{sk} h^r$ and a credential $(c, e, s'' + s')$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt Nym: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u \cdot Nym, g^u) = (e_1, e_2)$
Compute proof token (presentation token):
- compute $c' = c \cdot b^t \bmod n$ with randomly chosen t
- compute the proof
 $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^\varepsilon a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^\sigma \wedge e_1 = y^\rho g^{\mu_1} h^{\mu_2} \wedge e_2 = g^\rho \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
 (the shared $\mu_1, \mu_2$ guarantee that the ciphertext contains the Nym certified in the credential, so the inspector can later recover $Nym = e_1 \cdot e_2^{-x}$)
Revocation of Credentials
Anonymous Credential Revocation
(figure: the issuer publishes revocation information; the verifier looks it up)
- Alice should be able to convince the verifier that her credential is among the good ones
- various reasons to revoke a credential: the user lost the credential or her secret key, misbehavior of the user
- pseudonyms → standard revocation lists, which name the revoked credential, don't work
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
- choose random g
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c'^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_1 = g^\mu) \vee \ldots \vee (d = c'^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U_k = g^\mu)\}$
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
- choose random h and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c'^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge U = h^\mu\}$
- the verifier checks that $U \ne h^{u_j}$ for all $u_j$ on the list (a match would mean Alice's ID is revoked)
Better, as only the verifier needs to do the linear work (and it can be improved using so-called batch verification)
What happens when a $u_i$ becomes public, i.e. once the credential is revoked? Everybody who stored (h, U) from an earlier transaction can test $U = h^{u_i}$, so all past transactions of a revoked credential become linkable. (Publishing the list of all valid $u_i$'s instead would make every transaction linkable.)
Revocable Credentials: Second Solution (variation)
- the verifier could choose h and keep it fixed for a while: it can then pre-compute the list $U_j = h^{u_j}$ → a single table lookup per presentation
- BUT if the user comes again she sends the same $U = h^{u_i}$, so the verifier can link her visits
- ALSO the verifier could decide not to change h at all, or use the same h as other verifiers, and link across verifiers
- one way out: $h = H(verifier, date)$, so the user can check that h is correct; the date could be the time up to seconds, and the verifier simply stores all the pre-computed lists
... better implementation of the proof (Second Solution)
(figure: the ID space $0 \ldots N$ with revoked IDs 1, 4, 5; Alice's ID is 3)
- the issuer signs the intervals between revoked IDs: for the revocation list {1, 4, 5} it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
- Alice's credential contains her ID u (here 3); she proves that she knows a signature Sig(i,j) with $i < u < j$
- the verifier does not learn i, j (nor u), and the proof is independent of the length of the revocation list
- Sig(i,j) can be realised with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
(figure: serial numbers 1 to 6 of issued credentials; the accumulator contains the good ones)
- credentials contain a random serial number
- the issuer accumulates all good serial numbers
- a proof that a serial number is included in the accumulator requires a witness
- to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
- values are primes $e_i$
- accumulator value $z = v^{\prod e_i} \bmod n$
- publish z and n
- the witness value x for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to come up with (x, e) s.t. $z = x^e \bmod n$ for an e that is not contained in the accumulator
- for a fixed e: equivalent to the RSA assumption
- for any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets the witness x together with the certificate. But we still need
- an efficient protocol to prove that a committed value is contained in the accumulator (revealing e would make all transactions linkable)
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- commit to x: choose random s and g, compute $U_1 = x h^s$ and $U_2 = g^s$, and reveal $U_1, U_2, g$
- run the proof protocol with the verifier:
 $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c'^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n \wedge z = U_1^\mu (1/h)^\xi \pmod n \wedge 1 = U_2^\mu (1/g)^\xi \pmod n \wedge U_2 = g^\delta \pmod n\}$
Analysis:
- no information about x and e is revealed: $(U_1, U_2)$ is a secure commitment to x, and the proof protocol is zero-knowledge
- the proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
 a) $1 = U_2^\mu (1/g)^\xi = (g^\delta)^\mu (1/g)^\xi \pmod n$ ⇒ $\xi = \delta \mu$
 b) $z = U_1^\mu (1/h)^\xi = U_1^\mu (1/h)^{\delta \mu} = (U_1 h^{-\delta})^\mu \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for the value $\mu$
 c) $d = c'^\varepsilon a_1^\rho a_2^\mu b^\sigma \pmod n$, i.e. the same $\mu$ is the serial number signed in the certificate
Revocation, Third Solution: Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- thus $z' = z^{e_{new}} \bmod n$
- but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation, Third Solution: Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
- now $z' = v^{\prod_{i \ne rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer computes this with the factorization of n)
- witness update: use the extended Euclidean algorithm to compute a and b s.t. $a \cdot e_{own} + b \cdot e_{rev} = 1$
- now $x' = x^b z'^a \bmod n$
- why: $x'^{e_{own}} = \left((x^b z'^a)^{e_{own} \cdot e_{rev}}\right)^{1/e_{rev}} = \left((x^{e_{own}})^{b \cdot e_{rev}} (z'^{e_{rev}})^{a \cdot e_{own}}\right)^{1/e_{rev}} = \left(z^{b \cdot e_{rev}} z^{a \cdot e_{own}}\right)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
 (using $x^{e_{own}} = z$, $z'^{e_{rev}} = z$ and $a \cdot e_{own} + b \cdot e_{rev} = 1$; a and b only exist because the $e_i$ are distinct primes, so the revoked user herself cannot repair her witness)
Revocation, Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing $e_{new}$:
- recall $z = v^{\prod e_i} \bmod n$
- actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user the witness $x = z^{1/e_{new}} \bmod n$
- thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
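The accumulator operations of the third solution, as an added example in code (not the Identity Mixer implementation): accumulate prime serial numbers, compute and verify witnesses, add a member both the basic way (z changes, everybody updates) and with the factorisation trapdoor (z unchanged), revoke a member, and update the remaining holders' witnesses with the extended-Euclid relation $a \cdot e_{own} + b \cdot e_{rev} = 1$. The toy modulus built from two well-known primes, the 20-bit serials and the class and function names are assumptions of this example.

```python
"""RSA dynamic accumulator for revocation: accumulate prime serial numbers,
issue and verify witnesses, join with and without the factorisation trapdoor,
revoke, and repair witnesses. Added example, not Identity Mixer code."""
import math
import secrets

# Assumption: toy modulus from two well-known primes; real accumulators use a
# >= 2048-bit modulus whose factorisation only the issuer knows.
_P, _Q = 1000000007, 1000000009
N, PHI = _P * _Q, (_P - 1) * (_Q - 1)


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def verify(z, e, x):
    """Membership check performed by a verifier: x^e = z mod n."""
    return pow(x, e, N) == z


class Issuer:
    def __init__(self):
        self.v = pow(secrets.randbelow(N - 2) + 2, 2, N)   # seed v in QR_n
        self.z = self.v                                    # accumulator of the empty set
        self.members, self.issued = set(), set()

    def new_serial(self, bits=20):
        """Fresh prime serial number for a credential (odd, unused, coprime to phi)."""
        while True:
            e = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if is_prime(e) and e not in self.issued and math.gcd(e, PHI) == 1:
                self.issued.add(e)
                return e

    def add(self, e):
        """Basic join: z' = z^e; every existing witness must become x^e."""
        self.members.add(e)
        self.z = pow(self.z, e, N)
        return self.z

    def witness(self, e):
        """Witness for member e from scratch: v^(product of all other members)."""
        x = self.v
        for other in self.members - {e}:
            x = pow(x, other, N)
        return x

    def add_with_trapdoor(self, e):
        """Improved join: z stays put, the seed becomes v^(1/e) and the newcomer's
        witness is z^(1/e); nobody else needs to update anything."""
        self.members.add(e)
        inv = pow(e, -1, PHI)
        self.v = pow(self.v, inv, N)
        return pow(self.z, inv, N)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev), computable only with phi(n); holders must update."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def witness_after_join(x, e_new):
    """Holder-side update after a basic join: x' = x^e_new."""
    return pow(x, e_new, N)


def witness_after_revocation(x, z_new, e_own, e_rev):
    """Holder-side update after e_rev was revoked: with a*e_own + b*e_rev = 1,
    x' = x^b * z'^a satisfies x'^e_own = z'. Raises ValueError if e_own == e_rev:
    the revoked holder cannot repair her own witness."""
    a = pow(e_own, -1, e_rev)          # a * e_own = 1 (mod e_rev)
    b = (1 - a * e_own) // e_rev       # exact by construction, negative
    return pow(x, b, N) * pow(z_new, a, N) % N


if __name__ == "__main__":
    iss = Issuer()
    e1, e2 = iss.new_serial(), iss.new_serial()
    iss.add(e1); x1 = iss.witness(e1)
    iss.add(e2); x1, x2 = witness_after_join(x1, e2), iss.witness(e2)
    e3 = iss.new_serial(); x3 = iss.add_with_trapdoor(e3)
    print("all members verify:", all(verify(iss.z, e, x) for e, x in [(e1, x1), (e2, x2), (e3, x3)]))
    z_new = iss.revoke(e2)
    x1 = witness_after_revocation(x1, z_new, e1, e2)
    print("e1 still verifies:", verify(z_new, e1, x1), "| revoked e2:", verify(z_new, e2, x2))
```

The invariant maintained throughout is $z = v^{\prod_{members} e_i}$: the basic join raises z, the trapdoor join lowers the seed instead, and revocation takes an $e_{rev}$-th root of z, which is exactly why only the issuer (who knows $\varphi(n)$) can revoke, while any holder can repair her witness from public data.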
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid (the time attribute shown in the proof is current) → no need to check revocation updates from the issuer
Revocation: Zeroth Solution, re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$ (with a proof of knowledge of its representation); the issuer chooses e, $s''$ and computes
 $c = \left(d / (U \cdot a_3^{m_3} a_4^{time} b^{s''})\right)^{1/e} \bmod n$
and returns $(c, e, s'')$
Idea: just repeat the last step for each new validity period $time_i$: the issuer chooses $e_i, s_i''$ and computes
 $c_i = \left(d / (U \cdot a_3^{m_3} a_4^{time_i} b^{s_i''})\right)^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; no interaction with the user is needed because the issuer keeps U
Conclusions
Roadmap:
- explain the possibilities to engineers, policy makers etc.
- usable prototypes
- provide transparency
- public infrastructure for privacy protection
- laws with teeth (encourage investment in privacy)
Challenges:
- Internet services get paid with personal data (inverse incentive)
- end users are not able to handle their data (user interfaces)
- security technology is typically invisible and hard to sell
Towards a secure information society:
- society changes quickly and gets shaped by technology
- consequences are hard to grasp (time will show)
- we must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code: github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. EUROCRYPT '87, LNCS vol. 304, pp. 127–141, Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. EUROCRYPT '97, LNCS vol. 1233, pp. 318–333, Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch, A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- G. Ateniese, D. Song, G. Tsudik. Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag.
- J. Camenisch, N. Casati, T. Gross, V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- J. Camenisch, M. Dubovitskaya, G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval, M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185–215, Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets With Observers. CRYPTO '93, Springer-Verlag, 1993.
- J. Camenisch, A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
- J. Camenisch, V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. CRYPTO '84.
copy 2014 IBM Corporation59 August 11 2015
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα
PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
SPK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)
PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2014 IBM Corporation60 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
rarr α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
rarr a3 = a1 + 5 a2 (mod q)
copy 2014 IBM Corporation61 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
rarr a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
Commitment Scheme: Functionality
(figure: the committer locks a message $m$ in a box and hands the box over; later she opens the box and the recipient sees $m$)
Commitment Scheme: Security – Binding
(figure: a box committed to $m$ cannot later be opened to a different message $m'$)
Commitment Scheme: Security – Hiding
(figure: for all messages $m, m'$ the closed boxes are indistinguishable)
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
  • Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
  • ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r},\, g^{r})$
To open a commitment:
  • reveal $x$ and $r$ to the verifier
  • verifier checks whether $c = g^{x} h^{r}$ (for ElGamal, both components)
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then
  $c = g^{x} h^{r} = g^{x + ur} = g^{(x + u(r - r')) + ur'} = g^{x'} h^{r'}$ with $x' = x + u(r - r')$, for any $r'$.
I.e. given $c$ and any $x'$ there exists an $r'$ (namely $r' = r + (x - x')\,u^{-1} \bmod q$) such that $c = g^{x'} h^{r'}$: the commitment carries no information about $x$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ be s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$.
  Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$, i.e. whoever opens a commitment in two ways has computed the discrete logarithm of $h$ w.r.t. $g$.
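The two halves of the argument above, run as code. This is an added example and not part of the slides or of the Identity Mixer implementation; it uses a toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, $2039 = 2 \cdot 1019 + 1$) so that the numbers stay readable, and `equivocate` plays the role of a trapdoor holder who knows $u = \log_g h$, which honest parties never do.

```python
# Added example (not from the slides): Pedersen commitments in a toy prime-order
# group. Shows (1) hiding from the trapdoor side: whoever knows u = log_g h can
# reopen any commitment to any value, so c cannot leak x; and (2) binding: two
# different openings of one commitment reveal u, i.e. a discrete logarithm.
import secrets

P = 2039   # safe prime, p = 2q + 1 (toy size)
Q = 1019   # prime order of the subgroup we work in
G = 4      # 2^2 is a square, hence generates the order-q subgroup


def commit(x: int, r: int, g: int, h: int) -> int:
    """Pedersen commitment c = g^x h^r mod p."""
    return pow(g, x, P) * pow(h, r, P) % P


def open_ok(c: int, x: int, r: int, g: int, h: int) -> bool:
    """Verifier's check of an opening (x, r)."""
    return c == commit(x, r, g, h)


def equivocate(x: int, r: int, x_new: int, u: int) -> int:
    """Trapdoor reopening: with h = g^u, c = g^(x + u r) also equals
    g^x_new h^r_new for r_new = r + (x - x_new) / u (mod q)."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q


def extract_log(x1: int, r1: int, x2: int, r2: int) -> int:
    """Binding break -> discrete log: g^x1 h^r1 = g^x2 h^r2 gives
    g^(x1 - x2) = h^(r2 - r1), so u = log_g h = (x1 - x2) / (r2 - r1) mod q."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


def demo() -> dict:
    u = secrets.randbelow(Q - 1) + 1      # trapdoor; honest setup discards it
    h = pow(G, u, P)
    x, r = 17, secrets.randbelow(Q)
    c = commit(x, r, G, h)
    x_new = 999
    r_new = equivocate(x, r, x_new, u)    # same c, different message
    return {
        "opens_to_x": open_ok(c, x, r, G, h),
        "also_opens_to_x_new": open_ok(c, x_new, r_new, G, h),
        "double_opening_reveals_u": extract_log(x, r, x_new, r_new) == u,
    }
```

The practical consequence: the party that generates $h$ must not know $\log_g h$ (derive $h$ by hashing, or let the verifier choose it), otherwise the commitment is not binding against that party.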
Commitment Scheme: Extended Features
Proof of knowledge of contents (figure: the prover convinces the verifier that she knows the $m$ inside the box, without opening it)
Proof of relations among contents (figure: for two boxes the prover shows $m' = 2 \cdot m$)
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$; then
  PK$\{(\alpha, \beta) : C_1 = g^{\beta} h^{\alpha}\}$ – knowledge of the opening of $C_1$
  PK$\{(\alpha, \beta, \gamma) : C_1 = g^{\beta} h^{\alpha} \;\wedge\; C_2 = (g^{2})^{\beta} h^{\gamma}\}$ – the value in $C_2$ is twice the value in $C_1$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym Nym:
  – choose random $r \in \mathbb{Z}_q$
  – compute $\mathrm{Nym} = g^{sk} h^{r}$ (a Pedersen commitment to the secret key)
Privacy-protecting authentication with Privacy ABCs – Concept: credentials
Issuing a credential: like PKI, but better.
(figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of a Credential
Recall: a signature $(c, e, s)$ on messages $m_1, \dots, m_k$ satisfies
  – $m_1, \dots, m_k \in \{0,1\}^\ell$
  – $e > 2^{\ell+1}$
  – $d = c^{e}\, a_1^{m_1} \cdots a_k^{m_k}\, b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
  → $d = c^{e}\, a_1^{sk}\, a_2^{m_2} \cdots a_k^{m_k}\, b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(figure: the signer receives commitments to the hidden messages $m_1, \dots, m_j$ together with the clear messages $m_{j+1}, \dots, m_k$)
  $\sigma = \mathrm{sig}(\mathrm{commit}(m_1), \dots, \mathrm{commit}(m_j), m_{j+1}, \dots, m_k)$
Verification remains unchanged: $\mathrm{ver}(\sigma, (m_1, \dots, m_k)) = \mathrm{true}$.
Security requirements are basically the same as for signatures, but
  • the signer should not learn any information about $m_1, \dots, m_j$
  • forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer's public key: $n, a_i, b, d$.
1. User computes $C = a_1^{sk}\, b^{s'} \bmod n$ and sends $C$ and her clear attribute (name) to the issuer.
2. User proves knowledge of the opening of $C$: PK$\{(\mu_1, \sigma') : C = a_1^{\mu_1}\, b^{\sigma'}\}$.
3. Issuer chooses $e$ and $s''$, computes $c = \left(\frac{d}{C\, a_2^{\mathrm{name}}\, b^{s''}}\right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The user's credential is $(c, e, s'' + s')$: $d = c^{e}\, a_1^{sk}\, a_2^{\mathrm{name}}\, b^{s'' + s'} \pmod n$.
Realizing Issuance of a Credential – w.r.t. a pseudonym
Issuer's public key: $n, a_i, b, d$. Want to sign w.r.t. $\mathrm{Nym} = g^{sk} h^{r}$.
1. User sends Nym, $C = a_1^{sk}\, a_2^{r}\, b^{s'} \bmod n$ and her name, and proves that $C$ and Nym hide the same secret key:
   PK$\{(\mu_1, \rho, \sigma') : \mathrm{Nym} = g^{\mu_1} h^{\rho} \;\wedge\; C = a_1^{\mu_1}\, a_2^{\rho}\, b^{\sigma'}\}$
2. Issuer stores (Nym, name), chooses $e$ and $s''$, computes $c = \left(\frac{d}{C\, a_3^{\mathrm{name}}\, b^{s''}}\right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The user's credential satisfies $d = c^{e}\, a_1^{sk}\, a_2^{r}\, a_3^{\mathrm{name}}\, b^{s'' + s'} \pmod n$.
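The CL-signature equations of the last few slides (signing, verification, the re-randomisation $c' = c\,b^{t}$, $s' = s - et$ used before every proof, and the blind issuance on a committed secret key) as an added, runnable example. This is not code from the slides or from Identity Mixer; it assumes a toy modulus built from two Mersenne primes (trivially factorable, so useless for security), $\ell = 16$-bit messages, and Python 3.8+ for `pow(x, -1, m)`. The user's proof of knowledge of the opening of $C$ during issuance is omitted.

```python
# Added example (not from the slides): CL signatures on a toy RSA modulus.
import secrets
from math import gcd

L_MSG = 16                                          # messages m_i in {0,1}^l
P_FACTOR, Q_FACTOR = (1 << 89) - 1, (1 << 107) - 1  # toy primes (Mersenne)
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)               # issuer's secret key


def qr(n):
    """Random element of QR_n: the square of a random unit."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            return r * r % n


def is_prime(x):
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return x >= 2


def random_prime_e():
    """Random prime with 2^(l+1) < e < 2^(l+2), coprime to phi(n)."""
    while True:
        e = (1 << (L_MSG + 1)) + secrets.randbelow(1 << (L_MSG + 1))
        if e > (1 << (L_MSG + 1)) and is_prime(e) and gcd(e, PHI) == 1:
            return e


def keygen(k):
    """Issuer public key: modulus n (global) and a_1..a_k, b, d in QR_n."""
    return {"a": [qr(N) for _ in range(k)], "b": qr(N), "d": qr(N)}


def root_e(pk, e, denominator):
    """c = (d / denominator)^(1/e) mod n; the e-th root needs phi(n)."""
    target = pk["d"] * pow(denominator, -1, N) % N
    return pow(target, pow(e, -1, PHI), N)


def sign(pk, msgs):
    """(c, e, s) with d = c^e * prod a_i^m_i * b^s mod n."""
    assert len(msgs) == len(pk["a"]) and all(0 <= m < (1 << L_MSG) for m in msgs)
    e, s = random_prime_e(), secrets.randbits(N.bit_length() + L_MSG)   # s ~ n
    denom = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        denom = denom * pow(a_i, m_i, N) % N
    return root_e(pk, e, denom), e, s


def verify(pk, msgs, sig):
    c, e, s = sig
    if len(msgs) != len(pk["a"]) or e <= (1 << (L_MSG + 1)):
        return False
    if not all(0 <= m < (1 << L_MSG) for m in msgs):
        return False
    lhs = pow(c, e, N) * pow(pk["b"], s, N) % N      # s may be negative after randomize
    for a_i, m_i in zip(pk["a"], msgs):
        lhs = lhs * pow(a_i, m_i, N) % N
    return lhs == pk["d"]


def randomize(pk, sig):
    """(c * b^t, e, s - e*t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbits(N.bit_length())
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def user_commit(pk, sk):
    """User: C = a_1^sk * b^s' mod n, keeps s' (the PK of the opening is omitted here)."""
    s1 = secrets.randbits(N.bit_length() + L_MSG)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issue(pk, C, clear_msgs):
    """Issuer: c = (d / (C * prod_{i>=2} a_i^m_i * b^s''))^(1/e); sk stays hidden."""
    e, s2 = random_prime_e(), secrets.randbits(N.bit_length() + L_MSG)
    denom = C * pow(pk["b"], s2, N) % N
    for a_i, m_i in zip(pk["a"][1:], clear_msgs):
        denom = denom * pow(a_i, m_i, N) % N
    return root_e(pk, e, denom), e, s2


def demo():
    pk = keygen(3)
    msgs = [5, 17, 1000]
    sig = sign(pk, msgs)
    sk, name = 4242, 7
    C, s1 = user_commit(pk, sk)
    c, e, s2 = issue(pk, C, [name, 0])
    cred = (c, e, s1 + s2)                    # full signature on (sk, name, 0)
    return {
        "plain_ok": verify(pk, msgs, sig),
        "randomized_ok": verify(pk, msgs, randomize(pk, sig)),
        "tampered_fails": not verify(pk, [5, 18, 1000], sig),
        "blind_issued_ok": verify(pk, [sk, name, 0], cred),
    }
```

Note that `randomize` changes $c$ and $s$ but not $e$, which is why the proof of knowledge on the next slides treats $e$ as a secret exponent ($\varepsilon$) rather than revealing it.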
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
  – Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
  – A user can voice an opinion only once (subsequent attempts are dropped).
  – Users want to be anonymous.
  – A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
User generates a pseudonym (ID for registration).
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^{e}\, a_1^{sk}\, a_2^{r}\, a_3^{\mathrm{attr}}\, b^{s} \pmod n$
under the issuer's public key $(n, a_1, a_2, a_3, b, d)$. The credential can contain attributes about her (e.g. the course ID).
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID.
2. User transforms (re-randomizes) her credential.
3. User presents the transformed credential with a subset of the attributes.
  – The user is anonymous and unlinkable.
  – Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(\mathrm{pollID})$.
   $P_1 = H(\mathrm{pollID}_1)^{sk}$ and $P_2 = H(\mathrm{pollID}_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and computes the signature proof of knowledge on the opinion
   SPK$\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma) : P = g_d^{\mu_1} \;\wedge\; d = c'^{\varepsilon}\, a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3}\, b^{\sigma} \pmod n \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \;\wedge\; \varepsilon > 2^{\ell+1}\}(\mathrm{opinion})$
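The pseudonym and opinion part of the polling solution as an added example (not from the slides or from Identity Mixer). It realises the domain pseudonym $P = H(\mathrm{pollID})^{sk}$ and the clause SPK$\{(\mu_1) : P = g_d^{\mu_1}\}(\mathrm{opinion})$ as a Fiat-Shamir Schnorr proof bound to the opinion, plus the pollster's duplicate check; the credential clause of the SPK is left out. Assumed toy group: the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2^{89} - 1$ and $q = 2931542417$, a prime factor of $2^{44} + 1$ and hence of $p - 1$ (the code checks the divisibility).

```python
# Added example (not from the slides): domain pseudonyms with a signature proof
# of knowledge of the secret key, and one-opinion-per-pseudonym enforcement.
import hashlib
import secrets

P = (1 << 89) - 1            # toy prime modulus
Q = 2931542417               # assumed prime order of the subgroup, q | p - 1
COFACTOR = (P - 1) // Q
assert (P - 1) % Q == 0


def hash_to_group(label: bytes) -> int:
    """g_d = H(pollID): hash into Z_p^*, then project into the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    g = pow(h, COFACTOR, P)
    assert g != 1
    return g


def domain_pseudonym(sk: int, poll_id: bytes) -> int:
    return pow(hash_to_group(poll_id), sk, P)


def challenge(*parts) -> int:
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
    return int.from_bytes(h.digest(), "big") % Q


def spk_sign(sk: int, poll_id: bytes, opinion: bytes):
    """SPK{(mu): P = g_d^mu}(opinion): Schnorr proof whose challenge covers the opinion."""
    g_d = hash_to_group(poll_id)
    nym = pow(g_d, sk, P)
    t = secrets.randbelow(Q - 1) + 1
    big_t = pow(g_d, t, P)
    c = challenge(poll_id, nym, big_t, opinion)
    s = (t - c * sk) % Q
    return nym, (c, s)


def spk_verify(poll_id: bytes, nym: int, opinion: bytes, proof) -> bool:
    g_d = hash_to_group(poll_id)
    c, s = proof
    big_t = pow(g_d, s, P) * pow(nym, c, P) % P    # g^(t - c sk) * g^(sk c) = g^t
    return c == challenge(poll_id, nym, big_t, opinion)


class Poll:
    """Pollster side: one opinion per domain pseudonym, later ones are dropped."""

    def __init__(self, poll_id: bytes):
        self.poll_id, self.seen, self.opinions = poll_id, set(), []

    def submit(self, nym: int, opinion: bytes, proof) -> bool:
        if nym in self.seen or not spk_verify(self.poll_id, nym, opinion, proof):
            return False
        self.seen.add(nym)
        self.opinions.append(opinion)
        return True


def demo() -> dict:
    alice, bob = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    poll1, poll2 = Poll(b"course-eval-2015"), Poll(b"canteen-survey")
    nym_a, proof_a = spk_sign(alice, poll1.poll_id, b"great course")
    nym_b, proof_b = spk_sign(bob, poll1.poll_id, b"too fast")
    nym_a2, proof_a2 = spk_sign(alice, poll1.poll_id, b"changed my mind")
    return {
        "alice_accepted": poll1.submit(nym_a, b"great course", proof_a),
        "bob_accepted": poll1.submit(nym_b, b"too fast", proof_b),
        "alice_second_dropped": not poll1.submit(nym_a2, b"changed my mind", proof_a2),
        "same_nym_within_poll": nym_a == nym_a2,
        "other_nym_in_other_poll": domain_pseudonym(alice, poll2.poll_id) != nym_a,
        "opinion_cannot_be_swapped": not spk_verify(poll1.poll_id, nym_a, b"awful course", proof_a),
    }
```

Including the opinion in the challenge is what makes this a signature proof of knowledge: a pollster (or a relay) cannot attach Alice's pseudonym proof to a different opinion.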
Further Concepts
Concept – Inspection
(figure: user, verifier and an off-line trusted third party, the inspector; the inspector parameters and the inspection grounds are part of the presentation policy)
  • If the car is damaged, the ID with the insurance or the government needs to be retrieved.
  • Similarly, verifiably encrypt any certified attribute (optional).
  • The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
(figure: key generation, encryption, decryption)
Security: like envelopes – the ciphertext reveals no information about the message, not even which of two candidate messages was encrypted.
This is called semantic security (secure if a key is used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a ciphertext with a changed label counts as a new ciphertext (so it is not decrypted under the original condition).
Verifiable Encryption
Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption.
Of pseudonyms (group elements): Cramer-Shoup (DL), or rarely ElGamal (DL).
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård, works for any scheme but is much less efficient.
Open problem: find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \dots, q\}$. Public key: $y = g^{x}$.
To encrypt a message $m \in \langle g \rangle$:
  – choose random $r \in \{1, \dots, q\}$
  – compute $c = (y^{r} m,\, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
  – we know $c = (y^{r} m,\, g^{r}) = (g^{xr} m,\, g^{r})$
  – thus set $m = c_1 \cdot c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
Setting: the user holds $\mathrm{Nym} = g^{sk} h^{r}$ and a credential with $d = c^{e}\, a_1^{sk}\, a_2^{r}\, a_3^{\mathrm{name}}\, b^{s'' + s'} \pmod n$; the issuer stores (Nym, name); the inspector's public key is $y = g^{x}$.
Encrypt Nym: choose random $u \in \{1, \dots, q\}$ and compute $\mathrm{enc} = (y^{u}\, \mathrm{Nym},\, g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
  – compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
  – compute the proof
    PK$\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho) : d = c'^{\varepsilon}\, a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3}\, b^{\sigma} \;\wedge\; e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \;\wedge\; e_2 = g^{\rho} \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \;\wedge\; \varepsilon > 2^{\ell+1}\}$
  The shared $\mu_1, \mu_2$ tie the ciphertext to the credential: what the inspector recovers as $e_1 e_2^{-x}$ is exactly the Nym the issuer has on file.
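A small generic prover/verifier for the PK$\{(x_1, \dots, x_m) : Y_1 = \prod g^{x_j} \wedge Y_2 = \dots\}$ notation used throughout the deck, as an added example (not from the slides or from Identity Mixer): every equation is a product of known bases raised to secret exponents shared across equations, and the proof is the Fiat-Shamir form of the Schnorr protocol. It serves two earlier passages: the commitment relation PK$\{(\alpha, \beta, \gamma) : C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$ from the extended-features slide, and the inspection token's clauses $e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho}$ above, after which the inspector decrypts to Nym. The CL-signature clause is not included. Assumed toy group: the order-$q$ subgroup of $\mathbb{Z}_p^*$, $p = 2^{89} - 1$, $q = 2931542417$ (a prime factor of $2^{44} + 1$, hence of $p - 1$); the two generators $G$ and $H$ are derived from small constants so that nobody knows $\log_G H$. Python 3.8+.

```python
# Added example (not from the slides): generic multi-equation Schnorr proofs,
# used for a Pedersen relation proof and for a verifiable ElGamal encryption.
import hashlib
import secrets

P = (1 << 89) - 1
Q = 2931542417                  # assumed prime, q | p - 1 (checked below)
assert (P - 1) % Q == 0
G = pow(3, (P - 1) // Q, P)     # generator of the order-q subgroup
H = pow(7, (P - 1) // Q, P)     # second generator, log_G H unknown to everyone
assert G != 1 and H != 1

# A statement is a list of equations (Y, [(base, j), ...]) meaning Y = prod base^x[j].


def _challenge(statement, commitments):
    h = hashlib.sha256()
    for (y, terms), t in zip(statement, commitments):
        h.update(repr((y, [b for b, _ in terms], t)).encode())
    return int.from_bytes(h.digest(), "big") % Q


def pk_prove(statement, witness):
    """Prover: random t_j, T_i = prod base^t_j, c = H(statement, T), s_j = t_j - c*x_j."""
    t = [secrets.randbelow(Q) for _ in witness]
    big_t = []
    for _, terms in statement:
        acc = 1
        for base, j in terms:
            acc = acc * pow(base, t[j], P) % P
        big_t.append(acc)
    c = _challenge(statement, big_t)
    return c, [(tj - c * xj) % Q for tj, xj in zip(t, witness)]


def pk_verify(statement, proof):
    """Verifier: recompute T_i = Y_i^c * prod base^s_j and compare challenges."""
    c, s = proof
    big_t = []
    for y, terms in statement:
        acc = pow(y, c, P)
        for base, j in terms:
            acc = acc * pow(base, s[j], P) % P
        big_t.append(acc)
    return c == _challenge(statement, big_t)


def pedersen(x, r):
    return pow(G, x, P) * pow(H, r, P) % P


def relation_demo():
    """PK{(alpha,beta,gamma): C1 = g^beta h^alpha ^ C2 = (g^2)^beta h^gamma}:
    C2 hides twice the value in C1. Returns (honest proof ok, wrong C2 rejected)."""
    m, r1, r2 = 21, secrets.randbelow(Q), secrets.randbelow(Q)
    c1, c2 = pedersen(m, r1), pedersen(2 * m, r2)
    g2 = pow(G, 2, P)
    stmt = [(c1, [(G, 1), (H, 0)]), (c2, [(g2, 1), (H, 2)])]   # witness = (r1, m, r2)
    good = pk_verify(stmt, pk_prove(stmt, [r1, m, r2]))
    c2_bad = pedersen(2 * m + 1, r2)                 # not 2*m: no witness exists
    stmt_bad = [(c1, [(G, 1), (H, 0)]), (c2_bad, [(g2, 1), (H, 2)])]
    bad = pk_verify(stmt_bad, pk_prove(stmt_bad, [r1, m, r2]))
    return good, bad


def inspection_demo():
    """User: Nym = g^sk h^r, enc = (y^u Nym, g^u) and
    PK{(rho,mu1,mu2): e1 = y^rho g^mu1 h^mu2 ^ e2 = g^rho}; inspector: Nym = e1 e2^-x."""
    x = secrets.randbelow(Q - 1) + 1                 # inspector's secret key
    y = pow(G, x, P)
    sk, r = secrets.randbelow(Q), secrets.randbelow(Q)
    nym = pedersen(sk, r)
    u = secrets.randbelow(Q)
    e1, e2 = pow(y, u, P) * nym % P, pow(G, u, P)    # ElGamal encryption of Nym
    stmt = [(e1, [(y, 0), (G, 1), (H, 2)]), (e2, [(G, 0)])]   # witness = (u, sk, r)
    proof = pk_prove(stmt, [u, sk, r])
    recovered = e1 * pow(e2, -x, P) % P              # inverse power: e2^(-x)
    return pk_verify(stmt, proof), recovered == nym
```

In a full presentation token the indices for $\mu_1$ and $\mu_2$ would also appear in the CL equation $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} \cdots$, which is exactly how shared witness indices express "the encrypted Nym belongs to the credential being shown".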
Revocation of credentials
Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user, …
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work: the verifier never sees a fixed identifier it could look up.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e}\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is on the list:
  – choose a random $g$
  – compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \dots, u_k)$
  – prove PK$\{(\varepsilon, \mu, \rho, \sigma) : (d = c'^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \;\wedge\; U_1 = g^{\mu}) \;\vee\; \dots \;\vee\; (d = c'^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \;\wedge\; U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e}\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is not on the list:
  – choose a random $h$ and compute $U = h^{u_i}$
  – prove PK$\{(\varepsilon, \mu, \rho, \sigma) : d = c'^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \;\wedge\; U = h^{\mu}\}$
  – verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list (if so, the credential is revoked)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable: every old pair $(h, U)$ can be tested against the now-known $u_i$.
Revocable Credentials: Second Solution (variation)
Variation: the verifier could choose $h$ and keep it fixed for a while.
  – Can pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
  – BUT if the user comes again, the verifier can link her visits; ALSO the verifier could decide not to change $h$ at all, or use the same $h$ as other verifiers.
  – One way out: $h = H(\mathrm{verifier}, \mathrm{date})$, so the user can check its correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof
The issuer signs the intervals between revoked IDs: for the revocation list $\{1, 4, 5\}$ it publishes $\mathrm{Sig}(0, 1)$, $\mathrm{Sig}(1, 4)$, $\mathrm{Sig}(4, 5)$, $\mathrm{Sig}(5, N)$.
To show that her credential ID (e.g. 3) is not revoked, the user proves that she holds a $\mathrm{Sig}(i, j)$ with $i <$ ID $< j$; the verifier does not learn $i$, $j$.
$\mathrm{Sig}(i, j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
(figure: an accumulator containing the serial numbers 1, 2, 3, 4, 5, 6; a credential with serial number 2 and its witness)
  – Credentials contain a random serial number.
  – The issuer accumulates all good serial numbers.
  – The proof that a serial number is included in the accumulator requires a witness.
  – To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
  – values are primes $e_i$
  – accumulator value $z = v^{\prod e_i} \bmod n$
  – publish $z$ and $n$
  – witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$; it can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
  – provide $x$ for $e$
  – verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show an $x$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
  – For fixed $e$: equivalent to the RSA assumption.
  – For any $e$ (chosen by the adversary): equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need
  – an efficient protocol to prove that a committed value is contained in the accumulator
  – a dynamic accumulator, i.e. the ability to remove and add values as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
  – commit to $x$:
    • choose random $s$ and $g$, and
    • compute $U_1 = x\, h^{s}$, $U_2 = g^{s}$, and reveal $U_1$, $U_2$, $g$
  – run the proof protocol with the verifier:
    PK$\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta) : d = c'^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \;\wedge\; z = U_1^{\mu} (1/h)^{\xi} \pmod n \;\wedge\; 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \;\wedge\; U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
  – No information about $x$ and $e$ is revealed:
    • $(U_1, U_2)$ is a secure commitment to $x$
    • the proof protocol is zero-knowledge
  – The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
    a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
    b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
    c) $d = c'^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n$, i.e. the same $\mu$ is the $e$ signed in the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
  – recall $z = v^{\prod e_i} \bmod n$
  – thus $z' = z^{e_{new}} \bmod n$
  – but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
  – now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
  – witness update for a user holding $e_{own}$:
    • use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
    • now $x' = x^{b}\, z'^{a} \bmod n$
    • why? $x'^{e_{own}} = \left((x^{b} z'^{a})^{e_{own}}\right)^{e_{rev} \cdot 1/e_{rev}} = \left((x^{b} z'^{a})^{e_{own} e_{rev}}\right)^{1/e_{rev}} = \left((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\right)^{1/e_{rev}} = \left(z^{b\, e_{rev}} z^{a\, e_{own}}\right)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
  – recall $z = v^{\prod e_i} \bmod n$
  – actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and hand out the witness $x = z^{1/e_{new}} \bmod n$
  – thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
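The accumulator equations of the third solution, run end to end as an added example (not from the slides or from Identity Mixer): accumulating prime serial numbers, witnesses, the basic join that invalidates every witness, a revocation with the trapdoor-free witness update $x' = x^{b} z'^{a}$, and the improved join that leaves $z$ untouched. Assumed toy modulus: the product of two Mersenne primes (trivially factorable); serial numbers are primes in $(2^{17}, 2^{18})$ with $\gcd(e, \varphi(n)) = 1$. Python 3.8+.

```python
# Added example (not from the slides): a dynamic RSA accumulator on a toy modulus.
import secrets
from math import gcd

P_FACTOR, Q_FACTOR = (1 << 89) - 1, (1 << 107) - 1
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)        # issuer's trapdoor


def is_prime(x):
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return x >= 2


def fresh_serial(taken):
    """Random unused prime e in (2^17, 2^18) with gcd(e, phi(n)) = 1."""
    while True:
        e = (1 << 17) + secrets.randbelow(1 << 17)
        if is_prime(e) and gcd(e, PHI) == 1 and e not in taken:
            return e


def ext_gcd(a, b):
    """(g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


class Issuer:
    def __init__(self):
        self.v = pow(secrets.randbelow(N - 2) + 2, 2, N)   # seed v in QR_n
        self.z = self.v                                    # z = v^(empty product)
        self.members = []

    def add(self, e):
        """Basic join: z' = z^e; every existing witness must be raised to e too."""
        self.members.append(e)
        self.z = pow(self.z, e, N)

    def add_keeping_z(self, e):
        """Improved join: v' = v^(1/e), witness x = z^(1/e); z stays the same."""
        inv = pow(e, -1, PHI)
        self.v = pow(self.v, inv, N)
        self.members.append(e)
        return pow(self.z, inv, N)

    def witness(self, e):
        """x = v^(product of all other members), so that x^e = z."""
        exp = 1
        for m in self.members:
            if m != e:
                exp *= m
        return pow(self.v, exp, N)

    def revoke(self, e):
        """z' = z^(1/e_rev): divides e_rev out of the accumulated exponent."""
        self.members.remove(e)
        self.z = pow(self.z, pow(e, -1, PHI), N)


def is_member(z, e, x):
    return pow(x, e, N) == z


def witness_after_join(x, e_new):
    return pow(x, e_new, N)


def witness_after_revoke(x, e_own, e_rev, z_new):
    """x' = x^b * z'^a with a*e_own + b*e_rev = 1, so x'^e_own = z^b z'^(a e_own) = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1
    return pow(x, b, N) * pow(z_new, a, N) % N


def demo():
    iss = Issuer()
    e_alice = fresh_serial(set())
    e_bob = fresh_serial({e_alice})
    iss.add(e_alice)
    iss.add(e_bob)
    x_alice, x_bob = iss.witness(e_alice), iss.witness(e_bob)
    out = {"alice_member": is_member(iss.z, e_alice, x_alice)}
    e_carol = fresh_serial({e_alice, e_bob})        # Carol joins the basic way
    iss.add(e_carol)
    out["alice_stale_after_join"] = not is_member(iss.z, e_alice, x_alice)
    x_alice = witness_after_join(x_alice, e_carol)
    out["alice_updated_after_join"] = is_member(iss.z, e_alice, x_alice)
    iss.revoke(e_bob)                                # Bob is revoked
    x_alice = witness_after_revoke(x_alice, e_alice, e_bob, iss.z)
    out["alice_after_revoke"] = is_member(iss.z, e_alice, x_alice)
    out["bob_rejected"] = not is_member(iss.z, e_bob, x_bob)
    z_before = iss.z                                 # Dave joins the improved way
    e_dave = fresh_serial({e_alice, e_bob, e_carol})
    x_dave = iss.add_keeping_z(e_dave)
    out["z_unchanged"] = iss.z == z_before
    out["alice_still_valid"] = is_member(iss.z, e_alice, x_alice)
    out["dave_member"] = is_member(iss.z, e_dave, x_dave)
    return out
```

The witness update after a revocation uses only public data ($z'$, $e_{rev}$) and the user's own $e_{own}$, which is what lets users refresh their witnesses from the published revocation information without contacting the issuer.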
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
  – no additional effort for the verifier
  – if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution – Re-issue certificates
(off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2}\, b^{s'}$; the issuer chooses $e$, $s''$, computes
  $c = \left(\frac{d}{U\, a_3^{m_3}\, a_4^{\mathrm{time}}\, b^{s''}}\right)^{1/e} \bmod n$
and returns $(c, e, s'')$.
Idea: just repeat the last step for each new time $\mathrm{time}_i$: choose $e_i$, $s_i''$ and compute
  $c_i = \left(\frac{d}{U\, a_3^{m_3}\, a_4^{\mathrm{time}_i}\, b^{s_i''}}\right)^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
  – www.abc4trust.eu
  – www.futureID.eu
  – www.au2eu.eu
  – www.PrimeLife.eu
  – www.zurich.ibm.com/idemix
  – idemixdemo.zurich.ibm.com
Code:
  – github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. EUROCRYPT '87, LNCS vol. 304, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. EUROCRYPT '97, LNCS vol. 1233, pp. 318–333, Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. CRYPTO '84.
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does
  PK$\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3}\}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
  $C_3 = g^{\alpha_1} g^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + \alpha_2} h^{\beta_3} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + \alpha_2 \pmod q$: the value committed in $C_3$ is the sum of the values in $C_1$ and $C_2$.
And what about
  PK$\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3) : C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3}\}$?
→ $C_3 = g^{\alpha_1} (g^{5})^{\alpha_2} h^{\beta_3} = g^{\alpha_1 + 5\alpha_2} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 + 5\alpha_2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements.
Now what does
  PK$\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma) : C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_3 = g^{\alpha_3} h^{\beta_3} \;\wedge\; C_3 = C_2^{\alpha_1} h^{\gamma}\}$
mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \gamma$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
  $C_3 = C_2^{\alpha_1} h^{\gamma} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\gamma} = g^{\alpha_2 \cdot \alpha_1} h^{\gamma + \beta_2 \cdot \alpha_1}$
  $C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\gamma + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$ (and $\beta_3 = \gamma + \beta_2 \alpha_1$): the value in $C_3$ is the product of the values in $C_1$ and $C_2$.
And what about PK$\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma) : C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; C_2 = C_1^{\alpha_1} h^{\gamma}\}$?
→ $\alpha_2 = \alpha_1^{2} \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2$ be group elements.
Now what does PK$\{(\alpha_1, \beta_1, \alpha_2, \beta_2, \gamma) : C_1 = g^{\alpha_1} h^{\beta_1} \;\wedge\; C_2 = g^{\alpha_2} h^{\beta_2} \;\wedge\; g = (C_2 / C_1)^{\alpha_1} h^{\gamma}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \gamma$ such that $C_1 = g^{\alpha_1} h^{\beta_1}$ and
  $g = (C_2 / C_1)^{\alpha_1} h^{\gamma} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\gamma}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\gamma/\alpha_1}$
→ $C_2 = g^{\alpha_1} h^{\beta_1} h^{-\gamma/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \gamma/\alpha_1}$
Comparing with $C_2 = g^{\alpha_2} h^{\beta_2}$:
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
(figure: Alice's building blocks – signature scheme, commitment scheme, zero-knowledge proofs)

Signature schemes
Signature Scheme: Functionality
(figure: key generation – the signer creates a signing key and a public verification key)
Signing: $\sigma = \mathrm{sig}((m_1, \dots, m_k), \text{signing key})$
Verification: $\mathrm{ver}(\sigma, (m_1, \dots, m_k), \text{verification key}) = \mathrm{true}$
Signature Scheme: Security – Unforgeability under Adaptive Chosen Message Attack
(figure: the adversary adaptively obtains signatures $\sigma_1, \dots, \sigma_l$ on messages $m_1, \dots, m_l$ of its choice)
The adversary wins if it outputs $\sigma$ and $m \neq m_i$ (for all $i$) s.t. $\mathrm{ver}(\sigma, m, \text{verification key}) = \mathrm{true}$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H : \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$.
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$.
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
– Can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or could use the same $h$ as other verifiers
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
Revocable Credentials: Second Solution
… better implementation of the proof
The issuer signs the intervals between revoked values; for the revocation list $\{1, 4, 5\}$ it publishes $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$.
[Figure: Alice's credential contains the value 3, which lies in the signed interval $Sig(1,4)$]
Alice proves that her credential contains a value $u$ with $i < u < j$ and that she knows $Sig(i,j)$; the verifier does not learn $i, j$.
$Sig(i,j)$ can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the issuer accumulates all good serial numbers (1, …, 6); credentials contain a random serial number (here 2); Alice proves that her serial number is included in the accumulator, which requires a witness]
[Figure: to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials]
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show $x, e$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets the witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x h^{s}$, $U_2 = g^{s}$, and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; z = U_1^{\mu} (1/h)^{\xi} \pmod n \;\wedge\; 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \;\wedge\; U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \;\Rightarrow\; \xi = \delta\mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta\mu} = (U_1 h^{-\delta})^{\mu} \pmod n$
c) $d = c'^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
• Use extended Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• Now $x' = x^{b} z'^{a} \bmod n$
• Why: $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}}\big)^{1/e_{rev}} = \big(z^{b e_{rev}} z^{a e_{own}}\big)^{1/e_{rev}} = z^{1/e_{rev}} = z'$ :-)
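The accumulator operations on the preceding slides, as an added, runnable example (this is not code from the slides or from Identity Mixer). It implements the RSA accumulator, the witness computation, the join update $z' = z^{e_{new}}$, $x' = x^{e_{new}}$, and the holder-side witness update after a revocation via the extended-Euclid coefficients $a e_{own} + b e_{rev} = 1$, $x' = x^b z'^a$. The modulus factors, the seed and the member primes are constructed toy values; the issuer side recomputes $z'$ from $v$ and the remaining primes, which is one of the two ways the slides allow (the other being the factorization trapdoor).

```python
# Added example (not from the slides): a toy RSA dynamic accumulator with the
# witness-update rule from the slides.  The modulus, seed and member primes
# are constructed toy values, far too small for real use; what matters here
# are the algebraic relations between z, the witnesses and the member primes.
from functools import reduce

P, Q = 104729, 104723          # constructed toy RSA factors (issuer's trapdoor)
N = P * Q                      # public accumulator modulus
V = 4                          # public seed, a square so it lies in QR_n


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def accumulate(members, n=N, v=V):
    """z = v^(prod e_i) mod n over all member primes e_i."""
    exp = reduce(lambda acc, e: acc * e, members, 1)
    return pow(v, exp, n)


def witness(members, e, n=N, v=V):
    """x = v^(product of all other members) mod n, so that x^e = z."""
    exp = reduce(lambda acc, ei: acc * ei, (ei for ei in members if ei != e), 1)
    return pow(v, exp, n)


def verify(z, x, e, n=N):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, n) == z


def add_member(z, witnesses, e_new, n=N):
    """Join: z' = z^e_new, and every existing witness becomes x' = x^e_new."""
    z_new = pow(z, e_new, n)
    return z_new, {e: pow(x, e_new, n) for e, x in witnesses.items()}


def update_witness_after_revocation(x, e_own, z_new, e_rev, n=N):
    """Holder-side update from the slides: find a, b with a*e_own + b*e_rev = 1
    and set x' = x^b * z'^a mod n.  b may be negative, so pow() falls back to
    the modular inverse (Python 3.8+)."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "member primes must be distinct"
    return (pow(x, b, n) * pow(z_new, a, n)) % n


def demo():
    """Join, prove, revoke; returns the outcome of each check as a boolean."""
    members = [1009, 1013, 1019]                 # constructed member primes e_i
    z = accumulate(members)
    wit = {e: witness(members, e) for e in members}
    ok_members = all(verify(z, wit[e], e) for e in members)
    wrong = verify(z, wit[1009], 1013)           # witness for 1009 says nothing about 1013
    # a new member 1021 joins: accumulator and all witnesses change
    z, wit = add_member(z, wit, 1021)
    members.append(1021)
    wit[1021] = witness(members, 1021)
    ok_after_join = all(verify(z, wit[e], e) for e in members)
    # 1013 is revoked: issuer publishes z' = v^(prod of remaining e_i) = z^(1/e_rev)
    e_rev = 1013
    members.remove(e_rev)
    z_new = accumulate(members)
    new_wit = {e: update_witness_after_revocation(wit[e], e, z_new, e_rev) for e in members}
    ok_after_revoke = all(verify(z_new, new_wit[e], e) for e in members)
    revoked_still_valid = verify(z_new, wit[e_rev], e_rev)   # old witness no longer verifies
    return ok_members, wrong, ok_after_join, ok_after_revoke, revoked_still_valid


if __name__ == "__main__":
    print(demo())
```

Note that the revoked holder cannot run the update: the extended-Euclid step needs $e_{own} \neq e_{rev}$, and with $e_{own} = e_{rev}$ there are no coefficients $a, b$ with $a e_{rev} + b e_{rev} = 1$.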
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier
– If the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive). Recall issuing for Identity Mixer:
– The user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– The issuer chooses $e, s''$, computes $c = \big(d / (U a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$

Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$: choose $e_i, s_i''$ and compute $c_i = \big(d / (U a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS. Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
– Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Vol. 16, No. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. Now what does
$PK\{(\alpha_1, \ldots, \beta_3'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_3 = g^{\alpha_3} h^{\beta_3} \wedge C_3 = C_2^{\alpha_1} h^{\beta_3'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \alpha_2, \beta_2, \beta_3'$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$, $C_2 = g^{\alpha_2} h^{\beta_2}$ and
$C_3 = C_2^{\alpha_1} h^{\beta_3'} = (g^{\alpha_2} h^{\beta_2})^{\alpha_1} h^{\beta_3'} = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1}$
$C_3 = g^{\alpha_2 \cdot \alpha_1} h^{\beta_3' + \beta_2 \cdot \alpha_1} = g^{\alpha_3} h^{\beta_3}$
→ $\alpha_3 = \alpha_1 \cdot \alpha_2 \pmod q$
And what about $PK\{(\alpha_1, \beta_1, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge C_2 = C_1^{\alpha_1} h^{\beta_2'}\}$?
→ $\alpha_2 = \alpha_1^2 \pmod q$
Some Example Proofs and Their Analysis
Let $g, h, C_1, C_2, C_3$ be group elements. Now what does
$PK\{(\alpha_1, \beta_1, \beta_2'): C_1 = g^{\alpha_1} h^{\beta_1} \wedge C_2 = g^{\alpha_2} h^{\beta_2} \wedge g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'}\}$ mean?
→ The prover knows values $\alpha_1, \beta_1, \beta_2'$ such that
$C_1 = g^{\alpha_1} h^{\beta_1}$
$g = (C_2 / C_1)^{\alpha_1} h^{\beta_2'} = (C_2\, g^{-\alpha_1} h^{-\beta_1})^{\alpha_1} h^{\beta_2'}$
→ $g^{1/\alpha_1} = C_2\, g^{-\alpha_1} h^{-\beta_1} h^{\beta_2'/\alpha_1}$
$C_2 = g^{\alpha_1} h^{\beta_1} h^{-\beta_2'/\alpha_1} g^{1/\alpha_1} = g^{\alpha_1 + 1/\alpha_1} h^{\beta_1 - \beta_2'/\alpha_1}$
$C_2 = g^{\alpha_2} h^{\beta_2}$
→ $\alpha_2 = \alpha_1 + \alpha_1^{-1} \pmod q$
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice and the building blocks: signature scheme, commitment scheme, zero-knowledge proofs]
Signature Schemes

Signature Scheme: Functionality
– Key generation: the signer generates a key pair
– Signing: $\sigma = sig((m_1, \ldots, m_k), \text{signing key})$
– Verification: $ver(\sigma, (m_1, \ldots, m_k), \text{verification key}) = true$

Signature Scheme: Security
Unforgeability under Adaptive Chosen Message Attack: the adversary obtains signatures $(m_1, \sigma_1), \ldots, (m_l, \sigma_l)$ on messages of its choice and must not be able to output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m, \text{verification key}) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$.
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$.

RSA Signature Scheme – for reference
Verification of a signature on a message $m \in \{0,1\}^*$: $s^{e} = H(m) \pmod n$.
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^{e} = H(m) \pmod n\}$?
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute $c = \big(d / (a_1^{m_1} \cdots a_k^{m_k} b^{s})\big)^{1/e} \bmod n$. The signature is $(c, e, s)$.
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$ and $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$.
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e., $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$.
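The CL-signature operations of the last three slides, as an added, runnable example (it is not code from the slides or from the Identity Mixer library): signing a block of messages, verification with the range checks, the re-randomization $(c', e, s - et)$ that makes a shown signature unlinkable to the issued one, and issuing on a committed (hidden) message $C = a_1^{sk} b^{s'}$ as used later for credential issuance. The modulus factors, bases and message values are constructed toy values, and the holder's proof of knowledge of the commitment opening is left out; only the signature arithmetic is shown.

```python
# Added example (not from the slides or Identity Mixer): a toy CL-style
# signature over an RSA modulus.  All parameters below are constructed toy
# values; a real deployment uses a 2048-bit modulus and messages of ~256 bits.
import random

P, Q = 104729, 104723            # constructed toy factors: the signer's secret key
N = P * Q
PHI = (P - 1) * (Q - 1)
ELL = 16                         # message length bound: m_i in {0,1}^ELL
# public bases a_1, a_2, b, d in QR_n (squares of fixed constructed values)
A = [pow(3, 2, N), pow(5, 2, N)]
B = pow(7, 2, N)
D = pow(11, 2, N)
rng = random.Random(1)           # deterministic randomness for the demo


def is_prime(x):
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def pick_e():
    """Random prime e with 2^(ELL+1) < e < 2^(ELL+2) and gcd(e, phi(n)) = 1."""
    while True:
        e = rng.randrange(2 ** (ELL + 1) + 1, 2 ** (ELL + 2))
        if is_prime(e) and PHI % e != 0:
            return e


def base_product(msgs, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (s may be negative after re-randomizing)."""
    acc = pow(B, s, N)
    for a, m in zip(A, msgs):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(msgs):
    """Signer: c = (d / (prod a_i^m_i * b^s))^(1/e) mod n; outputs (c, e, s)."""
    e = pick_e()
    s = rng.randrange(N, 2 * N)                 # s roughly the size of n
    inv_e = pow(e, -1, PHI)                     # the e-th root needs the factorization
    c = pow(D * pow(base_product(msgs, s), -1, N) % N, inv_e, N)
    return c, e, s


def verify(sig, msgs):
    """Verifier: range checks, then d == c^e * prod a_i^m_i * b^s mod n."""
    c, e, s = sig
    if any(not (0 <= m < 2 ** ELL) for m in msgs) or e <= 2 ** (ELL + 1):
        return False
    return pow(c, e, N) * base_product(msgs, s) % N == D


def randomize(sig):
    """Holder: (c', e, s - e*t) with c' = c*b^t is another signature on the same messages."""
    c, e, s = sig
    t = rng.randrange(1, N)
    return c * pow(B, t, N) % N, e, s - e * t


def commit_hidden(sk):
    """Holder hides sk from the issuer as C = a_1^sk * b^s' (the issuer would also
    demand PK{(mu, sigma): C = a_1^mu b^sigma}, omitted in this toy)."""
    s1 = rng.randrange(N, 2 * N)
    return pow(A[0], sk, N) * pow(B, s1, N) % N, s1


def issue_on_commitment(C, clear_msg):
    """Issuer: c = (d / (C * a_2^clear_msg * b^s''))^(1/e); returns (c, e, s'')."""
    e = pick_e()
    s2 = rng.randrange(N, 2 * N)
    inv_e = pow(e, -1, PHI)
    denom = C * pow(A[1], clear_msg, N) % N * pow(B, s2, N) % N
    return pow(D * pow(denom, -1, N) % N, inv_e, N), e, s2


def demo():
    msgs = [1234, 40000]                        # constructed attributes
    sig = sign(msgs)
    sig2 = randomize(sig)
    sk, name = 31337, 4242                      # constructed hidden key and clear attribute
    C, s1 = commit_hidden(sk)
    c, e, s2 = issue_on_commitment(C, name)
    hidden_sig = (c, e, s1 + s2)                # holder combines s = s' + s''
    return (verify(sig, msgs), verify(sig2, msgs), sig2[0] != sig[0],
            verify(sig, [1234, 40001]), verify(hidden_sig, [sk, name]))


if __name__ == "__main__":
    print(demo())
```

The re-randomized tuple verifies because $c'^{e} b^{s - et} = c^{e} b^{et} b^{s - et} = c^{e} b^{s}$; the issued-on-commitment tuple verifies because $C\, b^{s''} = a_1^{sk} b^{s' + s''}$, so the issuer never sees $sk$ yet produces an ordinary signature on $(sk, name)$.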
Privacy-protecting authentication with Privacy ABCs
[Figure: Alice and the building blocks: signature scheme, commitment scheme, zero-knowledge proofs]

Commitment Scheme

Commitment Scheme: Functionality
[Figure: Alice commits to a message $m$ (sealed envelope) and can later open the commitment to reveal $m$]

Commitment Scheme: Security
– Binding: [Figure: a commitment to $m$ cannot be opened to a different message $m'$]
– Hiding: for all messages $m, m'$ [Figure: commitments to $m$ and to $m'$ cannot be distinguished]
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur') + u(r - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$. I.e., given $c$ and $x'$ there exists $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$.
Commitment Scheme: Extended Features
– Proof of knowledge of contents: [Figure: Alice proves that she knows the $m$ inside the commitment; the verifier outputs true]
– Proof of relations among contents: [Figure: Alice proves that the committed values satisfy $m' = 2 \cdot m$; the verifier outputs true]
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^{2})^{\beta} h^{\gamma}\}$
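The Pedersen commitment and the two proofs on the last slides, as an added, runnable example (not code from the slides): commit and open, the perfect-hiding argument executed with a known trapdoor $u = \log_g h$, a Schnorr-style proof of knowledge of the opening $PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$, and the relation proof $PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$, both made non-interactive with the Fiat-Shamir heuristic. The group (safe prime $p = 2039$, $q = 1019$), the trapdoor and the message values are constructed toy values; in a real setup nobody knows $\log_g h$ and $q$ is about 256 bits.

```python
# Added example (not from the slides): Pedersen commitments in a prime-order
# subgroup with the proof of knowledge of the contents and the "m' = 2m"
# relation proof, non-interactive via Fiat-Shamir.  Toy parameters throughout.
import hashlib
import random

Pm, q = 2039, 1019               # toy safe prime p = 2q + 1 and subgroup order q
g = 4                            # 2^2 generates the order-q subgroup of squares
U = 57                           # constructed trapdoor log_g h, unknown in a real setup
h = pow(g, U, Pm)                # second generator
rng = random.Random(7)           # deterministic randomness for the demo


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r mod p; returns (c, r)."""
    r = rng.randrange(q) if r is None else r
    return pow(g, x, Pm) * pow(h, r, Pm) % Pm, r


def open_ok(c, x, r):
    """Verifier's check of an opening (x, r)."""
    return c == pow(g, x, Pm) * pow(h, r, Pm) % Pm


def equivocate(x, r, x_new, u=U):
    """Perfect hiding, as argued on the slide: with u = log_g h one finds r' with
    g^x h^r = g^x_new h^r', namely r' = r + (x - x_new)/u mod q."""
    return (r + (x - x_new) * pow(u, -1, q)) % q


def challenge(*elems):
    """Fiat-Shamir challenge in {1, ..., q-1} over the public values."""
    data = b"|".join(str(v).encode() for v in elems)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)


def prove_opening(c, x, r):
    """PK{(alpha, beta): c = g^beta h^alpha}: Schnorr-style proof of (x, r)."""
    kb, ka = rng.randrange(q), rng.randrange(q)
    t = pow(g, kb, Pm) * pow(h, ka, Pm) % Pm
    e = challenge(g, h, c, t)
    return t, (kb + e * x) % q, (ka + e * r) % q


def verify_opening(c, proof):
    t, sb, sa = proof
    e = challenge(g, h, c, t)
    return pow(g, sb, Pm) * pow(h, sa, Pm) % Pm == t * pow(c, e, Pm) % Pm


def prove_double(c1, c2, m, r1, r2):
    """PK{(alpha, beta, gamma): c1 = g^beta h^alpha AND c2 = (g^2)^beta h^gamma}.
    One shared response for beta in both equations is what proves m' = 2*m."""
    kb, ka, kg = rng.randrange(q), rng.randrange(q), rng.randrange(q)
    g2 = pow(g, 2, Pm)
    t1 = pow(g, kb, Pm) * pow(h, ka, Pm) % Pm
    t2 = pow(g2, kb, Pm) * pow(h, kg, Pm) % Pm
    e = challenge(g, h, c1, c2, t1, t2)
    return t1, t2, (kb + e * m) % q, (ka + e * r1) % q, (kg + e * r2) % q


def verify_double(c1, c2, proof):
    t1, t2, sb, sa, sg = proof
    g2 = pow(g, 2, Pm)
    e = challenge(g, h, c1, c2, t1, t2)
    return (pow(g, sb, Pm) * pow(h, sa, Pm) % Pm == t1 * pow(c1, e, Pm) % Pm and
            pow(g2, sb, Pm) * pow(h, sg, Pm) % Pm == t2 * pow(c2, e, Pm) % Pm)


def demo():
    m = 123
    c1, r1 = commit(m)
    c2, r2 = commit(2 * m)
    c3, r3 = commit(2 * m + 1)                  # does NOT contain 2*m
    return (open_ok(c1, m, r1),
            open_ok(c1, 999, equivocate(m, r1, 999)),   # same c opens to 999 with the trapdoor
            verify_opening(c1, prove_opening(c1, m, r1)),
            verify_double(c1, c2, prove_double(c1, c2, m, r1, r2)),
            verify_double(c1, c3, prove_double(c1, c3, m, r1, r3)))


if __name__ == "__main__":
    print(demo())
```

The last check fails because the shared response $s_\beta$ forces the exponent of $g$ in $C_2$ to be exactly twice the one in $C_1$; a prover holding a commitment to $2m + 1$ cannot satisfy both verification equations for a non-zero challenge.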
Putting things together

Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
[Figure: issuing a credential to Alice with the attributes Name = Alice Doe, Birth date = April 3, 1997]

Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead → $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the signer receives commitments to $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and outputs $\sigma = sig((\text{commitments to } m_1, \ldots, m_j, m_{j+1}, \ldots, m_k), \text{signing key})$; still $ver(\sigma, (m_1, \ldots, m_k), \text{verification key}) = true$]
Verification remains unchanged. The security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$.
– The user computes $C = a_1^{sk} b^{s'}$ and sends $C$ and her name to the issuer, together with $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$
– The issuer chooses $e, s''$, computes $c = \big(d / (C a_2^{name} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$
– Result: $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$

Realizing Issuance of Credential
Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
– The user computes $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$ and her name, together with $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
– The issuer stores $(Nym, name)$, computes $c = \big(d / (C a_3^{name} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$
– Result: $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable

Polling – Solution: Registration
– The user generates a pseudonym (ID for registration)
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
– The credential can contain attributes (e.g., course ID) about her
– Issuer's public key: $(n, a_1, a_2, b, d)$
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID
2. The user transforms the credential
3. Transformed credential with a subset of the attributes
– The user is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(\text{opinion})$
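The domain pseudonym of step 1, as an added, runnable example (not code from the slides): $g_d = H(pollID)$ is obtained by hashing the poll identifier into the prime-order subgroup, $P = g_d^{sk}$ is computed, the pollster keeps one opinion per $P$, and the same $sk$ yields different values in different polls. The $SPK$ that ties $P$ to the credential is not part of this block. The toy safe prime is generated at import, and the secret keys and poll identifiers are constructed values.

```python
# Added example (not from the slides): domain pseudonyms P = H(pollID)^sk in a
# toy prime-order group, with one-opinion-per-poll detection on the pollster
# side.  The toy safe prime, the secret keys and the poll IDs are constructed.
import hashlib


def _is_prime(x):
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def _safe_prime(start):
    """Smallest safe prime p = 2q+1 >= start (toy size, trial division only)."""
    qq = start // 2
    while not (_is_prime(qq) and _is_prime(2 * qq + 1)):
        qq += 1
    return 2 * qq + 1


Pm = _safe_prime(1 << 20)     # toy modulus; real systems use ~2048-bit p or an EC group
q = (Pm - 1) // 2             # prime order of the subgroup of quadratic residues


def hash_to_group(domain):
    """g_d = H(domain): hash the poll ID to an integer mod p and square it, so
    the result lies in the order-q subgroup; the degenerate values 0 and 1 are
    re-hashed away."""
    hval = int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big")
    gd = pow(hval % Pm, 2, Pm)
    if gd in (0, 1):
        return hash_to_group(domain + "#")
    return gd


def domain_pseudonym(sk, domain):
    """P = g_d^sk: the same key gives the same P within one poll, a different P per poll."""
    return pow(hash_to_group(domain), sk, Pm)


class Poll:
    """Pollster side: one opinion per domain pseudonym, later ones are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False
        self.opinions[pseudonym] = opinion
        return True


def demo():
    alice, bob = 421, 877                        # constructed secret keys sk in Z_q
    eval_poll = Poll("course-eval-2015")
    other_poll = Poll("lecture-feedback")
    p_alice = domain_pseudonym(alice, eval_poll.poll_id)
    first = eval_poll.submit(p_alice, "great course")
    repeat = eval_poll.submit(domain_pseudonym(alice, eval_poll.poll_id), "and again")
    bob_ok = eval_poll.submit(domain_pseudonym(bob, eval_poll.poll_id), "fine")
    unlinkable = p_alice != domain_pseudonym(alice, other_poll.poll_id)
    return first, repeat, bob_ok, unlinkable, len(eval_poll.opinions)


if __name__ == "__main__":
    print(demo())
```

Squaring the hash output is what keeps $g_d$ inside the order-$q$ subgroup; without it a pollster could pick or find a base of small order and learn bits of $sk$ from $P$.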
Further Concepts

Concept – Inspection
[Figure: a TTP (inspector) with inspector parameters and inspection grounds]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption, decryption]
Security: like envelopes, no info about the message.
[Figure: the adversary cannot tell which of two messages a ciphertext encrypts]
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^{x}$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– We know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
– Thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
$Nym = g^{sk} h^{r}$, credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$, inspector's public key $y = g^{x}$.
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \;\wedge\; e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \;\wedge\; e_2 = g^{\rho} \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \;\wedge\; \varepsilon > 2^{\ell+1}\}$
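The encryption part of the inspection token, as an added, runnable example (not code from the slides or from Identity Mixer): ElGamal encryption of $Nym = g^{sk} h^{r}$ under the inspector key $y = g^{x}$, the inspector's decryption $e_1 e_2^{-x}$, and the two ciphertext clauses of the proof, $PK\{(\rho, \mu_1, \mu_2): e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho}\}$, as a Fiat-Shamir Sigma protocol. The credential clause ($d = c'^{\varepsilon} \ldots$) that shares $\mu_1, \mu_2$ with these equations, and thereby binds the ciphertext to the credential, is left out. The group (safe prime $p = 2039$, $q = 1019$), keys and randomness seed are constructed toy values.

```python
# Added example (not from the slides or Identity Mixer): ElGamal encryption of
# a pseudonym under an inspector key, plus a proof that the ciphertext contains
# a pseudonym g^sk h^r whose opening the user knows.  Toy group parameters.
import hashlib
import random

Pm, q = 2039, 1019                 # toy safe prime p = 2q + 1 and subgroup order q
g, h = 4, 9                        # 2^2 and 3^2: generators of the order-q subgroup
rng = random.Random(11)            # deterministic randomness for the demo


def inspector_keygen():
    """Secret key x, public key y = g^x."""
    x = rng.randrange(1, q)
    return x, pow(g, x, Pm)


def encrypt(y, nym):
    """enc = (y^u * Nym, g^u) = (e1, e2); returns the ciphertext and u for the proof."""
    u = rng.randrange(1, q)
    return (pow(y, u, Pm) * nym % Pm, pow(g, u, Pm)), u


def decrypt(x, ct):
    """Inspector: e1 * e2^{-x} = y^u Nym g^{-xu} = Nym."""
    e1, e2 = ct
    return e1 * pow(e2, -x, Pm) % Pm


def challenge(*elems):
    """Fiat-Shamir challenge in {1, ..., q-1} over the public values."""
    data = b"|".join(str(v).encode() for v in elems)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)


def prove_encrypts_pseudonym(y, ct, u, sk, r):
    """PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2 AND e2 = g^rho}."""
    e1, e2 = ct
    kr, k1, k2 = (rng.randrange(q) for _ in range(3))
    t1 = pow(y, kr, Pm) * pow(g, k1, Pm) % Pm * pow(h, k2, Pm) % Pm
    t2 = pow(g, kr, Pm)
    c = challenge(y, e1, e2, t1, t2)
    return t1, t2, (kr + c * u) % q, (k1 + c * sk) % q, (k2 + c * r) % q


def verify_encrypts_pseudonym(y, ct, proof):
    e1, e2 = ct
    t1, t2, sr, s1, s2 = proof
    c = challenge(y, e1, e2, t1, t2)
    lhs1 = pow(y, sr, Pm) * pow(g, s1, Pm) % Pm * pow(h, s2, Pm) % Pm
    lhs2 = pow(g, sr, Pm)
    return lhs1 == t1 * pow(e1, c, Pm) % Pm and lhs2 == t2 * pow(e2, c, Pm) % Pm


def demo():
    x, y = inspector_keygen()
    sk, r = 321, 654                                   # constructed user key and randomness
    nym = pow(g, sk, Pm) * pow(h, r, Pm) % Pm
    ct, u = encrypt(y, nym)
    proof = prove_encrypts_pseudonym(y, ct, u, sk, r)
    ok = verify_encrypts_pseudonym(y, ct, proof)
    recovered = decrypt(x, ct) == nym                  # inspection recovers Nym
    bad = prove_encrypts_pseudonym(y, ct, u, sk + 1, r)   # wrong opening must not verify
    return ok, recovered, verify_encrypts_pseudonym(y, ct, bad)


if __name__ == "__main__":
    print(demo())
```

In the full presentation token the responses for $\mu_1$ and $\mu_2$ are shared with the credential clause, so the verifier learns that the encrypted $Nym$ belongs to the very credential being shown, while only the inspector, holding $x$, can open it.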
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation62 August 11 2015
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
Privacy-protecting authentication with Privacy ABCs

Building blocks on Alice's side: a signature scheme, a commitment scheme, and zero-knowledge proofs.

Signature schemes
Signature Scheme Functionality

Key Generation: the signer generates a signing key and the corresponding verification key.
Signing: on messages $(m_1, \ldots, m_k)$ the signer computes $\sigma = \mathrm{sig}((m_1, \ldots, m_k), \text{signing key})$.
Verification: anyone holding the verification key checks $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$.

Signature Scheme Security

Unforgeability under Adaptive Chosen Message Attack: the adversary adaptively chooses messages $m_1, \ldots, m_l$ and obtains signatures $\sigma_1, \ldots, \sigma_l$ on them. It wins if it outputs a pair $(m, \sigma)$ with $m \neq m_i$ for all $i$ such that $\mathrm{ver}(\sigma, m, \text{verification key}) = \mathrm{true}$.
RSA Signature Scheme – for reference

Rivest, Shamir and Adleman, 1978

Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$ (coprime to $(p-1)(q-1)$, so that $d$ below exists), and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.

Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.

Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.

Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference

Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.

We would like to do a proof of knowledge of a signature on a (hidden) message, e.g. $PK\{(m, s):\ s^e = H(m) \pmod n\}$.

But this is not a valid proof expression :-( $H(m)$ is not an algebraic (exponentiation) relation in $m$, so the statement cannot be proven with the discrete-logarithm-style proofs above. We need a signature scheme whose verification equation is itself algebraic in the messages.
CL-Signature Scheme

Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: factors of $n$.

To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
– choose a random prime $e$ with $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$, and compute
  $c = \left(\frac{d}{a_1^{m_1} \cdots a_k^{m_k}\, b^s}\right)^{1/e} \bmod n$
– the signature is $(c, e, s)$.

To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$, check
  $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and
  $d = c^e\, a_1^{m_1} \cdots a_k^{m_k}\, b^s \bmod n$.

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature

Recall $d = c^e\, a_1^{m_1} a_2^{m_2}\, b^s \bmod n$.

Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$.
Then $d = c'^e\, a_1^{m_1} a_2^{m_2}\, b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.

To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and run
  $PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon}\, a_1^{\mu_1}\, b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon}\, a_1^{\mu_1} a_2^{m_2}\, b^{\sigma}$.

Because $c'$ is freshly randomized for every presentation, two presentations of the same credential cannot be linked through $c'$; revealing the original $c$ instead would make every use of the credential linkable.
Privacy-protecting authentication with Privacy ABCs

Building blocks on Alice's side: a signature scheme, a commitment scheme, and zero-knowledge proofs.

Commitment scheme
Commitment Scheme Functionality

– Commit: the sender puts a message $m$ into a "sealed envelope" (the commitment) and hands it to the receiver.
– Open: later the sender reveals $m$ together with the opening information, and the receiver checks that it matches the commitment.

Commitment Scheme Security

– Binding: the sender cannot open a commitment to $m$ as a different message $m' \neq m$.
– Hiding: for all messages $m, m'$, a commitment to $m$ and a commitment to $m'$ are indistinguishable to the receiver.
Commitment Schemes

Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$.
To open a commitment:
• reveal $x$ and $r$ to the verifier;
• the verifier checks whether $c = g^x h^r$ (resp. $c = (g^x h^r, g^r)$).

Pedersen's Commitment Scheme

Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.

Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x + ur} = g^{x + u(r - r')} h^{r'}$ for any $r'$.
I.e., given $c$ and any $x'$ there exists $r'$ (namely $r' = r + (x - x')u^{-1} \bmod q$) such that $c = g^{x'} h^{r'}$: the commitment is consistent with every message.

Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$.
So anyone who can open a commitment two ways has computed the discrete logarithm of $h$; this is why $h$ must be generated so that nobody knows $\log_g h$ (e.g. by hashing into the group), never as $g^u$ for a known $u$.
Commitment Scheme Extended Features

Proof of Knowledge of Contents: the committer can convince a verifier (output: true) that she knows the message $m$ inside a commitment, without revealing $m$.
Proof of Relations among Contents: she can convince a verifier that the contents of two commitments satisfy a relation, e.g. $m' = 2 \cdot m$, again without revealing $m$ or $m'$.

Let $C = g^m h^r$ and $C' = g^{m'} h^{r'}$; then
  $PK\{(\alpha, \beta):\ C = g^{\beta} h^{\alpha}\}$
  $PK\{(\alpha, \beta, \gamma):\ C = g^{\beta} h^{\alpha} \wedge C' = (g^2)^{\beta} h^{\gamma}\}$
Putting things together

Realizing Pseudonyms and Key Binding

Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$;
– compute $Nym = g^{sk} h^r$.
I.e., a pseudonym is a Pedersen commitment to the user's secret key: a fresh $r$ yields a new pseudonym that is unlinkable to the others yet bound to the same $sk$.
Privacy-protecting authentication with Privacy ABCs

Concept: credentials (like PKI, but better)

Issuing a credential: the issuer certifies the user's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.
Realizing Issuance of Credential

Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^\ell$
– $e > 2^{\ell+1}$
– $d = c^e\, a_1^{m_1} \cdots a_k^{m_k}\, b^s \bmod n$

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
→ $d = c^e\, a_1^{sk}\, a_2^{m_2} \cdots a_k^{m_k}\, b^s \bmod n$
New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages

The signer receives a commitment to $(m_1, \ldots, m_j)$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and produces $\sigma = \mathrm{sig}((\text{commitment to } m_1, \ldots, m_j;\ m_{j+1}, \ldots, m_k), \text{signing key})$. The recipient ends up with $\sigma$ such that $\mathrm{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$.
Verification remains unchanged. Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$;
• forgery is defined w.r.t. the clear message parts and the openings of the commitments.

Realizing Issuance of Credential (issuer's public key: $n, a_i, b, d$)

1. The user computes $C = a_1^{sk}\, b^{s'}$ and sends $C$ and her name to the issuer, together with
   $PK\{(\mu_1, \sigma'):\ C = a_1^{\mu_1}\, b^{\sigma'}\}$.
2. The issuer chooses $e$ and $s''$, computes $c = (d / (C\, a_2^{name}\, b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$.
3. The user checks $d = c^e\, a_1^{sk}\, a_2^{name}\, b^{s'' + s'} \pmod n$; her credential is $(c, e, s' + s'')$.

Want to sign w.r.t. $Nym = g^{sk} h^r$:
1. The user sends $C = a_1^{sk}\, a_2^{r}\, b^{s'}$, $Nym$ and her name, together with
   $PK\{(\mu_1, \rho, \sigma'):\ Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1}\, a_2^{\rho}\, b^{\sigma'}\}$.
2. The issuer computes $c = (d / (C\, a_3^{name}\, b^{s''}))^{1/e} \bmod n$, returns $(c, e, s'')$, and stores $(Nym, name)$.
3. The user obtains $d = c^e\, a_1^{sk}\, a_2^{r}\, a_3^{name}\, b^{s'' + s'} \pmod n$.

The proof of knowledge in step 1 is what protects the issuer: it shows that $C$ is well formed (the user knows an opening, with $sk$ in the range the scheme expects) and that the same $sk$ sits in $Nym$ and in $C$, so the credential really is bound to the pseudonym on record.
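As an added worked example (this is not code from the slides or from the Identity Mixer library), the following Python implements the CL-signature scheme of the "CL-Signature Scheme" slides, the re-randomization from "Proving Knowledge of a CL-signature", and the issuance on a commitment from the "Realizing Issuance of Credential" steps above. Everything here is an assumption made for the example: toy parameter sizes (64-bit prime factors, $\ell = 16$), Miller–Rabin prime generation, the function names, and the omission of the user's zero-knowledge proof of the commitment opening (only the algebra of signing and verifying is shown).

```python
import math
import secrets

# Toy parameters, assumed for the example only (far too small to be secure):
# ell-bit messages, prime e in (2^(ell+1), 2^(ell+2)), 64-bit prime factors of n.
ELL = 16
FACTOR_BITS = 64


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(lo: int, hi: int) -> int:
    """Random prime strictly between lo and hi."""
    while True:
        cand = lo + 1 + secrets.randbelow(hi - lo - 1)
        if is_probable_prime(cand):
            return cand


def multi_exp(bases, exps, n: int) -> int:
    """prod bases[i]^exps[i] mod n (negative exponents become modular inverses)."""
    acc = 1
    for base, exp in zip(bases, exps):
        acc = acc * pow(base, exp, n) % n
    return acc


def keygen(k: int):
    """Public key (n, a_1..a_k, b, d) with all generators in QR_n; secret key phi(n)."""
    p = random_prime(1 << (FACTOR_BITS - 1), 1 << FACTOR_BITS)
    q = random_prime(1 << (FACTOR_BITS - 1), 1 << FACTOR_BITS)
    n = p * q

    def qr() -> int:  # random quadratic residue mod n
        return pow(secrets.randbelow(n - 2) + 2, 2, n)

    return {"n": n, "a": [qr() for _ in range(k)], "b": qr(), "d": qr()}, {"phi": (p - 1) * (q - 1)}


def sign_product(pk, sk, product: int):
    """Core of CL signing: choose a prime e and random s'', return (c, e, s'') with
    c^e * product * b^s'' = d (mod n).  'product' is the a_i^m_i part, which may
    include a commitment the signer cannot open (hidden-message issuance)."""
    n, phi = pk["n"], sk["phi"]
    while True:
        e = random_prime(1 << (ELL + 1), 1 << (ELL + 2))
        if math.gcd(e, phi) == 1:       # e-th roots exist only if gcd(e, phi(n)) = 1
            break
    s = secrets.randbelow(n)
    target = pk["d"] * pow(product * pow(pk["b"], s, n) % n, -1, n) % n
    c = pow(target, pow(e, -1, phi), n)  # e-th root: this is where the factorization is needed
    return (c, e, s)


def sign(pk, sk, msgs):
    """Signature (c, e, s) on clear messages m_1..m_k."""
    return sign_product(pk, sk, multi_exp(pk["a"], msgs, pk["n"]))


def verify(pk, sig, msgs) -> bool:
    """Check m_i in {0,1}^ell, e > 2^(ell+1) and d = c^e * prod a_i^m_i * b^s (mod n)."""
    c, e, s = sig
    n = pk["n"]
    if len(msgs) != len(pk["a"]) or not all(0 <= m < (1 << ELL) for m in msgs):
        return False
    if e <= (1 << (ELL + 1)):
        return False
    return pow(c, e, n) * multi_exp(pk["a"], msgs, n) * pow(pk["b"], s, n) % n == pk["d"]


def rerandomize(pk, sig):
    """(c * b^t, e, s - e*t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(pk["n"])
    return (c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t)


def issue_on_commitment(pk, sk, commitment: int, clear_msgs):
    """Issuer side: sign C * prod_{j>1} a_j^m_j where C = a_1^sk b^s' hides sk.
    The user's PK{(mu_1, sigma'): C = a_1^mu_1 b^sigma'} is assumed to have been checked."""
    product = commitment * multi_exp(pk["a"][1:], clear_msgs, pk["n"]) % pk["n"]
    return sign_product(pk, sk, product)


def demo():
    """Returns (plain_ok, hidden_ok, rerandomized_ok, wrong_msg_rejected)."""
    pk, sk = keygen(k=2)
    plain_ok = verify(pk, sign(pk, sk, [1234, 42]), [1234, 42])
    # User side: commit to her secret key with her own randomness s'.
    sk_user, s1 = secrets.randbelow(1 << ELL), secrets.randbelow(pk["n"])
    C = pow(pk["a"][0], sk_user, pk["n"]) * pow(pk["b"], s1, pk["n"]) % pk["n"]
    c, e, s2 = issue_on_commitment(pk, sk, C, [42])  # 42 stands in for "name"
    cred = (c, e, s1 + s2)                            # user completes s = s' + s''
    hidden_ok = verify(pk, cred, [sk_user, 42])
    rerandomized_ok = verify(pk, rerandomize(pk, cred), [sk_user, 42])
    wrong_msg_rejected = not verify(pk, cred, [sk_user ^ 1, 42])
    return plain_ok, hidden_ok, rerandomized_ok, wrong_msg_rejected
```

Two design points carry over to real deployments: the issuer adds its own $s''$ so that the user cannot control the final randomizer, and `verify` enforces the message and $e$ ranges, which the Strong-RSA security proof relies on; dropping the range checks turns the verifier into an oracle that accepts "signatures" on out-of-range exponents.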
October 28, 2014, © 2013 IBM Corporation
An Example Scenario

Polling: Scenario and Requirements

Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous: a user's opinions in different polls must not be linkable.

Polling – Solution: Registration

– The user generates a pseudonym (ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e\, a_1^{sk}\, a_2^{r}\, a_3^{attr}\, b^s \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
– The credential can contain attributes (e.g. the course ID) about her.

Polling – Solution: Submit Poll

1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms (re-randomizes) her credential.
3. She presents the transformed credential with a subset of the attributes.
   – The user is anonymous and unlinkable.
   – Multiple opinions are detected because of the uniqueness of the domain pseudonym.

Polling – Solution: Polling

1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms her credential, $c' = c\, b^t \bmod n$ with randomly chosen $t$, and computes
   $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \wedge d = c'^{\varepsilon}\, a_1^{\mu_1}\, a_2^{\mu_2}\, a_3^{\mu_3}\, b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(\text{opinion})$
   The shared $\mu_1$ ties the domain pseudonym to the secret key inside the credential, and the opinion is the message signed by the SPK, so it cannot be swapped in transit.
Further Concepts

Concept – Inspection

• If the car is damaged, the ID needs to be retrievable (with the insurance or the government): the user verifiably encrypts her identity under the inspector's (a TTP's) parameters, bound to stated inspection grounds.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption

Key Generation, Encryption, Decryption.

Security: like envelopes. The ciphertext reveals no information about the message, not even whether it contains $m$ or $m'$.
This is called semantic security (secure if used once only, or within a careful construction). An inspector who decrypts on request acts as a decryption oracle, which is why the verifiable encryption schemes below are chosen-ciphertext secure rather than merely semantically secure.
Verifiable Encryption with Label

A label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext, i.e. decryption takes the label as input, and a ciphertext presented under a different label is treated as a different (unrelated) ciphertext.

Verifiable Encryption

– Of attributes (discrete logarithms): Camenisch–Shoup (SRSA), based on Paillier encryption.
– Of p
seudonyms (group elements): Cramer–Shoup (DL) or, rarely, ElGamal (DL).
– Otherwise (any secret for which a ZKPK exists): Camenisch–Damgård works for any scheme but is much less efficient.
Open problem: find new ones.
ElGamal Encryption Scheme

Group $G = \langle g \rangle$ of order $q$.
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$;
– compute $c = (y^r m, g^r)$.
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$;
– thus set $m = c_1\, c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$.
Realizing Inspection

The user holds $Nym = g^{sk} h^r$ and a credential with $d = c^e\, a_1^{sk}\, a_2^{r}\, a_3^{name}\, b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.

Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u\, Nym,\ g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$;
– compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon}\, a_1^{\mu_1}\, a_2^{\mu_2}\, a_3^{\mu_3}\, b^{\sigma} \wedge e_1 = y^{\rho}\, g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
The shared $\mu_1, \mu_2$ guarantee that the ciphertext contains exactly the pseudonym bound to the presented credential, so the inspector cannot be handed an unrelated value. Plain ElGamal is used here for readability; as the previous slide says, a deployment would use a chosen-ciphertext secure scheme with a label (Cramer–Shoup) so that the inspection grounds are bound into the ciphertext.
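As an added worked example (not code from the slides or from Identity Mixer), the following Python builds one small Fiat–Shamir prover/verifier for statements of the form $SPK\{(\text{witnesses}): \bigwedge_j y_j = \prod_i \text{base}_{ji}^{w_i}\}(\text{message})$ and uses it for four passages above: the proofs of knowledge and of relations on Pedersen commitments ("Commitment Scheme Extended Features"), the pseudonym $Nym = g^{sk} h^r$ ("Realizing Pseudonyms and Key Binding"), the domain pseudonym SPK of the polling scenario, and the verifiable ElGamal encryption of $Nym$ from "Realizing Inspection". Assumptions for the example: a toy Schnorr group with $p = 2039$, $q = 1019$ (chosen only so the arithmetic is readable), SHA-256 as the Fiat–Shamir hash, and all function names. The CL-signature clause of the real presentation proofs (which lives in the RSA group and needs range proofs) is deliberately left out.

```python
import hashlib
import secrets

# Toy Schnorr group, assumed for illustration only: p = 2q + 1 with p and q prime.
# Real deployments need a >= 2048-bit p / 256-bit q group or an elliptic curve.
P, Q = 2039, 1019
G, H = 4, 9  # squares mod P, hence generators of the order-Q subgroup; log_G H is assumed unknown


def hash_to_group(label: bytes) -> int:
    """H(pollID) for domain pseudonyms: hash, then square to land in the order-Q subgroup."""
    v = pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)
    return v if v > 1 else G


def pedersen_commit(x: int, r: int) -> int:
    """Pedersen commitment g^x h^r; with x = sk this is the pseudonym Nym."""
    return pow(G, x, P) * pow(H, r, P) % P


def _challenge(equations, t_values, message: bytes) -> int:
    """Fiat-Shamir challenge over the statement, the prover's t values and the signed message."""
    h = hashlib.sha256(message)
    for (y, bases), t in zip(equations, t_values):
        h.update(f"{y}:{[b for b, _ in bases]}:{t}".encode())
    return int.from_bytes(h.digest(), "big")


def prove(witness: dict, equations, message: bytes = b""):
    """SPK{(witnesses): AND_j y_j = prod_i base_ji^w_i}(message), Fiat-Shamir style.

    equations is a list of (y, [(base, witness_name), ...]).  Using one witness name
    in several equations proves that the same exponent sits in all of them.
    """
    r = {name: secrets.randbelow(Q) for name in witness}
    t_values = []
    for _, bases in equations:
        t = 1
        for base, name in bases:
            t = t * pow(base, r[name], P) % P
        t_values.append(t)
    c = _challenge(equations, t_values, message)
    s = {name: (r[name] - (c % Q) * w) % Q for name, w in witness.items()}
    return c, s


def verify(equations, proof, message: bytes = b"") -> bool:
    """Recompute t_j = y_j^c * prod base^s and check that the challenge matches."""
    c, s = proof
    t_values = []
    for y, bases in equations:
        t = pow(y, c % Q, P)
        for base, name in bases:
            t = t * pow(base, s[name], P) % P
        t_values.append(t)
    return c == _challenge(equations, t_values, message)


def elgamal_encrypt(y: int, m: int, u: int):
    """ElGamal: (y^u * m, g^u)."""
    return pow(y, u, P) * m % P, pow(G, u, P)


def elgamal_decrypt(x: int, ct) -> int:
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P


def demo():
    sk, r = secrets.randbelow(Q), secrets.randbelow(Q)
    nym = pedersen_commit(sk, r)

    # Proof of knowledge of the opening of a commitment / pseudonym.
    key_eq = [(nym, [(G, "sk"), (H, "r")])]
    know_ok = verify(key_eq, prove({"sk": sk, "r": r}, key_eq))

    # Relation proof: C = g^m h^r1 and C' = (g^2)^m h^r2, i.e. m' = 2m.
    m, r1, r2 = 5, secrets.randbelow(Q), secrets.randbelow(Q)
    C, C2 = pedersen_commit(m, r1), pow(G, 2 * m, P) * pow(H, r2, P) % P
    rel_eq = [(C, [(G, "m"), (H, "r1")]), (C2, [(pow(G, 2, P), "m"), (H, "r2")])]
    rel_ok = verify(rel_eq, prove({"m": m, "r1": r1, "r2": r2}, rel_eq))
    # If the second commitment actually holds 3m, the shared-witness proof fails.
    # (Soundness error in this toy group is 1/Q per run, so we require repeated failure.)
    C3 = pow(G, 3 * m, P) * pow(H, r2, P) % P
    bad_eq = [(C, [(G, "m"), (H, "r1")]), (C3, [(pow(G, 2, P), "m"), (H, "r2")])]
    rel_forged = all(verify(bad_eq, prove({"m": m, "r1": r1, "r2": r2}, bad_eq)) for _ in range(4))

    # Polling: domain pseudonym P_d = H(pollID)^sk bound to the sk inside Nym, as an
    # SPK on the opinion (the credential clause of the real proof is omitted here).
    gd = hash_to_group(b"pollID:course-eval-2015")
    dom = pow(gd, sk, P)
    poll_eq = [(nym, [(G, "sk"), (H, "r")]), (dom, [(gd, "sk")])]
    opinion = b"opinion: 4/5"
    poll_proof = prove({"sk": sk, "r": r}, poll_eq, opinion)
    poll_ok = verify(poll_eq, poll_proof, opinion)
    poll_tampered_ok = verify(poll_eq, poll_proof, b"opinion: 1/5")

    # Inspection: verifiable ElGamal encryption of Nym under the inspector's key y = g^x;
    # the proof shows e1 = y^u g^sk h^r and e2 = g^u with the same sk, r as in Nym.
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    u = secrets.randbelow(Q)
    e1, e2 = elgamal_encrypt(y, nym, u)
    insp_eq = [(e1, [(y, "u"), (G, "sk"), (H, "r")]), (e2, [(G, "u")])]
    insp_ok = verify(insp_eq, prove({"u": u, "sk": sk, "r": r}, insp_eq))
    inspected = elgamal_decrypt(x, (e1, e2)) == nym
    return know_ok, rel_ok, rel_forged, poll_ok, poll_tampered_ok, insp_ok, inspected
```

The whole trick of "proof of relations" is visible in `prove`: the same random $r$ and the same response $s$ are reused wherever a witness name recurs, so a verifier that accepts both equations has been convinced the exponents coincide. The challenge hashes the complete statement (every $y$ and every base) together with the message, which is what turns the proof into a signature of knowledge on the opinion and prevents a proof made for one statement from being replayed for another.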
Revocation of credentials

Anonymous Credential Revocation

Various reasons to revoke a credential: the user lost the credential or the secret key; misbehavior of the user.
The issuer publishes revocation information and the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.

Pseudonyms → standard revocation lists don't work: the verifier never sees a stable identifier it could look up, and adding one would make all presentations linkable.
Revocable Credentials: First Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose a random $g$;
– compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$;
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \cdots \vee (d = c^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$.
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose a random $h$ and compute $U = h^{u_i}$;
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \wedge U = h^{\mu}\}$;
– the verifier checks whether $U = h^{u_j}$ for every $u_j$ on the list (none may match).
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

What happens if we make the list of all valid $u_i$'s public? Anyone who stored a past $(h, U)$ pair can test it against every published $u_j$, so every transaction becomes linkable to its credential. The same holds once a single credential is revoked: its $u_i$ becomes public and all of its past transactions become linkable.

Revocable Credentials: Second Solution

Variation: the verifier could choose $h$ and keep it fixed for a while.
– It can pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
– BUT if the user comes again, the verifier can link her visits. ALSO the verifier could decide never to change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check that $h$ was derived correctly.
– The date could be the time up to the second, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof

The issuer signs the intervals between revoked IDs: with revocation list $\{1, 4, 5\}$ and IDs from $0$ to $N$, it publishes $Sig(0, 1)$, $Sig(1, 4)$, $Sig(4, 5)$, $Sig(5, N)$.
Alice (whose ID is, say, $3$) proves that she knows a signature $Sig(i, j)$ and that her ID lies strictly inside it, $i < 3 < j$; an ID that is revoked is an interval endpoint and satisfies no such strict inequality.
The verifier does not learn $i$, $j$ (nor the ID).
$Sig(i, j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators

– Credentials contain a random serial number (in the figure: 1 to 6).
– The issuer accumulates all good serial numbers into a single accumulator value.
– Alice proves that the serial number in her credential is included in the accumulator; the proof requires a witness.
– To revoke serial number 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$;
– accumulator value $z = v^{\prod e_i} \bmod n$;
– publish $z$ and $n$;
– the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$.
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$;
– the verifier checks $z = x^{e} \bmod n$.

Security of the accumulator: exhibit $(x, e)$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption.
– For any $e$: equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator;
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go.
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x\, h^s$ and $U_2 = g^s$, and reveal $U_1, U_2, g$.
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$

Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$;
  • the proof protocol is zero-knowledge.
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$;
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$ (with an honest prover, $\delta = s$ and $U_1 h^{-s} = x$);
  c) $d = c^{\varepsilon}\, a_1^{\rho}\, a_2^{\mu}\, b^{\sigma} \pmod n$, i.e. that same $\mu$ is the value certified in the credential.
Revocation: Third Solution – Dynamic Accumulator

When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$;
– thus $z' = z^{e_{new}} \bmod n$;
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$.

When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (computed by the issuer, who knows the factorization of $n$);
– witness update: use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$;
– now $x' = x^{b}\, z'^{a} \bmod n$.
– Why? Using $x^{e_{own}} = z = z'^{e_{rev}}$:
  $x'^{e_{own}} = x^{b\, e_{own}}\, z'^{a\, e_{own}} = z'^{b\, e_{rev}}\, z'^{a\, e_{own}} = z'^{a\, e_{own} + b\, e_{rev}} = z' \pmod n$ :-)
  The revoked user cannot do this: for $e_{own} = e_{rev}$ no such $a, b$ exist.

Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$;
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and hand the new user the witness $x = z^{1/e_{new}} \bmod n$;
– thus $z$ needs not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
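As an added worked example (not code from the slides or from Identity Mixer), the following Python carries the RSA accumulator of the "Third Solution" slides through accumulation, witness creation, the improved join that leaves $z$ unchanged, a revocation with the extended-Euclid witness update, and the naive join that raises every witness to $e_{new}$. Assumptions for the example only: a toy modulus $n = 1019 \cdot 1187$, small prime serial numbers, and all class and function names; the zero-knowledge proof that the accumulated value sits inside the credential is not implemented.

```python
import math
import secrets

# Toy RSA modulus, assumed for illustration only; the issuer knows p and q.
# Real accumulators use a >= 2048-bit modulus and large random prime serial numbers.
P_FACTOR, Q_FACTOR = 1019, 1187          # both prime; phi(n) = (2*509) * (2*593)
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)


def ext_gcd(a: int, b: int):
    """Returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def root(z: int, e: int) -> int:
    """e-th root mod N; issuer-only since it needs phi(N). Requires gcd(e, phi) = 1."""
    assert math.gcd(e, PHI) == 1
    return pow(z, pow(e, -1, PHI), N)


class Issuer:
    """Holds the accumulator z = v^(prod e_i) mod N and knows the factorization of N."""

    def __init__(self, serials):
        while True:                                   # random seed v in QR_N, coprime to N
            v = pow(secrets.randbelow(N - 2) + 2, 2, N)
            if math.gcd(v, N) == 1:
                break
        self.v = v
        self.serials = list(serials)
        self.z = self.v
        for e in self.serials:
            self.z = pow(self.z, e, N)

    def witness(self, e: int) -> int:
        """x with x^e = z, i.e. v raised to the product of all the *other* primes."""
        assert e in self.serials
        return root(self.z, e)

    def add(self, e_new: int) -> int:
        """Improved join: z stays fixed, the newcomer simply receives z^(1/e_new)."""
        assert e_new not in self.serials
        self.serials.append(e_new)
        return root(self.z, e_new)

    def revoke(self, e_rev: int) -> int:
        """Publish the new accumulator z' = z^(1/e_rev); all other users must update."""
        self.serials.remove(e_rev)
        self.z = root(self.z, e_rev)
        return self.z


def verify_membership(z: int, x: int, e: int) -> bool:
    """Anyone can check: z = x^e mod N."""
    return pow(x, e, N) == z


def update_witness_after_revocation(x: int, e_own: int, z_new: int, e_rev: int) -> int:
    """User side: a*e_own + b*e_rev = 1 (extended Euclid), then x' = x^b * z'^a mod N."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1                                     # fails exactly for the revoked user
    return pow(x, b, N) * pow(z_new, a, N) % N        # negative exponents -> modular inverses


def update_witness_after_join(x: int, e_new: int) -> int:
    """Naive join (no factorization needed): z' = z^e_new, so every witness becomes x^e_new."""
    return pow(x, e_new, N)


def demo():
    issuer = Issuer([101, 103, 107, 109])             # toy prime serial numbers
    z0 = issuer.z
    x_alice = issuer.witness(107)
    ok = verify_membership(z0, x_alice, 107)
    forged = verify_membership(z0, x_alice, 109)      # Alice's witness does not vouch for 109

    # Join without changing z (issuer knows the factorization).
    x_new = issuer.add(127)
    join_ok = verify_membership(issuer.z, x_new, 127) and issuer.z == z0

    # Revoke 103: issuer publishes z'; Alice repairs her witness with (a, b) from ext. Euclid.
    z1 = issuer.revoke(103)
    stale = verify_membership(z1, x_alice, 107)       # old witness no longer matches z'
    x_alice = update_witness_after_revocation(x_alice, 107, z1, 103)
    updated_ok = verify_membership(z1, x_alice, 107)
    revoked_stuck = ext_gcd(103, 103)[0] != 1         # the revoked user has no (a, b)

    # Naive join on a public-only accumulator: z and every witness get raised to e_new.
    z2 = pow(z1, 131, N)
    naive_ok = verify_membership(z2, update_witness_after_join(x_alice, 131), 107)
    return ok, forged, join_ok, stale, updated_ok, revoked_stuck, naive_ok
```

The operational difference between the two join strategies is the whole point of the "improved" slide: with the naive update every holder must fetch $e_{new}$ and re-exponentiate on each join, whereas the issuer-side root keeps $z$ stable so that holders only touch their witness on revocations, which are rarer.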
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
– no additional effort for the verifier;
– if the credential is valid (its validity time has not yet passed) → no need to check revocation updates from the issuer.

Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
– the user's commitment $U = a_1^{m_1} a_2^{m_2}\, b^{s'}$ is already known to the issuer;
– the issuer chooses $e, s''$ and computes $c = (d / (U\, a_3^{m_3}\, a_4^{time}\, b^{s''}))^{1/e} \bmod n$, handing out $(c, e, s'')$.

Idea: just repeat that last step for each new time period $time_i$: choose $e_i, s_i''$ and compute $c_i = (d / (U\, a_3^{m_3}\, a_4^{time_i}\, b^{s_i''}))^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means, since no interaction with the user is needed.
Conclusions

Roadmap
– explain the possibilities to engineers, policy makers, etc.
– usable prototypes
– provide transparency
– public infrastructure for privacy protection
– laws with teeth (encourage investment in privacy)

Challenges
– Internet services get paid with personal data (inverse incentive)
– end users are not able to handle their data (user interfaces)
– security technology is typically invisible and hard to sell

Towards a secure information society
– society changes quickly and gets shaped by technology
– consequences are hard to grasp (time will show)
– we must inform and engage in a dialog

Thank you
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215, Springer-Verlag, 2003.
copy 2014 IBM Corporation63 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation64 August 11 2015
signature schemes
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
Key Generation
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
Realizing Inspection
(Figure: the user holds the pseudonym and the credential, the verifier receives the presentation token, the inspector holds $y = g^{x}$.)
• User: pseudonym $\mathit{Nym} = g^{sk} h^{r}$ and credential $(c, e, s'' + s')$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{\mathit{name}} b^{s'' + s'} \pmod n$.
• Inspector's public key: $y = g^{x}$.
• Encrypt $\mathit{Nym}$: choose random $u \in \mathbb{Z}_q$ and compute $\mathit{enc} = (y^{u}\,\mathit{Nym},\ g^{u}) = (e_1, e_2)$.
• Compute the proof token (presentation token):
  – compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$,
  – compute the proof
    $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \ \wedge\ e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \ \wedge\ e_2 = g^{\rho} \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$.
  The shared $\mu_1, \mu_2$ tie the encrypted pseudonym to the secret key and randomness signed in the credential, so what the inspector decrypts is exactly the $\mathit{Nym}$ registered at issuance.
Revocation of credentials

Anonymous Credential Revocation
(Figure: the issuer publishes revocation information; the verifier looks it up.)
• Alice should be able to convince the verifier that her credential is among the good ones.
• Various reasons to revoke a credential: the user lost the credential or her secret key, or the user misbehaved.
• Pseudonyms → standard revocation lists don't work: the verifier never sees a credential identifier it could look up.
Revocable Credentials: First Solution
• Include in the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
• Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
• Alice proves that her $u_i$ is on the list:
  – choose a random $g$,
  – compute $U_j = g^{u_j}$ for every $u_j$ in $(u_1, \ldots, u_k)$,
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_1 = g^{\mu}) \ \vee\ \cdots\ \vee\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_k = g^{\mu})\}$.
• Not very efficient, i.e. linear in the size $k$ of the list. :-(
Revocable Credentials: Second Solution
• Include in the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
• Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
• Alice proves that her $u_i$ is not on the list:
  – choose a random $h$ and compute $U = h^{u_i}$,
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U = h^{\mu}\}$,
  – the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list.
• Better, as only the verifier has to do linear work (and it can be improved using so-called batch verification).
• What happens once a $u_i$ is added to the published list? Every earlier transaction revealed a pair $(h, U)$ that can now be tested against $h^{u_i}$, so if a credential is revoked all its past transactions become linkable.

Revocable Credentials: Second Solution (variation)
• The verifier could choose $h$ and keep it fixed for a while, and pre-compute the list $U_j = h^{u_j}$ → a single table lookup.
• BUT if the user comes again, the verifier can link her visits; ALSO the verifier could refuse to change $h$ at all, or use the same $h$ as other verifiers.
• One way out: $h = H(\mathit{verifier}, \mathit{date})$, so the user can check that $h$ was formed correctly; the date could be the time up to seconds, and the verifier can simply store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution, a better implementation of the proof
(Figure: ID space $[0, N]$ with revocation list $\{1, 4, 5\}$; the issuer publishes $\mathit{Sig}(0,1)$, $\mathit{Sig}(1,4)$, $\mathit{Sig}(4,5)$, $\mathit{Sig}(5,N)$; a user with ID 3 uses $\mathit{Sig}(1,4)$.)
• The issuer signs the intervals between consecutive revoked values → for revocation list $\{1, 4, 5\}$ this is $\mathit{Sig}(0,1), \mathit{Sig}(1,4), \mathit{Sig}(4,5), \mathit{Sig}(5,N)$.
• The user proves that her credential contains $u$ and that she knows a signature $\mathit{Sig}(i,j)$ on an interval with $i < u < j$; the verifier does not learn $i$, $j$ (nor $u$).
• $\mathit{Sig}(i,j)$ can be realised with the credential signature scheme itself, using a different public key.
Revocable Credentials: Third Solution, using cryptographic accumulators
(Figure: serial numbers 1, 2, 3, 4, 5, 6 accumulated into a single value; a proof that 2 is included requires a witness for 2.)
• Credentials contain a random serial number; the issuer accumulates all good serial numbers.
• Proving that a serial number is included in the accumulator requires a witness.
• To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
• Key setup: RSA modulus $n$, seed $v$.
• Accumulate:
  – values are primes $e_i$,
  – accumulator value $z = v^{\prod_i e_i} \bmod n$,
  – publish $z$ and $n$,
  – the witness $x$ for $e_j$ satisfies $z = x^{e_j} \bmod n$ and can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$.
• Show that your value $e$ is contained in the accumulator:
  – provide the witness $x$ for $e$,
  – the verifier checks $z = x^{e} \bmod n$.
Revocable Credentials: Third Solution
• Security of the accumulator: it must be infeasible to find $(x, e)$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
  – For a fixed $e$: equivalent to the RSA assumption.
  – For any $e$: equivalent to the Strong RSA assumption.
• Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need
  – an efficient protocol to prove that a committed value is contained in the accumulator,
  – a dynamic accumulator, i.e. the ability to remove and add values as certificates come and go.
Revocable Credentials: Third Solution
• Prove that your serial number $e$ is in the accumulator. Commit to the witness $x$:
  – choose random $s$ and $g$,
  – compute $U_1 = x\, h^{s}$ and $U_2 = g^{s}$, and reveal $U_1$, $U_2$, $g$.
• Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n \ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \ \wedge\ U_2 = g^{\delta} \pmod n\}$.

Analysis
• No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
• The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$;
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$;
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the value signed in the certificate.
Revocation: Third Solution, Dynamic Accumulator
• When a new user gets a certificate containing $e_{\mathit{new}}$:
  – recall $z = v^{\prod_i e_i} \bmod n$,
  – thus $z' = z^{e_{\mathit{new}}} \bmod n$,
  – but then all existing witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{\mathit{new}}} \bmod n$.
• When a certificate containing $e_{\mathit{rev}}$ is revoked:
  – now $z' = v^{\prod_{i \neq \mathit{rev}} e_i} = z^{1/e_{\mathit{rev}}} \bmod n$ (the issuer can take the root because it knows the factorization of $n$),
  – witness update: use the extended Euclidean algorithm to compute $a$ and $b$ such that $a\, e_{\mathit{own}} + b\, e_{\mathit{rev}} = 1$, and set $x' = x^{b} z'^{a} \bmod n$.
  – Why:
    $x'^{e_{\mathit{own}}} = \big((x^{b} z'^{a})^{e_{\mathit{own}}}\big)^{e_{\mathit{rev}} \cdot (1/e_{\mathit{rev}})} \bmod n$
    $= \big((x^{b} z'^{a})^{e_{\mathit{own}} e_{\mathit{rev}}}\big)^{1/e_{\mathit{rev}}} \bmod n$
    $= \big((x^{e_{\mathit{own}}})^{b\, e_{\mathit{rev}}} (z'^{e_{\mathit{rev}}})^{a\, e_{\mathit{own}}}\big)^{1/e_{\mathit{rev}}} \bmod n$
    $= \big(z^{b\, e_{\mathit{rev}}} z^{a\, e_{\mathit{own}}}\big)^{1/e_{\mathit{rev}}} \bmod n$
    $= z^{1/e_{\mathit{rev}}} \bmod n = z'$. :-)
  – The revoked user cannot follow suit: for $e_{\mathit{own}} = e_{\mathit{rev}}$ no such $a, b$ exist, so her stale witness no longer matches $z'$.

Revocation: Third Solution (improved)
• Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{\mathit{new}}$:
  – recall $z = v^{\prod_i e_i} \bmod n$,
  – actually $v$ never occurs anywhere, so set $v' = v^{1/e_{\mathit{new}}} \bmod n$ and hand out the witness $x = z^{1/e_{\mathit{new}}} \bmod n$,
  – thus $z$ need not change when a new member joins.
• Witnesses need to be recomputed upon revocation only.
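The accumulator bookkeeping above, run end to end as an added example (this is my code, not code from the slides or from Identity Mixer; the class and function names are mine, the modulus is a toy built from two Mersenne primes so that $\varphi(n)$ is known to the issuer, and serial numbers are ~30-bit primes). It walks through a basic join that forces every holder to update, the trapdoor join that leaves $z$ unchanged, and the extended-Euclid witness update after a revocation, including the fact that the revoked holder's stale witness no longer verifies:

```python
"""RSA accumulator with dynamic add/revoke and witness updates (toy parameters)."""
import random
from math import gcd

# Toy issuer modulus from two Mersenne primes; only the issuer knows PHI.
# A real deployment uses a >= 2048-bit modulus with secret random factors.
P, Q = 2**89 - 1, 2**107 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)


def is_prime(n):
    """Trial division; enough for the ~30-bit serial numbers used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def random_serial(rng):
    """Credential serial number: a random ~30-bit prime e coprime to phi(n)."""
    e = rng.getrandbits(30) | (1 << 29) | 1
    while not (is_prime(e) and gcd(e, PHI) == 1):
        e += 2
    return e


class Issuer:
    """Seed v, the currently accumulated (unrevoked) serials, and z = v^(prod e_i)."""

    def __init__(self, rng):
        self.v = pow(rng.randrange(2, N - 1), 2, N)   # seed v in QR_n
        self.serials = []
        self.z = self.v

    def add_basic(self, e):
        """Join without trapdoor: z <- z^e, and every holder must do x <- x^e."""
        self.serials.append(e)
        self.z = pow(self.z, e, N)
        return self.witness_basic(e)

    def witness_basic(self, e):
        """x = v^(product of all other e_i) mod n, so that x^e = z."""
        x = self.v
        for other in self.serials:
            if other != e:
                x = pow(x, other, N)
        return x

    def add_with_trapdoor(self, e):
        """Improved join: v <- v^(1/e) keeps z (and all old witnesses) unchanged;
        the newcomer's witness is z^(1/e). Needs phi(n)."""
        inv_e = pow(e, -1, PHI)
        self.v = pow(self.v, inv_e, N)
        self.serials.append(e)
        return pow(self.z, inv_e, N)

    def revoke(self, e):
        """z <- z^(1/e); the issuer publishes the new z together with e."""
        self.serials.remove(e)
        self.z = pow(self.z, pow(e, -1, PHI), N)
        return self.z


def verify_membership(z, e, x):
    return pow(x, e, N) == z


def update_witness_after_join(x, e_new):
    return pow(x, e_new, N)


def update_witness_after_revoke(x, e_own, e_rev, z_new):
    """Ext. Euclid: a*e_own + b*e_rev = 1, then x' = x^b * z_new^a (mod n).
    (Negative exponents are modular inverses; Python 3.8+.)"""
    a = pow(e_own, -1, e_rev)                 # e_own^{-1} mod e_rev
    b = (1 - a * e_own) // e_rev              # exact division, b < 0
    return pow(x, b, N) * pow(z_new, a, N) % N


def demo(seed=2014):
    rng = random.Random(seed)
    iss = Issuer(rng)
    e_alice, e_bob, e_carol = (random_serial(rng) for _ in range(3))
    x_alice = iss.add_basic(e_alice)
    x_bob = iss.add_basic(e_bob)
    x_alice = update_witness_after_join(x_alice, e_bob)     # Alice reacts to Bob's join
    ok_before = verify_membership(iss.z, e_alice, x_alice) and verify_membership(iss.z, e_bob, x_bob)
    z_old = iss.z
    x_carol = iss.add_with_trapdoor(e_carol)                # nobody else has to update
    ok_trapdoor = iss.z == z_old and verify_membership(iss.z, e_carol, x_carol) \
        and verify_membership(iss.z, e_alice, x_alice)
    z_new = iss.revoke(e_bob)
    x_alice = update_witness_after_revoke(x_alice, e_alice, e_bob, z_new)
    x_carol = update_witness_after_revoke(x_carol, e_carol, e_bob, z_new)
    return {
        "ok_before": ok_before,
        "ok_trapdoor_join": ok_trapdoor,
        "alice_after_revoke": verify_membership(z_new, e_alice, x_alice),
        "carol_after_revoke": verify_membership(z_new, e_carol, x_carol),
        "bob_stale_witness": verify_membership(z_new, e_bob, x_bob),   # False: revoked
    }


if __name__ == "__main__":
    print(demo())
```

The verifier only ever needs $n$, the current $z$ and the pair $(e, x)$; everything that touches $\varphi(n)$ lives in the issuer class, which is the trust boundary the slides describe.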
Revocation: Zeroth Solution
• Update of credentials: encode the validity time as an attribute.
  – No additional effort for the verifier: if the credential is valid (its time attribute is current), there is no need to check revocation updates from the issuer.
• Re-issue certificates (off-line; interaction might be too expensive).
• Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$, computes $c = \big(d / (U\, a_3^{m_3} a_4^{\mathit{time}} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
• Idea: just repeat the last step for each new time period: choose $e_i, s_i''$ and compute $c_i = \big(d / (U\, a_3^{m_3} a_4^{\mathit{time}_i} b^{s_i''})\big)^{1/e_i} \bmod n$.
• The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
• Roadmap
  – Explain the possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
• Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
• Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
• D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
• S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
• M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
• J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
• Ateniese, Song and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
• J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
• J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
• M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
• E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
• S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
• J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
• D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
• D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
• D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
• J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
• V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
• D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
• T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Signature Schemes

Signature Scheme: Functionality
(Figure: key generation yields a signing key for the signer and a verification key for everyone else.)
• Signing: $\sigma = \mathit{sig}((m_1, \ldots, m_k), \text{signing key})$.
• Verification: $\mathit{ver}(\sigma, (m_1, \ldots, m_k), \text{verification key}) = \mathrm{true}$.

Signature Scheme: Security
• Unforgeability under adaptive chosen message attack: the adversary obtains signatures $\sigma_1, \ldots, \sigma_l$ on messages $m_1, \ldots, m_l$ of its choice, each chosen after seeing the previous signatures, and must then output $(\sigma, m)$ with $m \neq m_i$ for all $i$ such that $\mathit{ver}(\sigma, m, \text{verification key}) = \mathrm{true}$.
RSA Signature Scheme (for reference)
• Rivest, Shamir and Adleman, 1978.
• Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^{*} \to \{0,1\}^{\ell}$.
• Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$ and $s = H(m)^{d} \bmod n$.
• Verification of signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$.
• Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$.

RSA Signature Scheme (for reference)
• Verification of signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} = H(m) \pmod n$.
• We want to do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s):\ s^{e} = H(m) \pmod n\}$.
• But this is not a valid proof expression :-( : $H$ is not an algebraic relation in the group, so the efficient proof techniques for discrete-log relations do not apply to it.
CL-Signature Scheme
• Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
• To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$: choose a random prime $e$ with $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$, and compute
  $c = \big(d / (a_1^{m_1} \cdots a_k^{m_k} b^{s})\big)^{1/e} \bmod n$.
• The signature is $(c, e, s)$.
• To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$ and
  $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$.
• Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature
• Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$.
• Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
• To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and run
  $PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \ \wedge\ \mu_1 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
  → this proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$ with $m_2$ revealed and $m_1$ hidden; since $c'$ is freshly randomised, the verifier cannot link it to $c$ or to other showings.
Privacy-protecting authentication with Privacy ABCs
(Figure: Alice's credential is built from three building blocks: a signature scheme, a commitment scheme and zero-knowledge proofs.)

Commitment Schemes

Commitment Scheme: Functionality
(Figure: committing to $m$ is like locking $m$ in a box with a combination lock; the committer later opens it by revealing the combination, and the receiver reads $m$.)

Commitment Scheme: Security
• Binding: the committer cannot open the same commitment to two different messages $m \neq m'$.
• Hiding: for all messages $m, m'$, commitments to $m$ and to $m'$ are indistinguishable to the receiver before opening.
Commitment Schemes
• Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
• To commit to an element $x \in \mathbb{Z}_q$:
  – Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
  – ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r},\ g^{r})$.
• To open a commitment: reveal $x$ and $r$ to the verifier; the verifier checks whether $c = g^{x} h^{r}$.

Pedersen's Commitment Scheme
• Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
• Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then
  $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur') + u(r - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$,
  i.e. given $c$ and any $x'$ (take $r' = (x' - x)/u$), there exists $r''$ such that $c = g^{x'} h^{r''}$: the commitment is consistent with every message, so even an unbounded receiver learns nothing.
• Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be such that $c = g^{x} h^{r} = g^{x'} h^{r'}$ with $x \neq x'$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. whoever opens a commitment in two ways has computed the discrete logarithm of $h$.
Commitment Scheme: Extended Features
(Figure: a proof of knowledge of the contents $m$ of a commitment, and a proof of a relation among the contents of two commitments, e.g. $m' = 2 \cdot m$, each convincing the verifier without opening.)
• Proof of knowledge of contents.
• Proof of relations among contents.
• Let $C_1 = g^{m_1} h^{r_1}$ and $C_2 = g^{m_2} h^{r_2}$; then
  – $PK\{(\alpha, \beta):\ C_1 = g^{\beta} h^{\alpha}\}$ proves knowledge of an opening of $C_1$, and
  – $PK\{(\alpha, \beta, \gamma):\ C_1 = g^{\beta} h^{\alpha} \ \wedge\ C_2 = (g^{2})^{\beta} h^{\gamma}\}$ proves that $C_2$ commits to $2 m_1$ (the same $\beta$ is used in both equations).
Putting Things Together

Realizing Pseudonyms and Key Binding
• Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
• User's secret key: random $sk \in \mathbb{Z}_q$.
• To compute a pseudonym $\mathit{Nym}$: choose random $r \in \mathbb{Z}_q$ and compute $\mathit{Nym} = g^{sk} h^{r}$ (a Pedersen commitment to $sk$; a fresh $r$ gives a new, unlinkable pseudonym bound to the same key).
Privacy-protecting authentication with Privacy ABCs: Concept: credentials
(Figure: like PKI, but better. Issuing a credential: the issuer signs attributes such as Name = Alice Doe, Birth date = April 3, 1997.)
Realizing Issuance of a Credential
• Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
  – $m_1, \ldots, m_k \in \{0,1\}^{\ell}$,
  – $e > 2^{\ell+1}$,
  – $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$.
• Problem: the pseudonym is not in the message space.
• Solution: sign the secret key instead → $d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$.
• New problem: how can we sign a secret message?

Signature Scheme: Signing Hidden Messages
(Figure: the user hands the signer commitments to $m_1, \ldots, m_j$ together with the clear messages $m_{j+1}, \ldots, m_k$; the signer returns $\sigma = \mathit{sig}((\text{commitments to } m_1, \ldots, m_j),\ m_{j+1}, \ldots, m_k)$.)
• Verification remains unchanged: $\mathit{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$.
• Security requirements are basically the same as for signatures, but
  – the signer should not learn any information about $m_1, \ldots, m_j$,
  – forgery is defined with respect to the clear message parts and the openings of the commitments.
Realizing Issuance of a Credential
(Figure: the user (holding $sk$) talks to the issuer (holding $n$, $a_i$, $b$, $d$); the slides build the protocol up step by step.)
• The user commits to her secret key, $C = a_1^{sk} b^{s'}$, sends $C$ and her name, and proves $PK\{(\mu_1, \sigma):\ C = a_1^{\mu_1} b^{\sigma}\}$.
• The issuer chooses a prime $e$ and an integer $s''$, computes $c = \big(d / (C\, a_2^{\mathit{name}} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
• The user's credential is $(c, e, s'' + s')$, since $d = c^{e} a_1^{sk} a_2^{\mathit{name}} b^{s'' + s'} \pmod n$.

Realizing Issuance of a Credential: signing with respect to a pseudonym
• Want to sign with respect to $\mathit{Nym} = g^{sk} h^{r}$.
• The user sends $C = a_1^{sk} a_2^{r} b^{s'}$, $\mathit{Nym}$ and her name, and proves
  $PK\{(\mu_1, \rho, \sigma):\ \mathit{Nym} = g^{\mu_1} h^{\rho} \ \wedge\ C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$.
• The issuer stores $(\mathit{Nym}, \mathit{name})$, computes $c = \big(d / (C\, a_3^{\mathit{name}} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
• Result: $d = c^{e} a_1^{sk} a_2^{r} a_3^{\mathit{name}} b^{s'' + s'} \pmod n$, a credential bound to the same $sk$ and $r$ as the pseudonym.
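The CL signing, verification and re-randomisation described earlier, together with the issuance on a committed secret key just shown and the validity-period re-issue of the zeroth revocation solution, as an added example. This is my code, not Identity Mixer's: the modulus is a toy built from two Mersenne primes (so $\varphi(n)$ stands in for the factorization), messages are $\ell = 16$ bits, the four bases carry (sk, r, name, period), and the user's proof that $C$ is well formed is omitted:

```python
"""CL signatures (toy Strong-RSA parameters): sign, verify, re-randomise,
issue on a committed secret key, and re-issue with a validity-period attribute."""
import random
from math import gcd

# Toy modulus from two Mersenne primes; a real issuer uses ~2048-bit n with
# secret random factors. Only the issuer knows PHI. Needs Python 3.8+ (pow(x, -1, n)).
P, Q = 2**89 - 1, 2**107 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
ELL = 16      # messages m_i in {0,1}^ELL
K = 4         # bases a_1..a_4 carry (sk, r, name, period)


def is_prime(n):
    """Trial division; only used for the 18-bit exponents e."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def keygen(rng):
    """Public key n, a_1..a_K, b, d in QR_n; secret key phi(n) (the factorisation)."""
    qr = lambda: pow(rng.randrange(2, N - 1), 2, N)
    return {"n": N, "a": [qr() for _ in range(K)], "b": qr(), "d": qr()}, {"phi": PHI}


def sign(pk, sk, msgs, rng, commitment=1):
    """Return (c, e, s) with d = c^e * commitment * prod a_i^{m_i} * b^s (mod n).
    A None entry in msgs is a hidden message whose a_i^{m_i} factor the user
    folded into `commitment` (issuance on hidden messages); default: none hidden."""
    n = pk["n"]
    assert len(msgs) == K and all(m is None or 0 <= m < 2**ELL for m in msgs)
    while True:                                   # random prime 2^(ELL+1) < e < 2^(ELL+2)
        e = rng.randrange(2**(ELL + 1) + 1, 2**(ELL + 2)) | 1
        if is_prime(e) and gcd(e, sk["phi"]) == 1:
            break
    s = rng.getrandbits(n.bit_length())           # random integer s ~ n
    acc = commitment * pow(pk["b"], s, n) % n
    for a_i, m in zip(pk["a"], msgs):
        if m is not None:
            acc = acc * pow(a_i, m, n) % n
    c = pow(pk["d"] * pow(acc, -1, n) % n, pow(e, -1, sk["phi"]), n)   # e-th root
    return c, e, s


def verify(pk, sig, msgs):
    """Check m_i in {0,1}^ELL, e > 2^(ELL+1) and d = c^e prod a_i^{m_i} b^s (mod n)."""
    c, e, s = sig
    n = pk["n"]
    if len(msgs) != K or e <= 2**(ELL + 1) or not all(0 <= m < 2**ELL for m in msgs):
        return False
    lhs = pow(c, e, n) * pow(pk["b"], s, n) % n   # a negative s means b^{-|s|}
    for a_i, m in zip(pk["a"], msgs):
        lhs = lhs * pow(a_i, m, n) % n
    return lhs == pk["d"]


def randomize(pk, sig, rng):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    t = rng.getrandbits(pk["n"].bit_length())
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


def user_commit(pk, hidden, rng):
    """C = prod a_i^{m_i} b^{s'} over the hidden messages. (The user's PK that C is
    well formed, which accompanies C in the real protocol, is omitted here.)"""
    n = pk["n"]
    s1 = rng.getrandbits(n.bit_length())
    C = pow(pk["b"], s1, n)
    for a_i, m in zip(pk["a"], hidden):
        C = C * pow(a_i, m, n) % n
    return C, s1


def demo(seed=2014):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    user_sk, r, name, period = 12345, 4242, 31337, 2015      # all < 2^ELL
    C, s1 = user_commit(pk, [user_sk, r], rng)               # sk and r stay hidden
    c, e, s2 = sign(pk, sk, [None, None, name, period], rng, commitment=C)
    cred = (c, e, s1 + s2)                                   # user adds her own s'
    shown = randomize(pk, cred, rng)                         # fresh-looking copy to show
    # "zeroth solution": issuer re-signs the stored commitment for the next period
    c2, e2, s3 = sign(pk, sk, [None, None, name, period + 1], rng, commitment=C)
    renewed = (c2, e2, s1 + s3)
    return {
        "cred_ok": verify(pk, cred, [user_sk, r, name, period]),
        "randomized_ok": verify(pk, shown, [user_sk, r, name, period]),
        "randomized_differs": shown[0] != cred[0],
        "wrong_name_rejected": not verify(pk, cred, [user_sk, r, name + 1, period]),
        "renewed_ok": verify(pk, renewed, [user_sk, r, name, period + 1]),
        "old_period_rejected": not verify(pk, renewed, [user_sk, r, name, period]),
    }


if __name__ == "__main__":
    print(demo())
```

The issuer never sees `user_sk` or `r`; it only stores `C` and the name, which is also all it needs to push out the renewed `(c_i, e_i, s_i'')` for the next period.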
(Slide footer: October 28, 2014, © 2013 IBM Corporation)

An Example Scenario

Polling: Scenario and Requirements
• Scenario: pollster(s) and a number of users.
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
• A user can voice her opinion only once (subsequent attempts are dropped).
• Users want to be anonymous: a user's opinions in different polls must not be linkable.

Polling: Solution, Registration
• The user generates a pseudonym (ID for registration).
• The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^{e} a_1^{sk} a_2^{r} a_3^{\mathit{attr}} b^{s} \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
• The credential can contain attributes (e.g. the course ID) about her.

Polling: Solution, Submit Poll
1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms the credential.
3. The user presents the transformed credential with a subset of the attributes:
   – the user is anonymous and unlinkable,
   – multiple opinions are detected because the domain pseudonym is unique per user and poll.

Polling: Solution, Polling
1. Domain pseudonym $P = g_d^{sk} = H(\mathit{pollID})^{sk}$; $P_1 = H(\mathit{pollID}_1)^{sk}$ and $P_2 = H(\mathit{pollID}_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential, $c' = c\, b^{t} \bmod n$ with randomly chosen $t$, and sends
   $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \ \wedge\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}(\mathit{opinion})$,
   a signature proof of knowledge that signs the opinion with the credential and ties $P$ to the same $sk$.
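The discrete-log side of this polling scenario as an added example (my code, not the slides' or Identity Mixer's): the pseudonym $\mathit{Nym} = g^{sk} h^{r}$ and commitment proof from the building-block slides, the domain pseudonym $P = H(\mathit{pollID})^{sk}$, an ElGamal encryption of $\mathit{Nym}$ under an inspector key as in the inspection concept, and one Fiat–Shamir proof tying the same $sk$ to all three in place of the SPK above (the CL-signature conjunct is left out). The 128-bit safe-prime group, the hash-to-group rule, the function names, the registry table and the poll IDs are assumptions made for this demo:

```python
"""Polling with an inspectable pseudonym: the discrete-log side (toy parameters)."""
import hashlib
import random

def is_probable_prime(n, rng, rounds=16):
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):   # cheap filter first
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                          # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def hash_to_group(p, label):
    """Square a hash so the result lies in QR_p, the subgroup of prime order q."""
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % p, 2, p)

def setup(bits=128, seed=1):
    """Safe prime p = 2q+1 (toy size; use >= 2048 bits or a curve for real) and
    generators g, h of QR_p with log_g h unknown to everyone."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    g = pow(rng.randrange(2, p - 1), 2, p)
    return {"p": p, "q": q, "g": g, "h": hash_to_group(p, b"base h")}

def challenge(q, *items):
    """Fiat-Shamir challenge over all public values, the signed opinion included."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(i).encode() for i in items)).digest(), "big") % q

def make_token(G, y, sk, r, poll_id, opinion, rng):
    """User: Nym = g^sk h^r, P = H(pollID)^sk, enc = (y^u Nym, g^u) and
    SPK{(mu,rho,u): Nym = g^mu h^rho & P = g_d^mu & e1 = y^u g^mu h^rho & e2 = g^u}(opinion)."""
    p, q, g, h = G["p"], G["q"], G["g"], G["h"]
    g_d = hash_to_group(p, b"poll:" + poll_id)
    nym = pow(g, sk, p) * pow(h, r, p) % p
    P = pow(g_d, sk, p)
    u = rng.randrange(1, q)
    e1, e2 = pow(y, u, p) * nym % p, pow(g, u, p)
    t_sk, t_r, t_u = (rng.randrange(1, q) for _ in range(3))      # prover randomness
    T1 = pow(g, t_sk, p) * pow(h, t_r, p) % p
    T2 = pow(g_d, t_sk, p)
    T3 = pow(y, t_u, p) * T1 % p
    T4 = pow(g, t_u, p)
    c = challenge(q, g, h, g_d, y, nym, P, e1, e2, T1, T2, T3, T4, opinion)
    z = ((t_sk + c * sk) % q, (t_r + c * r) % q, (t_u + c * u) % q)  # responses
    return {"nym": nym, "P": P, "enc": (e1, e2), "c": c, "z": z, "opinion": opinion}

def verify_token(G, y, poll_id, tok):
    """Verifier recomputes the T_i from the responses and rechecks the challenge."""
    p, q, g, h = G["p"], G["q"], G["g"], G["h"]
    g_d = hash_to_group(p, b"poll:" + poll_id)
    nym, P, (e1, e2), c, (z_sk, z_r, z_u) = tok["nym"], tok["P"], tok["enc"], tok["c"], tok["z"]
    neg = q - c                       # v^(q-c) = v^(-c) for elements of order q
    T1 = pow(g, z_sk, p) * pow(h, z_r, p) * pow(nym, neg, p) % p
    T2 = pow(g_d, z_sk, p) * pow(P, neg, p) % p
    T3 = pow(y, z_u, p) * pow(g, z_sk, p) * pow(h, z_r, p) * pow(e1, neg, p) % p
    T4 = pow(g, z_u, p) * pow(e2, neg, p) % p
    return c == challenge(q, g, h, g_d, y, nym, P, e1, e2, T1, T2, T3, T4, tok["opinion"])

def inspect(G, x, enc, registry):
    """Inspector decrypts Nym = e1 * e2^(-x) and looks it up in the issuer's table."""
    e1, e2 = enc
    return registry.get(e1 * pow(e2, G["q"] - x, G["p"]) % G["p"])

def demo():
    G = setup()
    p, q, g, h = G["p"], G["q"], G["g"], G["h"]
    rng = random.Random(42)
    x = rng.randrange(1, q)                    # inspector's secret key; y = g^x is public
    y = pow(g, x, p)
    sk, r = rng.randrange(1, q), rng.randrange(1, q)
    registry = {pow(g, sk, p) * pow(h, r, p) % p: "Alice Doe"}   # issuer's (Nym, name) table
    t1 = make_token(G, y, sk, r, b"course-eval-2015", b"great course", rng)
    t2 = make_token(G, y, sk, r, b"course-eval-2015", b"voting twice", rng)
    t3 = make_token(G, y, sk, r, b"library-survey", b"more seats", rng)
    forged = dict(t1, opinion=b"terrible course")               # tampered signed message
    return {
        "token_ok": verify_token(G, y, b"course-eval-2015", t1),
        "double_vote_detected": t1["P"] == t2["P"],            # same domain pseudonym
        "unlinkable_across_polls": t1["P"] != t3["P"] and t1["enc"] != t3["enc"],
        "tampered_rejected": not verify_token(G, y, b"course-eval-2015", forged),
        "inspection": inspect(G, x, t1["enc"], registry),
    }
```

The pollster stores only `P` per poll, which is why the second token for the same poll is caught while the library-survey token cannot be matched to either; the inspector alone, holding `x`, can turn `enc` back into the registered pseudonym.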
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious Transfer with Access Control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Vol. 16, No. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
References
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Signature Scheme Functionality
– Key generation: the signer creates a secret signing key and a public verification key.
– Signing: on messages (m1, …, mk) the signer uses her secret key to compute σ = sig((m1, …, mk)).
– Verification: anyone holding the public key checks ver(σ, (m1, …, mk)) = true.
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack
– The adversary adaptively asks the signer for signatures σ1, …, σl on messages m1, …, ml of its choice.
– It wins if it outputs σ and m ≠ mi (for all i) s.t. ver(σ, m) = true.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ.
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1); s = H(m)^d mod n.
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n).
RSA Signature Scheme – for reference
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n).
We want to do a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}.
But this is not a valid proof expression :-( (H(m) is not an algebraic expression in the secret m, so the discrete-logarithm based proof techniques do not apply to it).
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n. Secret key: factors of n.
To sign k messages m1, …, mk ∈ {0,1}^ℓ: choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute
c = (d / (a1^{m1} ··· ak^{mk} b^s))^{1/e} mod n
Signature is (c, e, s).
To verify a signature (c, e, s) on messages m1, …, mk: check m1, …, mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}, and d = c^e a1^{m1} ··· ak^{mk} b^s mod n.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall d = c^e a1^{m1} a2^{m2} b^s mod n.
Observe: let c' = c b^t mod n with randomly chosen t. Then d = c'^e a1^{m1} a2^{m2} b^{s-et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m1 and m2.
To prove knowledge of signature (c', e, s') on m2 and some m1: provide c' and
PK{(ε, μ1, σ): d / a2^{m2} = c'^ε a1^{μ1} b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε a1^{μ1} a2^{m2} b^σ.
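As an added example (not code from the deck or from Identity Mixer), here is a toy Python implementation of the CL-signature slides above: signing with the trapdoor e-th root, verification, and the randomization c' = c b^t, s' = s - et that lets a signature be shown without being linkable. The modulus factors, the attribute values and the 16-bit message length are constructed placeholders, and the trial-division primality test is only adequate at this toy size.

```python
import random

# Toy CL-signature (added example). Message length ell and the bound on e
# follow the slides: m_i < 2^ell and 2^(ell+1) < e < 2^(ell+2).

def is_prime(n):
    """Trial division; adequate for the small numbers used in this demo."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def random_prime(lo, hi):
    """Random prime in [lo, hi) by rejection sampling."""
    while True:
        cand = random.randrange(lo, hi) | 1
        if is_prime(cand):
            return cand

class CLIssuer:
    """Signer: public key (n, a_1..a_k, b, d), secret key = factors of n."""

    def __init__(self, k, ell):
        p, q = 15485863, 32452843           # constructed toy factors, checked below
        assert is_prime(p) and is_prime(q)
        self.ell = ell
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.a = [self._square() for _ in range(k)]
        self.b, self.d = self._square(), self._square()

    def _square(self):
        """Random element of QR_n, as the slides require for a_i, b, d."""
        return pow(random.randrange(2, self.n - 1), 2, self.n)

    def public_key(self):
        return (self.n, self.a, self.b, self.d, self.ell)

    def sign(self, msgs):
        """Return (c, e, s) with d = c^e * prod a_i^{m_i} * b^s (mod n)."""
        assert len(msgs) == len(self.a) and all(0 <= m < 2 ** self.ell for m in msgs)
        while True:                         # prime e in the slide's range, coprime to phi(n)
            e = random_prime(2 ** (self.ell + 1) + 1, 2 ** (self.ell + 2))
            if self.phi % e:
                break
        s = random.randrange(self.n // 2, self.n)   # "integer s of about the size of n"
        base = pow(self.b, s, self.n)
        for a_i, m_i in zip(self.a, msgs):
            base = base * pow(a_i, m_i, self.n) % self.n
        target = self.d * pow(base, -1, self.n) % self.n   # d / (prod a_i^{m_i} b^s)
        c = pow(target, pow(e, -1, self.phi), self.n)       # e-th root via the trapdoor
        return (c, e, s)

def cl_verify(pk, msgs, sig):
    """Verifier: message range, e > 2^(ell+1), and d == c^e prod a_i^{m_i} b^s (mod n)."""
    n, a, b, d, ell = pk
    c, e, s = sig
    if len(msgs) != len(a) or not all(0 <= m < 2 ** ell for m in msgs) or e <= 2 ** (ell + 1):
        return False
    lhs = pow(c, e, n) * pow(b, s, n) % n   # pow() accepts a negative s via the inverse of b
    for a_i, m_i in zip(a, msgs):
        lhs = lhs * pow(a_i, m_i, n) % n
    return lhs == d

def randomize(pk, sig):
    """(c', e, s') = (c b^t, e, s - e t): a fresh-looking signature on the same messages."""
    n, _, b, _, _ = pk
    c, e, s = sig
    t = random.randrange(1, n)
    return (c * pow(b, t, n) % n, e, s - e * t)

def demo():
    issuer = CLIssuer(k=2, ell=16)
    pk = issuer.public_key()
    attrs = [0x1234, 0xBEEF]                # constructed sample attributes, both < 2^16
    sig = issuer.sign(attrs)
    sig2 = randomize(pk, sig)
    return (cl_verify(pk, attrs, sig),      # original signature verifies
            cl_verify(pk, attrs, sig2),     # randomized copy verifies too ...
            sig2[0] != sig[0],              # ... but shows a different c
            cl_verify(pk, [0x1234, 0xBEEE], sig))  # a changed attribute is rejected
```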
Privacy-protecting authentication with Privacy ABCs
Building blocks on Alice's side: signature scheme, commitment scheme, zero-knowledge proofs.
Commitment scheme
Commitment Scheme Functionality
[Figure: Alice puts message m into a locked box (the commitment) and hands it over; later she reveals the combination (the opening), and the verifier sees that the box contains m.]
Commitment Scheme Security
– Binding: a commitment cannot later be opened to two different messages m ≠ m'.
– Hiding: for all messages m, m', commitments to m and to m' look the same, i.e. the commitment reveals no information about its content.
Commitment Schemes
Group G = ⟨g⟩ = ⟨h⟩ of order q.
To commit to element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open commitment: • reveal x and r to verifier • verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r.
Perfectly hiding: let c be a commitment and u = log_g h. Thus c = g^x h^r = g^{x+ur} = g^{x' + u(r + (x-x')/u)} = g^{x'} h^{r + (x-x')/u} for any x'. I.e., given c and any x', there exists r' = r + (x-x')/u such that c = g^{x'} h^{r'}.
Computationally binding: let c, (x, r) and (x', r') be s.t. c = g^x h^r = g^{x'} h^{r'}. Then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q, i.e. two openings reveal the discrete logarithm of h to base g.
Commitment Scheme Extended Features
– Proof of knowledge of contents: the committer proves she knows the message m inside a commitment without opening it; the verifier learns only "true".
– Proof of relations among contents: e.g. prove that the message m' in a second commitment satisfies m' = 2·m.
Let C1 = g^m h^r and C2 = g^{m'} h^{r'}; then
PK{(α, β): C1 = g^β h^α}
PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
Putting things together
Realizing Pseudonyms and Key Binding
Let G = ⟨g⟩ = ⟨h⟩ of order q.
User's secret key: random sk ∈ Z_q.
To compute a pseudonym Nym: – choose random r ∈ Z_q – compute Nym = g^{sk} h^r
Like PKI, but better: issuing a credential
Privacy-protecting authentication with Privacy ABCs – concept: credentials
[Figure: a credential issued to Alice carrying the attributes Name = Alice Doe, Birth date = April 3, 1997.]
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, …, mk: – m1, …, mk ∈ {0,1}^ℓ – e > 2^{ℓ+1} – d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Problem: pseudonym not in message space.
Solution: sign secret key instead → d = c^e a1^{sk} a2^{m2} ··· ak^{mk} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives the messages m1, …, mj only inside a commitment, together with the clear messages (m_{j+1}, …, mk), and computes σ = sig((commitment, m_{j+1}, …, mk)); the recipient ends up with a signature on all of m1, …, mk.
Verification remains unchanged: ver(σ, (m1, …, mk)) = true.
Security requirements basically the same as for signatures, but
• signer should not learn any information about m1, …, mj
• forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
Issuer public key: n, a_i, b, d.
1. User computes C = a1^{sk} b^{s'} and sends C and her name to the issuer, together with the proof PK{(μ1, σ'): C = a1^{μ1} b^{σ'}}.
2. Issuer computes c = (d / (C a2^{name} b^{s''}))^{1/e} mod n and returns (c, e, s'').
3. User's credential: d = c^e a1^{sk} a2^{name} b^{s'' + s'} (mod n).
Want to sign w.r.t. Nym = g^{sk} h^r:
1. User computes C = a1^{sk} a2^r b^{s'} and sends C, Nym and name, together with the proof PK{(μ1, ρ, σ'): Nym = g^{μ1} h^ρ ∧ C = a1^{μ1} a2^ρ b^{σ'}}.
2. Issuer computes c = (d / (C a3^{name} b^{s''}))^{1/e} mod n, returns (c, e, s'') and stores (Nym, name).
3. User's credential: d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n).
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users. Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation). A user can voice an opinion only once (subsequent attempts are dropped). Users want to be anonymous. A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
User generates pseudonym (ID for registration). User obtains credential on pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e a1^{sk} a2^r a3^{attr} b^s (mod n)
Credential can contain attributes (e.g., course ID) about her. Issuer public key: (n, a1, a2, a3, b, d).
Polling – Solution: Submit Poll
1. User generates domain pseudonym, domain = pollID.
2. User transforms credential.
3. Transformed credential with a subset of the attributes – user is anonymous and unlinkable – multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}. P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms credential: – c' = c b^{s'} mod n with randomly chosen s' – SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts
Concept – Inspection
[Figure: a trusted third party (TTP), the inspector, publishes inspector parameters; the presentation token Alice sends to the verifier contains an encryption of her identity under those parameters together with the inspection grounds.]
• If the car is damaged, the ID needs to be retrieved with the insurance or the government.
• Similarly, verifiably encrypt any certified attribute (optional).
• TTP is off-line & can be distributed to lessen trust.
Public Key Encryption
[Figure: key generation, encryption, decryption.]
Security: like envelopes – no information about the message. A ciphertext of m and a ciphertext of m' cannot be told apart. This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
Label is important to bind context to an encryption. E.g., defines decryption condition, binds user to car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithm): – Camenisch-Shoup (SRSA) – based on Paillier encryption
Of pseudonyms (group elements): – Cramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which a ZKPK exists): – Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group G = ⟨g⟩ of order q.
Secret key: x ∈ {1, …, q}. Public key: y = g^x.
To encrypt message m ∈ ⟨g⟩: – choose random r ∈ {1, …, q} – compute c = (y^r m, g^r)
To decrypt ciphertext c = (c1, c2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c1 c2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
Alice holds Nym = g^{sk} h^r and the credential d = c^e a1^{sk} a2^r a3^{name} b^{s'' + s'} (mod n); the inspector's public key is y = g^x.
Encrypt Nym: random u ∈ {1, …, q} and enc = (y^u Nym, g^u) = (e1, e2). Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t – compute proof
PK{(ε, μ1, μ2, μ3, σ, ρ): d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ ∧ e1 = y^ρ g^{μ1} h^{μ2} ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
The proof ties the encrypted value to the sk and r inside the credential, so what the inspector decrypts is exactly Alice's Nym.
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up.]
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: user lost credential / secret key, misbehavior of user.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish list of all valid (or invalid) u_i's: (u1, …, uk)
Alice proves that her u_i is on the list: – choose random g – compute Uj = g^{uj} for uj in (u1, …, uk) – prove
PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U1 = g^μ) ∨ … ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ Uk = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID u_i as message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s'' + s'} (mod n)
Publish list of all invalid u_i's: (u1, …, uk)
Alice proves that her u_i is not on the list: – choose random h and compute U = h^{u_i} – prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ} – verifier checks whether U ≠ h^{uj} for all uj on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while. Can pre-compute list Ui = h^{ui} → single table lookup. BUT if the user comes again, the verifier can link. ALSO the verifier could not change h at all, or use the same h as other verifiers. – One way out: h = H(verifier, date), so the user can check correctness – date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – … better implementation of proof
[Figure: revocation list {1, 4, 5}; the issuer signs the gaps between revoked values, Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); Alice's credential contains the value 3 and she shows that it lies inside one signed interval.]
Issuer signs intervals between revoked values → revocation list {1, 4, 5}.
Alice's credential contains a value (here 3); she proves knowledge of i, j and Sig(i, j) such that i < 3 < j. Verifier does not learn i, j.
Sig(i, j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators
[Figure: credentials carry random serial numbers 1, …, 6; the issuer accumulates all good serial numbers into one value; Alice proves that her serial number (here 2) is included in the accumulator, which requires a witness.]
– Credentials contain a random serial number.
– Issuer accumulates all good serial numbers.
– Proof that a serial number is included requires a witness.
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate: – values are primes e_i – accumulator value z = v^{Π e_i} mod n – publish z and n – witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e1 ··· e_{j-1} · e_{j+1} ··· ek} mod n
Show that your value e is contained in the accumulator: – provide x for e – verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of accumulator: it must be infeasible to show a pair (x, e) with z = x^e mod n for an e that is not contained in the accumulator.
– For fixed e: equivalent to the RSA assumption – any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator: – commit to x
• choose random s and g, and • compute U1 = x h^s, U2 = g^s and reveal U1, U2, g
– run proof-protocol with verifier: PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}
Analysis: – no information about x and e is revealed
• (U1, U2) is a secure commitment to x • proof-protocol is zero-knowledge
– proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δμ
b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δμ} = (U1 h^{-δ})^μ (mod n), i.e. U1 h^{-δ} is a witness for μ
c) d = c^ε a1^ρ a2^μ b^σ (mod n), i.e. the same μ is the e in the credential
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– recall z = v^{Π e_i} mod n
– thus z' = z^{e_new} mod n
– but then all witnesses are no longer valid, i.e. need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
– now z' = v^{Π e_i} = z^{1/e_rev} mod n
– witness:
• use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
• now x' = x^b z'^a mod n
• why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n = ((x^b z'^a)^{e_own · e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b·e_rev} (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n = (z^{b·e_rev} z^{a·e_own})^{1/e_rev} mod n = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– recall z = v^{Π e_i} mod n – actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
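Added example (not the deck's or the Camenisch-Lysyanskaya paper's code) of the RSA accumulator from the preceding slides: accumulating prime serial numbers, issuing witnesses with the trapdoor as on the "improved" slide, and the two user-side witness updates (x' = x^{e_new} after a join, x' = x^b z'^a via extended Euclid after a revocation). The modulus factors and the 20-bit serial-number primes are constructed toy values.

```python
import random

# Toy RSA accumulator (added example). The modulus is two small known primes so
# the demo is instant; a real accumulator uses a ~2048-bit modulus whose factors
# only the issuer holds.

def is_prime(n):
    """Trial division; adequate for the small numbers used here."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

class Accumulator:
    """Issuer side: holds the factors of n; members hold primes e_i and witnesses x_i."""
    def __init__(self):
        p, q = 15485863, 32452843          # constructed toy factors, checked below
        assert is_prime(p) and is_prime(q)
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.v = pow(random.randrange(2, self.n - 1), 2, self.n)   # seed v in QR_n
        self.members = []                  # accumulated primes e_i
        self.z = self.v                    # z = v^{prod e_i} mod n

    def fresh_prime(self, bits=20):
        """Random prime e not yet accumulated and not dividing phi(n), so 1/e mod phi(n) exists."""
        while True:
            e = random.randrange(2 ** (bits - 1), 2 ** bits) | 1
            if is_prime(e) and self.phi % e and e not in self.members:
                return e

    def add(self, e):
        """Basic variant: z' = z^e; every existing witness must become x' = x^e."""
        self.members.append(e)
        self.z = pow(self.z, e, self.n)
        return self.z

    def witness(self, e):
        """Issuer shortcut from the 'improved' slide: x = z^{1/e} mod n via the trapdoor."""
        assert e in self.members
        return pow(self.z, pow(e, -1, self.phi), self.n)

    def revoke(self, e_rev):
        """z' = z^{1/e_rev} mod n: the e_rev-th root needs the factorization of n."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, self.phi), self.n)
        return self.z

def verify(n, z, e, x):
    """Verifier: e is accumulated iff e is prime and z == x^e (mod n)."""
    return is_prime(e) and pow(x, e, n) == z

def update_witness_after_add(n, x, e_new):
    """Public update after a join: x' = x^{e_new} mod n."""
    return pow(x, e_new, n)

def update_witness_after_revoke(n, x, z_new, e_own, e_rev):
    """Public update after a revocation, as on the slide: find a, b with
    a*e_own + b*e_rev = 1 and set x' = x^b * z_new^a mod n (negative exponents
    are handled by pow() through modular inverses)."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1
    return pow(x, b, n) * pow(z_new, a, n) % n

def demo():
    acc = Accumulator()
    n = acc.n
    e_alice = acc.fresh_prime()
    acc.add(e_alice)
    e_bob = acc.fresh_prime()
    acc.add(e_bob)
    x_alice = acc.witness(e_alice)
    out = {"alice_ok": verify(n, acc.z, e_alice, x_alice)}
    e_carol = acc.fresh_prime()
    acc.add(e_carol)                                  # Carol joins
    out["stale_after_join"] = verify(n, acc.z, e_alice, x_alice)
    x_alice = update_witness_after_add(n, x_alice, e_carol)
    out["repaired_after_join"] = verify(n, acc.z, e_alice, x_alice)
    x_bob = acc.witness(e_bob)
    z_new = acc.revoke(e_bob)                         # Bob is revoked
    x_alice = update_witness_after_revoke(n, x_alice, z_new, e_alice, e_bob)
    out["alice_after_revoke"] = verify(n, z_new, e_alice, x_alice)
    out["bob_after_revoke"] = verify(n, z_new, e_bob, x_bob)
    return out
```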
Revocation: Zeroth Solution
Update of credentials: encode validity time as an attribute.
– No additional effort for the verifier
– If the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a1^{m1} a2^{m2} b^{s'}; the issuer chooses e, s'' and computes c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n and returns (c, e, s'').
Idea: just repeat the last step for each new time period time_i: choose e_i, s_i'' and compute c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n.
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap – explain possibilities to engineers, policy makers, etc. – usable prototypes – provide transparency – public infrastructure for privacy protection – laws with teeth (encourage investment in privacy)
Challenges – Internet services get paid with personal data (inverse incentive) – end users are not able to handle their data (user interfaces) – security technology typically invisible and hard to sell
Towards a secure information society – society changes quickly and gets shaped by technology – consequences are hard to grasp (time will show) – we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links: – www.abc4trust.eu – www.futureID.eu – www.au2eu.eu – www.PrimeLife.eu – www.zurich.ibm.com/idemix – idemixdemo.zurich.ibm.com
Code: – github.com/p2abcengine & abc4trust.eu/idemix
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Setting: the user holds $Nym = g^{sk} h^r$ and a credential with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt Nym: choose random $u \in \{1, \dots, q\}$ and compute $enc = (y^u \cdot Nym,\ g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c \cdot b^t \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \ \wedge\ e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \ \wedge\ e_2 = g^{\rho} \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
The second and third equations tie the ciphertext to the pseudonym $g^{\mu_1} h^{\mu_2}$ formed from the same $sk$ and $r$ that are signed in the credential, so the inspector is guaranteed to recover the right Nym.
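Added example, not the talk's or idemix's code: a pseudonym $Nym = g^{sk} h^r$ is ElGamal-encrypted under the inspector's key exactly as on the slide, and the inspector decrypts it and looks the pseudonym up in the (Nym, name) registry the issuer keeps. The toy group, the secret keys, the registry and the names are constructed assumptions; the zero-knowledge proof that the ciphertext contains the pseudonym from the credential is omitted.

```python
"""Inspection via ElGamal encryption of a pseudonym.

Added example, not the talk's or idemix's code.  Toy group: the order-q
subgroup of Z_p^* with p = 2q + 1 = 2039, q = 1019 (constructed; far too
small to be secure, chosen so the arithmetic can be followed by hand).
"""
import random

P, Q = 2039, 1019     # p = 2q + 1, both prime (constructed toy values)
G, H = 4, 9           # two quadratic residues, hence generators of the order-q subgroup;
                      # log_g(h) is assumed unknown to the user (Pedersen-style base h)


def in_subgroup(x):
    """Inspector-side sanity check: x must be an element of <g>."""
    return 0 < x < P and pow(x, Q, P) == 1


def pseudonym(sk, r):
    """Nym = g^sk h^r  (a Pedersen commitment to the user's secret key)."""
    return pow(G, sk, P) * pow(H, r, P) % P


def inspector_keygen(rng):
    """Secret key x in [1, q), public key y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt_nym(y, nym, rng):
    """enc = (y^u * Nym, g^u) = (e1, e2) for random u in [1, q)."""
    u = rng.randrange(1, Q)
    return pow(y, u, P) * nym % P, pow(G, u, P)


def decrypt_nym(x, enc):
    """Nym = e1 * e2^(-x): y^u Nym g^(-xu) = g^(xu - xu) Nym."""
    e1, e2 = enc
    if not (in_subgroup(e1) and in_subgroup(e2)):
        raise ValueError("ciphertext components are not in the group")
    return e1 * pow(pow(e2, x, P), -1, P) % P


def inspect(x, enc, registry):
    """Recover the pseudonym and map it to the identity the issuer stored."""
    return registry.get(decrypt_nym(x, enc))


def demo():
    rng = random.Random(2015)                      # fixed seed: reproducible toy run
    x, y = inspector_keygen(rng)                   # inspector (TTP) key pair
    # Registration: the issuer stores (Nym, name), as on the issuance slides
    users = {"Bob Roe": (77, 23), "Alice Doe": (42, 17)}   # constructed (sk, r)
    registry = {pseudonym(sk, r): name for name, (sk, r) in users.items()}
    # Presentation: Alice encrypts her Nym under y; the verifier only sees (e1, e2)
    sk, r = users["Alice Doe"]
    enc = encrypt_nym(y, pseudonym(sk, r), rng)
    # Inspection grounds are met (e.g. the car was damaged): the inspector opens it
    return inspect(x, enc, registry), enc


if __name__ == "__main__":
    name, enc = demo()
    print("ciphertext:", enc, "-> inspector recovers:", name)
```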
Revocation of credentials
Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Alice should be able to convince the verifier that her credential is among the good ones.
There are various reasons to revoke a credential: the user lost the credential (secret key), or the user misbehaved.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \dots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_1 = g^{\mu}) \ \vee\ \dots \ \vee\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U = h^{\mu}\}$
– the verifier checks whether $U = h^{u_j}$ for some $u_j$ on the list (and rejects if so)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution (variation)
Variation: the verifier could choose $h$ and keep it fixed for a while.
– Can pre-compute the list $U_j = h^{u_j}$ → a single table lookup.
– BUT if the user comes again, the verifier can link the two visits; ALSO, the verifier could decide not to change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(verifier, date)$, so the user can check its correctness; date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
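Added example, not from the talk or from idemix: the second solution's check of $U = h^{u_i}$ against the list of invalid IDs, with the verifier base $h = H(verifier, date)$ derived as the slide suggests, and a run showing why a base that never changes lets the verifier link two visits by the same user. The group, identifiers, dates and revocation list are constructed toy values; the proof $PK$ tying $u_i$ to the credential is omitted.

```python
"""Revocation-list check with U = h^{u_i} (second solution).

Added example, not the talk's or idemix's code.  Toy order-q subgroup of
Z_p^* with p = 2039, q = 1019 (constructed, insecure sizes).
"""
import hashlib

P, Q = 2039, 1019


def verifier_base(verifier_id, date):
    """h = H(verifier, date) mapped into the order-q subgroup, so that the
    user can recompute it and check the verifier did not pick a special h."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{verifier_id}|{date}|{counter}".encode()).digest()
        h = pow(int.from_bytes(digest, "big") % P, (P - 1) // Q, P)   # cofactor clearing
        if h > 1:
            return h
        counter += 1          # vanishingly rare: rehash with a counter


def present(h, u_i):
    """User side: U = h^{u_i}; the ZK proof tying u_i to the credential is omitted."""
    return pow(h, u_i, P)


def revocation_table(h, revoked):
    """Verifier pre-computes U_j = h^{u_j} for the published invalid IDs."""
    return {pow(h, u_j, P) for u_j in revoked}


def accepted(U, h, revoked):
    """Linear work for the verifier (a single lookup once the table is cached)."""
    return U not in revocation_table(h, revoked)


def two_visits(u_i, revoked, date1, date2, verifier="verifier-42"):
    """Return (accepted on visit 1, accepted on visit 2, visits linkable?)."""
    h1, h2 = verifier_base(verifier, date1), verifier_base(verifier, date2)
    U1, U2 = present(h1, u_i), present(h2, u_i)
    return accepted(U1, h1, revoked), accepted(U2, h2, revoked), U1 == U2


REVOKED = [101, 202, 303]     # constructed list of invalid credential IDs u_j

if __name__ == "__main__":
    # fresh h per second: the two presentations of the same u_i look unrelated
    print(two_visits(555, REVOKED, "2015-08-11T09:00:00", "2015-08-11T09:00:01"))
    # revoked ID: rejected on both visits
    print(two_visits(202, REVOKED, "2015-08-11T09:00:00", "2015-08-11T09:00:01"))
    # h fixed for the whole day: identical U, the verifier can link the visits
    print(two_visits(555, REVOKED, "2015-08-11", "2015-08-11"))
```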
Revocable Credentials: Second Solution … a better implementation of the proof
The issuer signs the intervals between the revoked values → for the revocation list {1, 4, 5} it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N).
(figure: the user's credential contains the value 3, which lies in the interval (1, 4))
The user proves that her credential contains a value $u$ with $i < u < j$ and that she holds Sig($i$, $j$); the verifier does not learn $i$, $j$.
Sig($i$, $j$) can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
(figure: the accumulator contains the serial numbers 1–6; the user's credential contains serial number 2, and proving that 2 is included in the accumulator requires a witness)
– credentials contain a random serial number
– the issuer accumulates all good serial numbers
– the proof that the credential's serial number is included in the accumulator requires a witness
– to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– the witness value $x$ for $e_j$, s.t. $z = x^{e_j} \bmod n$, can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show $x$ and $e$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– For any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$
• compute $U_1 = x h^s$, $U_2 = g^s$ and reveal $U_1$, $U_2$, $g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n \ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the $e$ signed in the certificate
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– witness:
• use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• now $x' = x^{b} z'^{a} \bmod n$
• why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n$
$= ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n$
$= z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
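Added example, not the talk's or idemix's code: the dynamic RSA accumulator of the third solution, carried through the slides above with a toy modulus: accumulating primes, computing and verifying witnesses, joining without and with the trapdoor, revoking by taking an $e_{rev}$-th root, and the extended-Euclid witness update $x' = x^b z'^a$. The primes, the credential values $e_i$ and the seed are constructed assumptions; the proof protocol over a committed witness is omitted.

```python
"""Dynamic RSA accumulator for revocation (third solution), as on the slides.

Added example, not the talk's or idemix's code.  The modulus is a toy
(p, q are 10- and 11-bit safe primes, constructed); real deployments use a
modulus of thousands of bits, and the witness travels inside the credential.
"""
from math import gcd

P, Q = 1019, 1187                  # safe primes: 1019 = 2*509 + 1, 1187 = 2*593 + 1
N = P * Q
PHI = (P - 1) * (Q - 1)            # the issuer's trapdoor (factorization of n)


def pick_seed(start=2):
    """Seed v of full order in QR_n, so accumulator values never collapse."""
    v = start
    while True:
        v2 = v * v % N
        if gcd(v2, N) == 1 and pow(v2, 509, N) != 1 and pow(v2, 593, N) != 1:
            return v2
        v += 1


def accumulate(v, primes):
    """z = v^(prod e_i) mod n."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(v, primes, e_j):
    """x = v^(prod of all e_i except e_j), so that x^e_j = z."""
    return accumulate(v, [e for e in primes if e != e_j])


def verify(z, x, e):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, witnesses, e_new):
    """Issuer without trapdoor: z' = z^e_new, every witness x' = x^e_new,
    and the old z is the newcomer's witness (z^e_new = z')."""
    new_witnesses = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    new_witnesses[e_new] = z
    return pow(z, e_new, N), new_witnesses


def add_member_with_trapdoor(z, e_new):
    """Improved variant: z stays as it is, the newcomer gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, PHI), N)


def revoke(z, e_rev):
    """Issuer: z' = z^(1/e_rev) mod n (needs the factorization of n)."""
    return pow(z, pow(e_rev, -1, PHI), N)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def update_witness(x, e_own, z_new, e_rev):
    """Unrevoked holder after a revocation: a*e_own + b*e_rev = 1, then
    x' = x^b * z'^a, since x'^e_own = z'^(b e_rev + a e_own) = z'."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "distinct primes are coprime"
    return pow(x, b, N) * pow(z_new, a, N) % N     # negative exponents: Python >= 3.8


def demo():
    """Returns (unrevoked holders still verify, revoked witness rejected, newcomer verifies)."""
    v = pick_seed()
    members = [101, 103, 107]                      # constructed credential primes e_i
    z = accumulate(v, members)
    wit = {e: witness(v, members, e) for e in members}
    z, wit = add_member(z, wit, 109)               # a credential with e = 109 joins
    z_new = revoke(z, 103)                         # the credential with e = 103 is revoked
    remaining = {e: update_witness(x, e, z_new, 103) for e, x in wit.items() if e != 103}
    ok_rest = all(verify(z_new, x, e) for e, x in remaining.items())
    rejected = not verify(z_new, wit[103], 103)    # the revoked user cannot update
    newcomer = add_member_with_trapdoor(z_new, 113)  # improved join: z_new unchanged
    return ok_rest, rejected, verify(z_new, newcomer, 113)


if __name__ == "__main__":
    print(demo())
```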
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Recall issuing for Identity Mixer:
– the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– the issuer chooses $e, s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
– the issuer returns $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Idea: just repeat the last step for each new time $time_i$:
– choose $e_i, s_i''$
– $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Signature Scheme: Functionality
Signing: on input the messages $(m_1, \dots, m_k)$ and the signing key, output $\sigma = sig((m_1, \dots, m_k))$.
Verification: $ver(\sigma, (m_1, \dots, m_k)) = true$.
Signature Scheme: Security
Unforgeability under adaptive chosen message attack: the adversary adaptively asks for signatures $\sigma_1, \dots, \sigma_l$ on messages $m_1, \dots, m_l$ of its choice, and must then output $\sigma$ and $m \neq m_i$ s.t. $ver(\sigma, m) = true$.
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
We want to do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s):\ s^e = H(m) \pmod n\}$.
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$.
Secret key: the factors of $n$.
To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^{\ell}$:
– choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$
– compute $c = (d / (a_1^{m_1} \cdots a_k^{m_k} b^s))^{1/e} \bmod n$
The signature is $(c, e, s)$.
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k$: check $m_1, \dots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$ and $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$.
Observe: let $c' = c \cdot b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \ \wedge\ \mu_1 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$.
Privacy-protecting authentication with Privacy ABCs
Building blocks (figure: Alice with her credentials):
– signature scheme
– commitment scheme
– zero-knowledge proofs
Commitment scheme
Commitment Scheme: Functionality
(figure: the committer locks a message $m$ in a box and hands it over; later she opens the box and the receiver sees $m$)
Commitment Scheme: Security
Binding: (figure) a commitment cannot be opened to two different messages $m \neq m'$.
Hiding: for all messages $m, m'$, a commitment to $m$ and a commitment to $m'$ are indistinguishable (figure).
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r,\ g^r)$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks whether $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$. I.e., given $c$ and any $x'$, there exists $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ be such that $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$, i.e. opening a commitment in two ways reveals the discrete logarithm of $h$.
Commitment Scheme: Extended Features
(figure: proof of knowledge of the contents of a commitment; proof of a relation among the contents of two commitments, e.g. $m_2 = 2 \cdot m_1$)
Proof of Knowledge of Contents
Proof of Relations among Contents
Let $C_1 = g^{m_1} h^{r_1}$ and $C_2 = g^{m_2} h^{r_2}$, then
$PK\{(\alpha, \beta):\ C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma):\ C_1 = g^{\beta} h^{\alpha} \ \wedge\ C_2 = (g^2)^{\beta} h^{\gamma}\}$ proves $m_2 = 2 m_1$.
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs
Concept: credentials. Like PKI, but better.
Issuing a credential (figure: the issuer signs Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997).
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead → $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$.
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives a commitment to $m_1, \dots, m_j$ together with the clear messages $(m_{j+1}, \dots, m_k)$ and outputs $\sigma = sig((C(m_1, \dots, m_j), m_{j+1}, \dots, m_k))$. Verification remains unchanged: $ver(\sigma, (m_1, \dots, m_k)) = true$.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \dots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$.
Step 1 (user): choose random $s'$, compute $C = a_1^{sk} b^{s'}$, send $C$ and the name to the issuer, and prove $PK\{(\mu_1, \sigma'):\ C = a_1^{\mu_1} b^{\sigma'}\}$.
Step 2 (issuer): choose $e, s''$, compute $c = (d / (C a_2^{name} b^{s''}))^{1/e} \bmod n$ and return $(c, e, s'')$.
Step 3 (user): set $s = s'' + s'$; the credential satisfies $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.
Want to sign w.r.t. $Nym = g^{sk} h^r$:
– the user computes $C = a_1^{sk} a_2^{r} b^{s'}$ and proves $PK\{(\mu_1, \rho, \sigma'):\ Nym = g^{\mu_1} h^{\rho} \ \wedge\ C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
– the issuer stores $(Nym, name)$, computes $c = (d / (C a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
– the credential now satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
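Added example, not from the talk or from idemix: one toy CL-signature walk-through that serves the CL-signature slides (signing, verification, and randomisation with $c' = c\, b^t$, $s' = s - et$), the issuance protocol just described (signing the hidden $sk$ via $C = a_1^{sk} b^{s'}$ with $s = s' + s''$), and the zeroth revocation solution (re-issuing with a validity-time attribute by repeating the issuer's last step on the stored $C$). The modulus, bit lengths, attribute values and random seed are constructed toy values, and all zero-knowledge proofs are omitted.

```python
"""Toy CL signature (SRSA): issuance on a hidden attribute, verification,
re-randomisation, and re-issuance with a validity-time attribute.

Added example, not the talk's or idemix's code.  n = 1019 * 1187 and
l = 8-bit attributes are constructed toy parameters (completely insecure);
the proof PK{...} that the user's commitment C is well formed and the
proofs of knowledge of a signature are omitted.
"""
import random
from math import gcd

L = 8                                  # attributes are l-bit: m_i in {0,1}^l
P, Q = 1019, 1187                      # constructed safe primes = signer's secret key
N, PHI = P * Q, (P - 1) * (Q - 1)


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def random_qr(rng):
    """Random quadratic residue mod n (the bases a_i, b, d live in QR_n)."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return x * x % N


def keygen(k, rng):
    """Public key (n, a_1..a_k, b, d); the factors of n stay with the signer."""
    return {"a": [random_qr(rng) for _ in range(k)], "b": random_qr(rng), "d": random_qr(rng)}


def pick_e(rng):
    """Random prime e with 2^(l+1) < e < 2^(l+2), coprime to phi(n)."""
    while True:
        e = rng.randrange(2 ** (L + 1) + 1, 2 ** (L + 2))
        if is_prime(e) and gcd(e, PHI) == 1:
            return e


def commit(pk, sk, rng):
    """User: C = a_1^sk * b^s' hides sk from the issuer; returns (C, s')."""
    s1 = rng.randrange(N // 2, N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issue(pk, C, clear_msgs, rng):
    """Issuer: c = (d / (C * a_2^m_2 ... a_k^m_k * b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e, s2 = pick_e(rng), rng.randrange(N // 2, N)          # s'' about the size of n
    x = C
    for a, m in zip(pk["a"][1:], clear_msgs):
        x = x * pow(a, m, N) % N
    x = x * pow(pk["b"], s2, N) % N
    c = pow(pk["d"] * pow(x, -1, N) % N, pow(e, -1, PHI), N)   # e-th root via the trapdoor
    return c, e, s2


def verify(pk, sig, msgs):
    """d == c^e * prod a_i^m_i * b^s mod n, plus the range checks on e and the m_i."""
    c, e, s = sig
    if not 2 ** (L + 1) < e < 2 ** (L + 2) or any(not 0 <= m < 2 ** L for m in msgs):
        return False
    x = pow(c, e, N)
    for a, m in zip(pk["a"], msgs):
        x = x * pow(a, m, N) % N
    return x * pow(pk["b"], s, N) % N == pk["d"]


def randomize(pk, sig, rng):
    """(c * b^t, e, s - e*t) is another valid signature on the same messages."""
    c, e, s = sig
    t = rng.randrange(1, s // e)                            # keeps s - e*t positive, for simplicity
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def demo():
    rng = random.Random(11)                  # fixed seed: reproducible toy run
    pk = keygen(3, rng)                      # attributes: sk (hidden), name, validity time
    sk, name = 42, 17
    C, s1 = commit(pk, sk, rng)
    c, e, s2 = issue(pk, C, [name, 1], rng)             # credential valid in time slot 1
    cred = (c, e, s1 + s2)                              # user combines s = s' + s''
    fresh = randomize(pk, cred, rng)                    # what a verifier gets to see
    c2, e2, s22 = issue(pk, C, [name, 2], rng)          # zeroth solution: issuer repeats the
    cred2 = (c2, e2, s1 + s22)                          # last step on the stored C, pushes (c_i, e_i, s_i'')
    return (verify(pk, cred, [sk, name, 1]), verify(pk, fresh, [sk, name, 1]),
            fresh[0] != cred[0], verify(pk, cred, [sk, name, 2]), verify(pk, cred2, [sk, name, 2]))


if __name__ == "__main__":
    print(demo())
```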
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous: a user's opinions in different polls must not be linkable.
Polling – Solution: Registration
Issuer's public key: $(n, a_1, a_2, b, d)$.
– The user generates a pseudonym (ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$.
– The credential can contain attributes (e.g. the course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym, domain = pollID.
2. The user transforms the credential.
3. The transformed credential is shown with a subset of the attributes:
– the user is anonymous and unlinkable
– multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
– $c' = c \cdot b^{t} \bmod n$ with randomly chosen $t$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \ \wedge\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}(opinion)$
The signature proof of knowledge is computed over the opinion, so it binds the opinion to a credential whose secret key also forms $P$.
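Added example, not the talk's or idemix's code: the domain pseudonym $P = H(pollID)^{sk}$ of the polling solution and the pollster's duplicate detection on it. The toy group, the poll IDs, the secret keys and the opinions are constructed assumptions; the transformed credential and the $SPK\{\dots\}(opinion)$ are omitted, so only the uniqueness check is shown.

```python
"""Domain pseudonyms for the polling scenario: P = H(pollID)^sk.

Added example, not the talk's or idemix's code.  Toy order-q subgroup of
Z_p^* with p = 2039, q = 1019 (constructed, insecure sizes); poll IDs,
secret keys and opinions are constructed.  The transformed credential and
the signature proof of knowledge SPK{...}(opinion) are omitted.
"""
import hashlib

P, Q = 2039, 1019


def domain_base(poll_id):
    """g_d = H(pollID) as an element of the order-q subgroup (cofactor clearing)."""
    for counter in range(256):
        digest = hashlib.sha256(f"{poll_id}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, (P - 1) // Q, P)
        if g_d > 1:
            return g_d
    raise RuntimeError("could not hash into the subgroup")


def domain_pseudonym(sk, poll_id):
    """User side: P = g_d^sk.  The same sk always gives the same P within one poll."""
    return pow(domain_base(poll_id), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym; later attempts are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}                       # P -> opinion

    def submit(self, pseudonym, opinion):
        # Reject values that are not proper group elements (e.g. 0, 1, p - 1)
        if not 1 < pseudonym < P or pow(pseudonym, Q, P) != 1:
            return False
        if pseudonym in self.opinions:           # second attempt by the same user
            return False
        self.opinions[pseudonym] = opinion
        return True


def demo():
    """Returns (Alice's first vote accepted, her second dropped, Bob's accepted, #opinions)."""
    alice, bob = 123, 456                        # constructed secret keys sk
    poll = "course-eval-2015"
    course_eval = Pollster(poll)
    first = course_eval.submit(domain_pseudonym(alice, poll), "great")
    again = course_eval.submit(domain_pseudonym(alice, poll), "terrible")
    other = course_eval.submit(domain_pseudonym(bob, poll), "ok")
    return first, again, other, len(course_eval.opinions)


if __name__ == "__main__":
    print(demo())
```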
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J. Camenisch, A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84-88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
Camenisch, Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126-144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM.
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
J. Camenisch, V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Signature Scheme Security
Unforgeability under Adaptive Chosen Message Attack (figure): the adversary asks the signer for signatures $(m_1, \sigma_1), \ldots, (m_l, \sigma_l)$ on messages of its own choice and then has to output $\sigma$ and $m \neq m_i$ s.t. $\mathrm{ver}(\sigma, m) = \mathrm{true}$
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme – for reference
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
We would like to do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-( (the secret $s$ is the base rather than an exponent, and $H$ is not an algebraic relation)
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute $c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^s)\right)^{1/e} \bmod n$; the signature is $(c, e, s)$
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$ and $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe: let $c' = c\, b^t \bmod n$ with randomly chosen $t$. Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs
(figure: Alice at the centre, built from three building blocks: signature scheme, commitment scheme, zero-knowledge proofs)

Commitment scheme
Commitment Scheme Functionality (figure): the committer locks a message $m$ into a box (the commitment) and hands it over; later she opens the box and the receiver learns $m$
Commitment Scheme Security (figure)
– Binding: a commitment cannot be opened to two different messages $m \neq m'$
– Hiding: for all messages $m, m'$, the commitments to $m$ and to $m'$ look the same to the receiver
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open a commitment: • reveal $x$ and $r$ to the verifier • the verifier checks whether $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Thus $c = g^x h^r = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$. I.e. given $c$ and any $x'$ there exists $r''$ such that $c = g^{x'} h^{r''}$ (take $r'$ with $x' = x + ur'$, which exists since $u \neq 0$, and $r'' = r - r'$)
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^x h^r = g^{x'} h^{r'}$. Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')/(r' - r) \bmod q$, i.e. two openings reveal the discrete logarithm of $h$
Commitment Scheme Extended Features (figure)
– Proof of knowledge of contents: the committer proves that she knows the message $m$ inside the commitment; the verifier only learns "true"
– Proof of relations among contents: e.g. prove that the message $m'$ in a second commitment satisfies $m' = 2 \cdot m$; again the verifier only learns "true"
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$
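Added example (mine, not code from the slides or from Identity Mixer): a Python implementation of the Pedersen commitment from the previous slides together with the two proofs above, made non-interactive with the Fiat-Shamir heuristic. It assumes a constructed toy group (p = 2039, q = 1019, generators 4 and 9) that is far too small for real use, and that the prover does not know log_g h; all function names are mine.

```python
import hashlib
import random

# Constructed toy group (illustration only, far too small for real use):
# p = 2q + 1 is a safe prime, G is the order-q subgroup of Z_p^* (the quadratic residues).
P = 2039
Q = 1019
G = 4   # 2^2, generates the order-q subgroup
H = 9   # 3^2, a second generator; the prover is assumed not to know log_G(H)


def commit(x, r=None):
    """Pedersen commitment c = g^x h^r to x in Z_q with randomness r in Z_q."""
    if r is None:
        r = random.randrange(Q)
    return pow(G, x, P) * pow(H, r, P) % P, r


def open_commitment(c, x, r):
    """Verifier side of opening: check c = g^x h^r."""
    return c == pow(G, x, P) * pow(H, r, P) % P


def _challenge(*elements):
    """Fiat-Shamir challenge: hash of all public values, reduced mod q."""
    data = "|".join(str(v) for v in elements).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_opening(c, x, r):
    """Non-interactive PK{(alpha, beta): c = g^beta h^alpha} (Schnorr-style sigma protocol).
    beta is the message x, alpha the randomness r."""
    k1, k2 = random.randrange(Q), random.randrange(Q)
    t = pow(G, k1, P) * pow(H, k2, P) % P        # commitment to fresh randomness
    ch = _challenge(G, H, c, t)
    return {"t": t, "z_beta": (k1 + ch * x) % Q, "z_alpha": (k2 + ch * r) % Q}


def verify_opening(c, proof):
    """Check g^z_beta h^z_alpha = t * c^ch; the verifier learns nothing about x or r."""
    ch = _challenge(G, H, c, proof["t"])
    lhs = pow(G, proof["z_beta"], P) * pow(H, proof["z_alpha"], P) % P
    return lhs == proof["t"] * pow(c, ch, P) % P


def prove_double(c1, x, r1, c2, r2):
    """PK{(alpha, beta, gamma): c1 = g^beta h^alpha  AND  c2 = (g^2)^beta h^gamma},
    i.e. c2 commits to 2x; the same response z_beta is used in both equations."""
    k1, k2, k3 = (random.randrange(Q) for _ in range(3))
    t1 = pow(G, k1, P) * pow(H, k2, P) % P
    t2 = pow(G, 2 * k1, P) * pow(H, k3, P) % P
    ch = _challenge(G, H, c1, c2, t1, t2)
    return {"t1": t1, "t2": t2, "z_beta": (k1 + ch * x) % Q,
            "z_alpha": (k2 + ch * r1) % Q, "z_gamma": (k3 + ch * r2) % Q}


def verify_double(c1, c2, proof):
    """Both verification equations must hold with the shared z_beta."""
    ch = _challenge(G, H, c1, c2, proof["t1"], proof["t2"])
    ok1 = (pow(G, proof["z_beta"], P) * pow(H, proof["z_alpha"], P) % P
           == proof["t1"] * pow(c1, ch, P) % P)
    ok2 = (pow(G, 2 * proof["z_beta"], P) * pow(H, proof["z_gamma"], P) % P
           == proof["t2"] * pow(c2, ch, P) % P)
    return ok1 and ok2


if __name__ == "__main__":
    c1, r1 = commit(17)
    c2, r2 = commit(34)                      # 34 = 2 * 17
    print("opening ok:", open_commitment(c1, 17, r1))
    print("PK of contents ok:", verify_opening(c1, prove_opening(c1, 17, r1)))
    print("PK m' = 2m ok:", verify_double(c1, c2, prove_double(c1, 17, r1, c2, r2)))
```

The relation proof works because the exponent of g in C_2 is 2β: reusing the response z_beta for both equations is what binds the two commitments, exactly as the shared β in the slide's PK expression does.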
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$: – choose random $r \in \mathbb{Z}_q$ – compute $Nym = g^{sk} h^r$
Privacy-protecting authentication with Privacy ABCs – Concept: credentials
Like PKI, but better. Issuing a credential (figure): the issuer certifies Alice's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: – $m_1, \ldots, m_k \in \{0,1\}^\ell$ – $e > 2^{\ell+1}$ – $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead → $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(figure: the signer receives commitments to $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$ and returns $\sigma = \mathrm{sig}(\text{commitments to } m_1, \ldots, m_j,\ (m_{j+1}, \ldots, m_k))$; the user ends up with $\sigma$ such that $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$)
Verification remains unchanged. Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$
– User computes $C = a_1^{sk} b^{s'}$ and sends $C$ and the clear attribute $name$ to the issuer, together with $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$
– Issuer chooses $e, s''$, computes $c = \left(d / (C\, a_2^{name} b^{s''})\right)^{1/e} \bmod n$ and returns $(c, e, s'')$
– Result: $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$, i.e. $(c, e, s' + s'')$ is a signature on $(sk, name)$, and the issuer never learned $sk$
Want to sign w.r.t. $Nym = g^{sk} h^r$:
– User computes $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$ and $name$ together with $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$
– Issuer stores $(Nym, name)$ and computes $c = \left(d / (C\, a_3^{name} b^{s''})\right)^{1/e} \bmod n$
– Result: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
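Added example (mine, not code from the slides or from Identity Mixer), serving both the CL-signature slides above (sign, verify, re-randomisation with $c' = c\,b^t$) and the issuance on a hidden secret key shown here. It assumes constructed toy parameters: $n$ is the product of the two small safe primes 2039 and 4079, $\ell = 8$, and the issuer takes $e$-th roots using the factorisation of $n$; the user's zero-knowledge proof of the commitment's opening is left out, and all names (keygen, sign, verify, rerandomize, user_commit, issue, user_finalize) are mine.

```python
import random
from math import gcd

# Constructed toy parameters (illustration only; far too small for real security).
# p and q are safe primes, so the quadratic residues mod n contain no small-order elements.
P_, Q_ = 2039, 4079
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)      # issuer-only knowledge: the factorization of n
ELL = 8                        # message bit length ell: every m_i lies in [0, 2^ELL)


def _is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def _random_qr():
    """Random quadratic residue in Z_n^* (rejecting the rare r sharing a factor with n)."""
    while True:
        r = random.randrange(2, N)
        if gcd(r, N) == 1:
            return pow(r, 2, N)


def keygen(k):
    """Issuer public key for k messages: a_1..a_k, b, d in QR_n."""
    return {"a": [_random_qr() for _ in range(k)], "b": _random_qr(), "d": _random_qr()}


def _pick_e():
    """Random prime e with 2^(ell+1) < e < 2^(ell+2), coprime to phi(n) so the root exists."""
    while True:
        e = random.randrange(2 ** (ELL + 1) + 1, 2 ** (ELL + 2))
        if _is_prime(e) and gcd(e, PHI) == 1:
            return e


def _root(value, e):
    """e-th root mod n; only the issuer can do this, via e^-1 mod phi(n)."""
    return pow(value, pow(e, -1, PHI), N)


def _product(pk, msgs, s):
    """a_1^m_1 ... a_k^m_k b^s mod n; a negative s is fine with 3-argument pow (Python >= 3.8)."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(pk, msgs):
    """CL signature (c, e, s): c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n."""
    assert all(0 <= m < 2 ** ELL for m in msgs)
    e, s = _pick_e(), random.randrange(N // 2, N)          # s is about the size of n
    target = pk["d"] * pow(_product(pk, msgs, s), -1, N) % N
    return _root(target, e), e, s


def verify(pk, msgs, sig):
    """Check the message ranges, e > 2^(ell+1), and d = c^e a_1^m_1 ... b^s mod n."""
    c, e, s = sig
    in_range = all(0 <= m < 2 ** ELL for m in msgs) and e > 2 ** (ELL + 1)
    return in_range and pk["d"] == pow(c, e, N) * _product(pk, msgs, s) % N


def rerandomize(pk, sig):
    """(c', e, s') = (c b^t, e, s - e t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = random.randrange(1, N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


# Issuance on a hidden message: the user's sk never reaches the issuer.

def user_commit(pk, sk):
    """User: C = a_1^sk b^s' (the slide also sends a PK of C's opening, omitted here)."""
    s1 = random.randrange(N // 2, N)
    return pow(pk["a"][0], sk, N) * pow(pk["b"], s1, N) % N, s1


def issue(pk, commitment, clear_msgs):
    """Issuer: c = (d / (C a_2^m_2 ... a_k^m_k b^s''))^(1/e) mod n over C and the clear attributes."""
    e, s2 = _pick_e(), random.randrange(N // 2, N)
    rest = pow(pk["b"], s2, N)
    for a_i, m_i in zip(pk["a"][1:], clear_msgs):
        rest = rest * pow(a_i, m_i, N) % N
    target = pk["d"] * pow(commitment * rest % N, -1, N) % N
    return _root(target, e), e, s2


def user_finalize(partial_sig, s1):
    """User: (c, e, s' + s'') is a CL signature on (sk, clear attributes)."""
    c, e, s2 = partial_sig
    return c, e, s1 + s2
```

Because $C$ already contains $b^{s'}$, the issuer's root computation produces $c^e = d / (a_1^{sk} a_2^{name} b^{s' + s''})$, which is why adding the two randomness values is all the user has to do to obtain an ordinary CL signature that `verify` accepts.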
October 28, 2014 · © 2013 IBM Corporation
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates a pseudonym (ID for registration)
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$
The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes – the user is anonymous and unlinkable – multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$; $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential – $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$ – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
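Added example (mine, not code from the slides or from Identity Mixer) of the domain pseudonym $P = H(pollID)^{sk}$ and of the pollster's duplicate detection from the two slides above. It assumes the same constructed toy group as before (p = 2039, q = 1019), hashes the poll ID into the quadratic-residue subgroup by squaring a SHA-256 output, and treats the credential proof (the SPK) as already verified; the user secret keys and poll IDs are constructed sample values and all names are mine.

```python
import hashlib

# Constructed toy group (illustration only): p = 2q + 1 safe prime,
# G = order-q subgroup of Z_p^* (the quadratic residues).
P = 2039
Q = 1019


def domain_generator(domain):
    """g_d = H(domain): hash the poll ID into the order-q subgroup.
    Squaring the hashed value maps it into the quadratic residues; a result of 0 or 1
    would be degenerate (g_d = 1 would make every user's P equal), so those are re-hashed."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{counter}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g_d not in (0, 1):
            return g_d
        counter += 1


def domain_pseudonym(sk, domain):
    """P = g_d^sk: deterministic per (user, poll), so a second submission repeats it;
    across polls the bases differ, so the values are unlinkable under DDH."""
    return pow(domain_generator(domain), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym. Verification of the credential proof
    (the SPK on the slide) is assumed to have happened before submit() is called."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = set()
        self.opinions = []

    def submit(self, nym, opinion):
        if nym in self.seen:
            return False          # duplicate submission is dropped
        self.seen.add(nym)
        self.opinions.append(opinion)
        return True


def run_demo():
    """Two users, two polls, with constructed secret keys (not real credentials)."""
    alice_sk, bob_sk = 123, 456
    eval_poll = Pollster("course-eval-2015")
    other_poll = Pollster("lunch-survey-2015")
    results = {
        "alice_first": eval_poll.submit(domain_pseudonym(alice_sk, eval_poll.poll_id), "good"),
        "alice_again": eval_poll.submit(domain_pseudonym(alice_sk, eval_poll.poll_id), "bad"),
        "bob": eval_poll.submit(domain_pseudonym(bob_sk, eval_poll.poll_id), "ok"),
        "alice_other": other_poll.submit(domain_pseudonym(alice_sk, other_poll.poll_id), "pizza"),
    }
    return results, eval_poll.opinions


if __name__ == "__main__":
    print(run_demo())
```

The pollster stores only pseudonyms, never secret keys, and the second submission by the same key in the same poll is rejected without learning who the user is. Since $sk$ is coprime to $q$, raising to $sk$ is a bijection on the subgroup, so two domain pseudonyms of one user differ exactly when the two domain generators differ.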
Further Concepts
Concept – Inspection (figure: a TTP/inspector with inspector parameters and inspection grounds)
• If the car is damaged, the ID must be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption (figure): key generation, encryption, decryption
Security – like envelopes: the ciphertext reveals no info about the message. This is called semantic security (secure if used once only or within a careful construction)
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext
Verifiable Encryption
Of attributes (discrete logarithm) – Camenisch-Shoup (SRSA) – based on Paillier encryption
Of pseudonyms (group elements) – Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists) – Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$
To encrypt a message $m \in \langle g \rangle$: – choose random $r \in \{1, \ldots, q\}$ – compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$: – we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$ – thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
Alice holds $Nym = g^{sk} h^r$ and the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the issuer knows $Nym$; the inspector's public key is $y = g^x$
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$. Compute the proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
– compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
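Added example (mine, not code from the slides or from Identity Mixer) of the ElGamal part of inspection: the user encrypts $Nym$ under the inspector's key, and only the inspector can recover it and match it against the issuer's $(Nym, name)$ register. It assumes the constructed toy group used before (p = 2039, q = 1019, g = 4, h = 9) and fixed sample values for keys and randomness; the accompanying proof of correct encryption from the slide is not implemented, and all names are mine.

```python
import random

# Constructed toy group (illustration only): p = 2q + 1 safe prime,
# G = order-q subgroup generated by g = 4; h = 9 is a second generator.
P, Q, G, H = 2039, 1019, 4, 9


def inspector_keygen(x=None):
    """Inspector secret key x, public key y = g^x."""
    if x is None:
        x = random.randrange(1, Q)
    return x, pow(G, x, P)


def pseudonym(sk, r):
    """Nym = g^sk h^r (a Pedersen commitment to the user's secret key)."""
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, m, u=None):
    """ElGamal: (e1, e2) = (y^u m, g^u) for a message m in the subgroup."""
    if u is None:
        u = random.randrange(1, Q)
    return pow(y, u, P) * m % P, pow(G, u, P)


def decrypt(x, ct):
    """m = e1 * e2^(-x); pow with a negative exponent computes the inverse (Python >= 3.8)."""
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P


def inspect(x, ct, issuer_register):
    """The inspector recovers Nym and looks it up in the issuer's (Nym -> name) register
    (the slide's "stores Nym, name"); returns None for an unknown pseudonym."""
    return issuer_register.get(decrypt(x, ct))


def run_demo():
    """Constructed values: Alice registers Nym with the issuer, later presents an
    encryption of it under the inspector's key; only the inspector can open it."""
    x, y = inspector_keygen(x=777)
    nym = pseudonym(sk=42, r=99)
    register = {nym: "Alice Doe"}           # issuer side
    ct1 = encrypt(y, nym, u=5)              # two presentations of the same Nym ...
    ct2 = encrypt(y, nym, u=6)              # ... are different ciphertexts (semantic security)
    return {
        "same_plaintext": decrypt(x, ct1) == decrypt(x, ct2) == nym,
        "ciphertexts_differ": ct1 != ct2,
        "identified": inspect(x, ct1, register),
        "wrong_key_identifies": inspect(x + 1, ct1, register),
    }


if __name__ == "__main__":
    print(run_demo())
```

A verifier who sees `ct1` and `ct2` cannot tell that they encrypt the same $Nym$, which is the property the presentation token relies on; the proof on the slide is what additionally convinces the verifier that the ciphertext really contains the pseudonym bound to the credential.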
Revocation of credentials
Anonymous Credential Revocation (figure: the issuer publishes revocation info, the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user
Alice should be able to convince the verifier that her credential is among the good ones
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \cdots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
– can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier might never change $h$ at all, or use the same $h$ as other verifiers
– one way out: $h = H(verifier, date)$, so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – better implementation of the proof
(figure) The issuer signs the intervals between revoked values: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)$
Alice shows that her credential contains a value (e.g. 3) lying strictly inside some interval $(i, j)$ for which she holds $Sig(i, j)$; the verifier does not learn $i, j$
$Sig(i, j)$ can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators (figure: credentials contain random serial numbers, e.g. 1 to 6; the issuer accumulates all good serial numbers; to show that a serial number, e.g. 2, is included in the accumulator, the proof requires a witness)
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate: – values are primes $e_i$ – accumulator value $z = v^{\prod e_i} \bmod n$ – publish $z$ and $n$ – witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator: – provide $x$ for $e$ – the verifier checks $z = x^e \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find $x$ and $e$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator
– for a fixed $e$: equivalent to the RSA assumption – for any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$ and each user gets the witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to $x$: • choose random $s$ and $g$ • compute $U_1 = x\, h^s$, $U_2 = g^s$ and reveal $U_1, U_2, g$
– run the proof protocol with the verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed: • $(U_1, U_2)$ is a secure commitment to $x$ • the proof protocol is zero-knowledge
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– witness: • use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$ • now $x' = x^b z'^a \bmod n$
• why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
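Added example (mine, not code from the slides or from Identity Mixer) of the RSA accumulator from the preceding slides: accumulation of prime serial numbers, witness computation and checking, the issuer-side revocation $z' = z^{1/e_{rev}}$, the user-side witness update via the extended Euclidean algorithm, and the addition of a new member. It assumes the constructed toy modulus $n = 2039 \cdot 4079$ (two small safe primes, far too small for real use), constructed serial-number primes, and leaves out the zero-knowledge proof of the witness; all names are mine.

```python
import random
from math import gcd

# Constructed toy parameters (illustration only): n = p*q with p, q safe primes.
P_, Q_ = 2039, 4079
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)      # issuer-only knowledge (the factorization of n)


def setup():
    """Seed v: a random quadratic residue in Z_n^*."""
    while True:
        r = random.randrange(2, N)
        if gcd(r, N) == 1:
            return pow(r, 2, N)


def accumulate(v, primes):
    """z = v^(prod e_i) mod n."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(v, primes, e_j):
    """x_j = v^(product of all e_i except e_j), so that x_j^e_j = z."""
    return accumulate(v, [e for e in primes if e != e_j])


def verify(z, x, e):
    """Membership check done by the verifier: z == x^e mod n."""
    return pow(x, e, N) == z


def add(z, witnesses, e_new):
    """Dynamic add: z' = z^e_new and every existing witness becomes x' = x^e_new.
    The new member's own witness is the old accumulator z (z^e_new = z')."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def ext_gcd(a, b):
    """Extended Euclid: returns (g, u, w) with u*a + w*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, w = ext_gcd(b, a % b)
    return g, w, u - (a // b) * w


def revoke(z, e_rev):
    """Issuer side: z' = z^(1/e_rev) mod n, which needs the factorization of n."""
    return pow(z, pow(e_rev, -1, PHI), N)


def update_witness(x, e_own, z_new, e_rev):
    """User side, without the factorization: find a*e_own + b*e_rev = 1, then
    x' = x^b z'^a mod n satisfies x'^e_own = z' (3-argument pow handles a negative b)."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1                              # distinct primes are coprime
    return pow(x, b, N) * pow(z_new, a, N) % N


def run_demo():
    """Constructed serial-number primes for five credentials: revoke 541, check that
    the others still prove membership and the revoked one no longer does, then add 563."""
    primes = [521, 523, 541, 547, 557]
    v = setup()
    z = accumulate(v, primes)
    wit = {e: witness(v, primes, e) for e in primes}
    ok_before = all(verify(z, wit[e], e) for e in primes)

    z_new = revoke(z, 541)
    wit_new = {e: update_witness(wit[e], e, z_new, 541) for e in primes if e != 541}
    ok_after = all(verify(z_new, wit_new[e], e) for e in wit_new)
    revoked_fails = not verify(z_new, wit[541], 541)

    z_add, wit_add = add(z_new, wit_new, 563)
    wit_add[563] = z_new
    ok_added = all(verify(z_add, wit_add[e], e) for e in wit_add)
    return {"before": ok_before, "after": ok_after,
            "revoked_fails": revoked_fails, "added": ok_added}


if __name__ == "__main__":
    print(run_demo())
```

The point of `update_witness` is that the unrevoked users need only the public values $z'$ and $e_{rev}$ to repair their witnesses, while the revoked user is stuck: her old witness satisfies $x^{e_{rev}} = z$, not $z'$, and computing a new one would mean taking an $e_{rev}$-th root without the factorisation of $n$.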
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
→ no additional effort for the verifier: if the credential is valid, there is no need to check revocation updates from the issuer
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $e, s''$ and computes $c = \left(d / (U a_3^{m_3} a_4^{time} b^{s''})\right)^{1/e} \bmod n$, returning $(c, e, s'')$
Idea: just repeat the last step for each new time $time_i$: choose $e_i, s_i''$ and compute $c_i = \left(d / (U a_3^{m_3} a_4^{time_i} b^{s_i''})\right)^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap – explain the possibilities to engineers, policy makers, etc. – usable prototypes – provide transparency – public infrastructure for privacy protection – laws with teeth (encourage investment in privacy)
Challenges – Internet services get paid with personal data (inverse incentive) – end users are not able to handle their data (user interfaces) – security technology is typically invisible and hard to sell
Towards a secure information society – society changes quickly and gets shaped by technology – consequences are hard to grasp (time will show) – we must inform and engage in a dialog
Thank you! eMail: identity@zurich.ibm.com
Links: – www.abc4trust.eu – www.futureID.eu – www.au2eu.eu – www.PrimeLife.eu – www.zurich.ibm.com/idemix – idemixdemo.zurich.ibm.com
Code: – github.com/p2abcengine & abc4trust.eu/idemix
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g.
  d = c^e · a_1^{sk} · a_2^{u_i} · b^{s″+s′} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for each u_j in (u_1, …, u_k)
- prove PK(ε, μ, ρ, σ) { ( d = c′^ε · a_1^ρ · a_2^μ · b^σ (mod n)  ∧  U_1 = g^μ )  ∨  …  ∨  ( d = c′^ε · a_1^ρ · a_2^μ · b^σ (mod n)  ∧  U_k = g^μ ) }
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g.
  d = c^e · a_1^{sk} · a_2^{u_i} · b^{s″+s′} (mod n)
Publish the list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK(ε, μ, ρ, σ) { d = c′^ε · a_1^ρ · a_2^μ · b^σ (mod n)  ∧  U = h^μ }
- verifier checks that U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all its past transactions become linkable
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
- can pre-compute the list U_i = h^{u_i} → single table lookup
- BUT: if the user comes again, the verifier can link her; ALSO the verifier could not change h at all, or use the same h as other verifiers
- one way out: h = H(verifier, date), so the user can check correctness
- date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution
… better implementation of the proof
Figure: revocation list {1, 4, 5}; signed intervals Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); Alice's credential contains 3 and she proves she knows some Sig(i,j) with i < 3 < j
Issuer signs the intervals between revoked values → revocation list {1, 4, 5}
Verifier does not learn i, j
Sig(i,j) can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
Figure: accumulator containing the serial numbers 1, …, 6; Alice's credential contains 2
- credentials contain a random serial number
- issuer accumulates all good serial numbers
- proof that the accumulator contains the serial number of the credential requires a witness

Revocable Credentials: Third Solution
Using cryptographic accumulators
Figure: the same accumulator after 2 has been removed
- to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators
Key setup: RSA modulus n, seed v
Accumulate:
- values are primes e_i
- accumulator value z = v^{∏ e_i} mod n
- publish z and n
- witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ⋯ e_{j−1} · e_{j+1} ⋯ e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be hard to find x and e with z = x^e mod n for an e that is not contained in the accumulator
- For fixed e: equivalent to the RSA assumption
- Any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets a witness x with the certificate. But we still need:
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
- Commit to x:
  • choose random s and g, and
  • compute U_1 = x · h^s, U_2 = g^s and reveal U_1, U_2, g
- Run the proof protocol with the verifier:
  PK(ε, μ, ρ, σ, ξ, δ) { d = c′^ε · a_1^ρ · a_2^μ · b^σ (mod n)  ∧  z = U_1^μ · (1/h)^ξ (mod n)  ∧  1 = U_2^μ · (1/g)^ξ (mod n)  ∧  U_2 = g^δ (mod n) }
Revocable Credentials: Third Solution
Analysis
- No information about x and e is revealed:
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
- The proof indeed proves that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ · (1/g)^ξ = (g^δ)^μ · (1/g)^ξ (mod n)  ⇒  ξ = δ·μ
  b) z = U_1^μ · (1/h)^ξ = U_1^μ · (1/h)^{δ·μ} = (U_1 / h^δ)^μ (mod n)
  c) d = c′^ε · a_1^ρ · a_2^μ · b^σ (mod n)
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing e_new
- Recall z = v^{∏ e_i} mod n
- Thus z′ = z^{e_new} mod n
- But then all witnesses are no longer valid, i.e. they need to be updated: x′ = x^{e_new} mod n
Revocation: Third Solution
Dynamic accumulator: when a certificate containing e_rev is revoked
- Now z′ = v^{∏_{i≠rev} e_i} = z^{1/e_rev} mod n
- Witness:
  • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  • now x′ = x^b · z′^a mod n
  • why? x′^{e_own} = ((x^b · z′^a)^{e_own})^{e_rev · (1/e_rev)} mod n
      = ((x^b · z′^a)^{e_own · e_rev})^{1/e_rev} mod n
      = ((x^{e_own})^{b·e_rev} · (z′^{e_rev})^{a·e_own})^{1/e_rev} mod n
      = (z^{b·e_rev} · z^{a·e_own})^{1/e_rev} mod n
      = z^{1/e_rev} mod n = z′  :-)
Revocation: Third Solution (improved)
Dynamic accumulator, in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
- Recall z = v^{∏ e_i} mod n
- Actually v never occurs anywhere, so set v′ = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
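As an added worked example (not code from the slides or from Identity Mixer), the accumulator operations of the preceding slides in Python: accumulate, witness, public add, issuer-side add that leaves z unchanged, revocation z′ = z^{1/e_rev}, and the Extended-Euclid witness update. The modulus built from two Mersenne primes, the seed and the small primes used as serial numbers are toy choices made for this example.

```python
"""Toy RSA accumulator for credential revocation (constructed example, not Identity Mixer code).
Follows the slides: z = v^(prod e_i) mod n, witness x with x^e = z, public add, issuer-side add
with z unchanged (the issuer knows the factorisation), revocation z' = z^(1/e_rev) and the
Extended-Euclid witness update x' = x^b * z'^a."""
import secrets

P_SEC, Q_SEC = 2**31 - 1, 2**61 - 1      # toy factors of n (issuer's secret); real n is ~2048 bits
N = P_SEC * Q_SEC
PHI = (P_SEC - 1) * (Q_SEC - 1)          # every prime factor of PHI is <= 1321, so the serial primes below are coprime to it

def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def accumulate(v, primes):
    """z = v^(prod e_i) mod n."""
    z = v
    for e in primes:
        z = pow(z, e, N)
    return z

def witness(v, primes, e_j):
    """x = v^(prod_{i != j} e_i) mod n, so that x^e_j = z."""
    return accumulate(v, [e for e in primes if e != e_j])

def verify(z, x, e):
    """Membership check done by the verifier: z == x^e mod n."""
    return pow(x, e, N) == z

def public_add(z, witnesses, e_new):
    """Anyone can add e_new: z' = z^e_new and every holder updates x' = x^e_new.
    The new member's witness is the old z, because z^e_new = z'."""
    updated = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    updated[e_new] = z
    return pow(z, e_new, N), updated

def issuer_add(z, e_new):
    """Improved variant: the issuer hands out x = z^(1/e_new) and leaves z unchanged."""
    return pow(z, pow(e_new, -1, PHI), N)

def issuer_revoke(z, e_rev):
    """Revocation: z' = z^(1/e_rev) mod n (needs the factorisation of n)."""
    return pow(z, pow(e_rev, -1, PHI), N)

def update_witness(x, e_own, e_rev, z_new):
    """Remaining holder: a*e_own + b*e_rev = 1, then x' = x^b * z'^a so that x'^e_own = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return pow(x, b, N) * pow(z_new, a, N) % N     # b may be negative: Python inverts x mod n

def demo():
    """Issue, add publicly, add issuer-side, revoke, update witnesses; returns the four checks."""
    v = pow(secrets.randbelow(N - 2) + 2, 2, N)         # seed: a quadratic residue
    serials = [101, 103, 107, 109]                       # toy credential serial numbers (primes)
    z = accumulate(v, serials)
    wits = {e: witness(v, serials, e) for e in serials}
    issued_ok = all(verify(z, x, e) for e, x in wits.items())

    z, wits = public_add(z, wits, 113)                   # everybody recomputes their witness
    wits[127] = issuer_add(z, 127)                       # issuer-side add: z stays the same
    added_ok = all(verify(z, x, e) for e, x in wits.items())

    revoked = 103
    z_new = issuer_revoke(z, revoked)
    old_witness = wits.pop(revoked)
    wits = {e: update_witness(x, e, revoked, z_new) for e, x in wits.items()}
    remaining_ok = all(verify(z_new, x, e) for e, x in wits.items())
    revoked_rejected = not verify(z_new, old_witness, revoked)
    return issued_ok, added_ok, remaining_ok, revoked_rejected
```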
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- user sends U = a_1^{m_1} · a_2^{m_2} · b^{s′}
- issuer chooses e, s″ and computes c = (d / (U · a_3^{m_3} · a_4^{time} · b^{s″}))^{1/e} mod n
- issuer returns (c, e, s″)
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
- choose e_i, s_i″
- c_i = (d / (U · a_3^{m_3} · a_4^{time_i} · b^{s_i″}))^{1/e_i} mod n
Update information (c_i, e_i, s_i″) can be pushed to the user by many different means
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
e-mail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
- M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
- D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Signature Scheme Security
Unforgeability under adaptive chosen-message attack
Figure: the adversary obtains signatures (m_1, σ_1), …, (m_l, σ_l) on messages of its choice and wins if it outputs σ and m ≠ m_i (for all i) s.t. ver(σ, m) = true
RSA Signature Scheme – for reference
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*:
  d = 1/e mod (p−1)(q−1)
  s = H(m)^d mod n
Verification of a signature s on a message m ∈ {0,1}*:
  s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme – for reference
Verification of a signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
We want to do a proof of knowledge of a signature on a message, e.g.
  PK{(m, s) : s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m_1, …, m_k ∈ {0,1}^ℓ:
- choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n
- compute c = (d / (a_1^{m_1} ⋯ a_k^{m_k} · b^s))^{1/e} mod n
- the signature is (c, e, s)
CL-Signature Scheme
To verify a signature (c, e, s) on messages m_1, …, m_k:
- m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e · a_1^{m_1} ⋯ a_k^{m_k} · b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption
Proving Knowledge of a CL-signature
Recall d = c^e · a_1^{m_1} · a_2^{m_2} · b^s mod n
Observe:
- Let c′ = c · b^t mod n with randomly chosen t
- Then d = c′^e · a_1^{m_1} · a_2^{m_2} · b^{s−et} (mod n), i.e. (c′, e, s′ = s−et) is also a signature on m_1 and m_2
To prove knowledge of a signature (c′, e, s′) on m_2 and some m_1, provide c′ and
  PK(ε, μ1, σ) { d / a_2^{m_2} = c′^ε · a_1^{μ1} · b^σ  ∧  μ1 ∈ {0,1}^ℓ  ∧  ε > 2^{ℓ+1} }
→ proves d = c′^ε · a_1^{μ1} · a_2^{m_2} · b^σ
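Added example (not code from the slides or from Identity Mixer): a toy CL signature on two messages in Python, showing signing, verification and the re-randomisation (c′, e, s − e·t) described above, which yields a signature that verifies but shares no visible value with the original. The modulus from two Mersenne primes, the bases as small squares and ℓ = 16 are toy choices for this example.

```python
"""Toy CL signature: sign, verify and re-randomise (constructed example, not Identity Mixer code).
The modulus is the product of two Mersenne primes and ELL = 16; production systems use ~2048-bit n."""
import secrets

P_SEC, Q_SEC = 2**31 - 1, 2**61 - 1          # signer's secret key: the factors of n
N = P_SEC * Q_SEC
PHI = (P_SEC - 1) * (Q_SEC - 1)              # every prime factor of PHI is <= 1321, so any prime e > 2^17 is coprime to it
ELL = 16                                     # messages m_i are in {0,1}^ELL
# Public key: a_1, a_2, b, d in QR_n, constructed here as squares of small units.
A = [pow(base, 2, N) for base in (3, 5)]
B, D = pow(7, 2, N), pow(11, 2, N)

def _is_prime(n):
    """Trial division; enough for the 18-bit exponents e used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def _random_prime(lo, hi):
    """Random prime in the open interval (lo, hi)."""
    while True:
        cand = secrets.randbelow(hi - lo - 1) + lo + 1
        if _is_prime(cand):
            return cand

def _product(messages, s):
    """a_1^m_1 * a_2^m_2 * b^s mod n (a negative s makes Python invert b mod n)."""
    acc = pow(B, s, N)
    for a, m in zip(A, messages):
        acc = acc * pow(a, m, N) % N
    return acc

def sign(messages):
    """(c, e, s) with c = (d / (a_1^m_1 a_2^m_2 b^s))^(1/e) mod n; the e-th root needs the factors of n."""
    assert len(messages) == len(A) and all(0 <= m < 2**ELL for m in messages)
    e = _random_prime(2**(ELL + 1), 2**(ELL + 2))   # 2^(l+1) < e < 2^(l+2)
    s = secrets.randbelow(N)                          # s of about the size of n
    target = D * pow(_product(messages, s), -1, N) % N
    return pow(target, pow(e, -1, PHI), N), e, s

def verify(sig, messages):
    """d == c^e * a_1^m_1 * a_2^m_2 * b^s mod n, with e in the required range."""
    c, e, s = sig
    if not 2**(ELL + 1) < e < 2**(ELL + 2) or not all(0 <= m < 2**ELL for m in messages):
        return False
    return pow(c, e, N) * _product(messages, s) % N == D

def rerandomize(sig):
    """(c', e, s') = (c * b^t, e, s - e*t): a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N - 1) + 1
    return c * pow(B, t, N) % N, e, s - e * t

def demo():
    """Sign (sk, attribute), re-randomise, and check that an altered message is rejected."""
    messages = [12345, 4242]
    sig = sign(messages)
    fresh = rerandomize(sig)
    return (verify(sig, messages), verify(fresh, messages),
            fresh[0] != sig[0] and fresh[2] != sig[2], verify(sig, [12346, 4242]))
```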
Privacy-protecting authentication with Privacy ABCs
Figure: Alice's credentials are built from a signature scheme, a commitment scheme and zero-knowledge proofs
Commitment scheme
Commitment Scheme Functionality
Figure: a message m is locked into a commitment; opening the commitment later reveals m
Commitment Scheme Security
Binding
Figure: a commitment to m cannot be opened to a different message m′
Commitment Scheme Security
Hiding: for all messages m, m′, a commitment to m cannot be distinguished from a commitment to m′
Figure: commitments to m and to m′ look alike to the receiver
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x · h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x · h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• verifier checks if c = g^x · h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x · h^r
Perfectly hiding:
- Let c be a commitment and u = log_g h
- Thus c = g^x · h^r = g^{x+ur} = g^{(x+ur) + u(r′−r′)} = g^{x+ur′} · h^{r−r′} for any r′
- I.e., given c and any x′, there exists an r′ such that c = g^{x′} · h^{r′}
Computationally binding:
- Let c, (x, r) and (x′, r′) be s.t. c = g^x · h^r = g^{x′} · h^{r′}
- Then g^{x−x′} = h^{r′−r} and u = log_g h = (x−x′)/(r′−r) mod q
Commitment Scheme Extended Features
Figure: proof of knowledge of contents (prove knowledge of the m inside a commitment → true); proof of relations among contents (prove m′ = 2·m for two commitments → true)
Let C_1 = g^m · h^r and C_2 = g^{m′} · h^{r′}; then
  PK(α, β) { C_1 = g^β · h^α }
  PK(α, β, γ) { C_1 = g^β · h^α  ∧  C_2 = (g^2)^β · h^γ }
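Added example, not from the slides or from Identity Mixer: a generic Σ-protocol with Fiat–Shamir for a conjunction of discrete-log equations that share witnesses, which is what the PK notation denotes. It proves this slide's PK(α, β, γ){ C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ } and, from the "Realizing Inspection" slide, PK(μ1, μ2, ρ){ e_1 = y^ρ g^{μ1} h^{μ2} ∧ e_2 = g^ρ } over an ElGamal encryption of Nym that the inspector then decrypts (the CL clause over QR_n is left out). The group, a prime-order subgroup of Z_p^* with p found at start-up, and the generators g, h derived by hashing are constructed for the example.

```python
"""Sigma protocol for the slides' PK{...} statements over a toy prime-order group.
Constructed example, not Identity Mixer code. A statement is a list of equations target = prod base^w[idx]
that share one witness vector w; the slides' 'and' between equations is exactly this shared-witness proof."""
import hashlib
import secrets

Q = 2**127 - 1  # prime order of the subgroup (a Mersenne prime)

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; only used to construct the toy group."""
    if n < 2 or n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_modulus(q):
    """Smallest prime p = k*q + 1, so that Z_p^* has a subgroup of order q."""
    k = 2
    while not _is_probable_prime(k * q + 1):
        k += 2
    return k * q + 1

P = _find_modulus(Q)
_COFACTOR = (P - 1) // Q

def hash_to_group(label):
    """Order-q element whose discrete log w.r.t. the other generators is unknown."""
    elem = pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, _COFACTOR, P)
    assert elem not in (0, 1)
    return elem

g, h = hash_to_group(b"g"), hash_to_group(b"h")

def _challenge(statements, commitments):
    """Fiat-Shamir challenge bound to the statement and the prover's first messages."""
    sha = hashlib.sha256()
    for target, terms in statements:
        sha.update(target.to_bytes(32, "big"))
        for base, idx in terms:
            sha.update(base.to_bytes(32, "big") + bytes([idx]))
    for t in commitments:
        sha.update(t.to_bytes(32, "big"))
    return int.from_bytes(sha.digest(), "big") % Q

def prove(statements, witnesses):
    """Non-interactive proof (challenge, responses) of target_i = prod base_ij^witnesses[idx_ij]."""
    nonces = [secrets.randbelow(Q) for _ in witnesses]
    commitments = []
    for _target, terms in statements:
        t = 1
        for base, idx in terms:
            t = t * pow(base, nonces[idx], P) % P
        commitments.append(t)
    c = _challenge(statements, commitments)
    return c, [(k + c * w) % Q for k, w in zip(nonces, witnesses)]

def verify(statements, proof):
    """Recompute each first message as prod base^response * target^-c and re-derive the challenge."""
    c, responses = proof
    commitments = []
    for target, terms in statements:
        t = pow(target, -c, P)  # negative exponent = modular inverse (Python 3.8+)
        for base, idx in terms:
            t = t * pow(base, responses[idx], P) % P
        commitments.append(t)
    return c == _challenge(statements, commitments)

def demo_relation():
    """Slides' PK(alpha,beta,gamma){ C1 = g^beta h^alpha AND C2 = (g^2)^beta h^gamma }: C2 hides 2*m."""
    m, r1, r2 = (secrets.randbelow(Q) for _ in range(3))
    g2 = pow(g, 2, P)
    c1, c2 = pow(g, m, P) * pow(h, r1, P) % P, pow(g2, m, P) * pow(h, r2, P) % P
    good = [(c1, [(g, 0), (h, 1)]), (c2, [(g2, 0), (h, 2)])]
    c_bad = pow(g, 3 * m, P) * pow(h, r2, P) % P  # commits to 3*m: the same prover must be rejected
    bad = [(c1, [(g, 0), (h, 1)]), (c_bad, [(g2, 0), (h, 2)])]
    return verify(good, prove(good, [m, r1, r2])), verify(bad, prove(bad, [m, r1, r2]))

def demo_inspection():
    """Slides' 'Realizing Inspection' without the CL clause: ElGamal-encrypt Nym = g^sk h^r under the
    inspector key y = g^x and prove PK(mu1,mu2,rho){ e1 = y^rho g^mu1 h^mu2 AND e2 = g^rho }."""
    x, sk, r, u = (secrets.randbelow(Q) for _ in range(4))  # x: inspector's decryption key
    y = pow(g, x, P)
    nym = pow(g, sk, P) * pow(h, r, P) % P
    e1, e2 = pow(y, u, P) * nym % P, pow(g, u, P)  # ElGamal ciphertext (y^u * Nym, g^u)
    stmts = [(e1, [(y, 2), (g, 0), (h, 1)]), (e2, [(g, 2)])]
    ok = verify(stmts, prove(stmts, [sk, r, u]))
    return ok, e1 * pow(e2, -x, P) % P == nym  # inspector decrypts: e1 * e2^-x == Nym
```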
Putting things together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} · h^r
Privacy-protecting authentication with Privacy ABCs
Concept: credentials
Like PKI, but better
Figure: issuing a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m_1, …, m_k:
- m_1, …, m_k ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e · a_1^{m_1} ⋯ a_k^{m_k} · b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e · a_1^{sk} · a_2^{m_2} ⋯ a_k^{m_k} · b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
Figure: the signer receives commitments to m_1, …, m_j and the clear messages (m_{j+1}, …, m_k) and outputs σ = sig(commitments, (m_{j+1}, …, m_k)); the recipient obtains ver(σ, (m_1, …, m_k)) = true
Verification remains unchanged
Security requirements basically the same as for signatures, but:
• the signer should not learn any information about m_1, …, m_j
• forgery w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
User (holding sk):
- computes C = a_1^{sk} · b^{s′} and sends C together with her name
- proves PK(μ1, σ) { C = a_1^{μ1} · b^σ }
Issuer:
- chooses e, s″ and computes c = (d / (C · a_2^{name} · b^{s″}))^{1/e} mod n
- returns (c, e, s″)
User now holds a credential with d = c^e · a_1^{sk} · a_2^{name} · b^{s″+s′} (mod n)
Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^{sk} · h^r
User:
- computes C = a_1^{sk} · a_2^{r} · b^{s′} and sends C, Nym and her name
- proves PK(μ1, ρ, σ) { Nym = g^{μ1} · h^ρ  ∧  C = a_1^{μ1} · a_2^ρ · b^σ }
Issuer:
- stores (Nym, name)
- computes c = (d / (C · a_3^{name} · b^{s″}))^{1/e} mod n and returns (c, e, s″)
User now holds a credential with d = c^e · a_1^{sk} · a_2^{r} · a_3^{name} · b^{s″+s′} (mod n)
An Example Scenario
Polling Scenario and Requirements
Scenario: pollster(s) and a number of users
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
- A user can voice her opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling – Solution: Registration
Figure: issuer's public key (n, a_1, a_2, a_3, b, d)
- User generates a pseudonym (ID for registration)
- User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e · a_1^{sk} · a_2^{r} · a_3^{attr} · b^s (mod n)
- The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
- User is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential:
   - c′ = c · b^{s′} mod n with randomly chosen s′
   - SPK(ε, μ1, μ2, μ3, σ) { P = g_d^{μ1}  ∧  d = c′^ε · a_1^{μ1} · a_2^{μ2} · a_3^{μ3} · b^σ (mod n)  ∧  μ1, μ2, μ3 ∈ {0,1}^ℓ  ∧  ε > 2^{ℓ+1} }(opinion)
Further Concepts
Concept – Inspection
Figure: TTP with inspector parameters and inspection grounds
• If the car is damaged, the ID needs to be retrieved (with the insurance or the government)
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
Figure: key generation, encryption, decryption
Public Key Encryption: Security
Like envelopes: no information about the message is revealed
This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
mlσl
σ and mne mi st ver(σ m ) = true
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
CL-Signature Scheme

Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n.
Secret key: the factors of n.

To sign k messages m_1, ..., m_k ∈ {0,1}^ℓ:
- choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, and compute
  c = (d / (a_1^{m_1} ··· a_k^{m_k} · b^s))^{1/e} mod n
- the signature is (c, e, s).
CL-Signature Scheme

To verify a signature (c, e, s) on messages m_1, ..., m_k:
- m_1, ..., m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}
- d = c^e · a_1^{m_1} ··· a_k^{m_k} · b^s mod n

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature

Recall d = c^e · a_1^{m_1} · a_2^{m_2} · b^s mod n.

Observe: let c' = c · b^t mod n with randomly chosen t. Then d = c'^e · a_1^{m_1} · a_2^{m_2} · b^{s-et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m_1 and m_2.

To prove knowledge of a signature (c', e, s') on m_2 and some m_1, provide c' and
PK{(ε, µ_1, σ): d / a_2^{m_2} = c'^ε · a_1^{µ_1} · b^σ ∧ µ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
→ proves d = c'^ε · a_1^{µ_1} · a_2^{m_2} · b^σ.
Privacy-protecting authentication with Privacy ABCs

(diagram with Alice: the building blocks are a signature scheme, a commitment scheme and zero-knowledge proofs)
Commitment Scheme
Commitment Scheme Functionality (diagram: the committer seals a message m into a commitment, sends it, and can later open it so that the verifier learns m)

Commitment Scheme Security: Binding (diagram: a commitment cannot be opened to two different messages)

Commitment Scheme Security: Hiding, for all messages m, m' (diagram: a commitment to m and a commitment to m' cannot be told apart)
Commitment Schemes

Group G = <g> = <h> of order q.

To commit to an element x ∈ Z_q:
- Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
- ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)

To open a commitment:
- reveal x and r to the verifier
- the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme

Choose r ∈ Z_q and compute c = g^x h^r.

Perfectly hiding: let c be a commitment and u = log_g h. For any x' set r' = r + (x - x')/u mod q; then c = g^x h^r = g^{x+ur} = g^{x'+ur'} = g^{x'} h^{r'}. I.e., given c and any x', there exists r' such that c = g^{x'} h^{r'}.

Computationally binding: let c, (x, r) and (x', r') be such that c = g^x h^r = g^{x'} h^{r'}. Then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x')/(r'-r) mod q, i.e. opening a commitment in two ways reveals the discrete logarithm of h.
Commitment Scheme Extended Features

Proof of knowledge of contents and proof of relations among contents (diagram: a prover shows "I know m" for one commitment, and "m' = 2·m" for a pair of commitments, and the verifier outputs true).

Let C_1 = g^m h^r and C_2 = g^{m'} h^{r'}, then
- PK{(α, β): C_1 = g^β h^α}  (knowledge of the contents of C_1)
- PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ}  (proves m' = 2·m)
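The two proofs above, implemented over a toy prime-order group as an added example (not code from the talk or from Identity Mixer): Pedersen commitments, a Fiat-Shamir proof of knowledge of the contents, and the proof that a second commitment contains 2·m. The parameters p = 2q+1 = 2039, g = 4, h = 9 and the committed value 123 are constructed toy values.

```python
"""Pedersen commitments over a toy prime-order group with Fiat-Shamir proofs of
knowledge of the contents and of the relation m2 = 2*m1 between two commitments.
Constructed example, not the talk's or Identity Mixer's code; the toy parameters
p = 2q+1 = 2039, g = 4, h = 9 are far too small for real use, and in practice h
must be generated so that log_g h is unknown to the committer."""
import hashlib
import secrets

P, Q = 2039, 1019   # p = 2q + 1, both prime; the squares mod p form G of order q
G, H = 4, 9         # 2^2 and 3^2: squares != 1, hence generators of G

def commit(x: int, r: int) -> int:
    """Pedersen commitment c = g^x h^r mod p to x in Z_q with randomness r."""
    return pow(G, x, P) * pow(H, r, P) % P

def open_commitment(c: int, x: int, r: int) -> bool:
    """Verifier's check once (x, r) is revealed."""
    return c == commit(x % Q, r % Q)

def _challenge(*values: int) -> int:
    """Fiat-Shamir challenge in [1, q-1] from the public values and announcements."""
    data = b"".join(v.to_bytes(4, "big") for v in values)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def prove_contents(c: int, x: int, r: int) -> tuple:
    """SPK{(alpha, beta): c = g^beta h^alpha}: prover knows the opening of c."""
    rb, ra = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, rb, P) * pow(H, ra, P) % P           # announcement
    ch = _challenge(G, H, c, t)
    return t, (rb + ch * x) % Q, (ra + ch * r) % Q   # (t, s_beta, s_alpha)

def verify_contents(c: int, proof: tuple) -> bool:
    t, sb, sa = proof
    ch = _challenge(G, H, c, t)
    return pow(G, sb, P) * pow(H, sa, P) % P == t * pow(c, ch, P) % P

def prove_double(c1: int, c2: int, m: int, r1: int, r2: int) -> tuple:
    """SPK{(alpha, beta, gamma): c1 = g^beta h^alpha AND c2 = (g^2)^beta h^gamma}.
    One response s_beta serves both equations; that shared exponent is what
    proves c2 commits to exactly 2*m when c1 commits to m."""
    rb, ra, rg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, rb, P) * pow(H, ra, P) % P
    t2 = pow(G * G % P, rb, P) * pow(H, rg, P) % P
    ch = _challenge(G, H, c1, c2, t1, t2)
    return t1, t2, (rb + ch * m) % Q, (ra + ch * r1) % Q, (rg + ch * r2) % Q

def verify_double(c1: int, c2: int, proof: tuple) -> bool:
    t1, t2, sb, sa, sg = proof
    ch = _challenge(G, H, c1, c2, t1, t2)
    return (pow(G, sb, P) * pow(H, sa, P) % P == t1 * pow(c1, ch, P) % P
            and pow(G * G % P, sb, P) * pow(H, sg, P) % P == t2 * pow(c2, ch, P) % P)

def demo() -> dict:
    """Commit to m and 2m, prove both facts, and show a wrong relation is rejected."""
    m, r1, r2 = 123, secrets.randbelow(Q), secrets.randbelow(Q)
    c1, c2 = commit(m, r1), commit(2 * m, r2)
    c_bad = commit(3 * m, r2)        # commits to 3m, so the doubling proof must fail
    return {"opens": open_commitment(c1, m, r1),
            "wrong_open": open_commitment(c1, m + 1, r1),
            "contents": verify_contents(c1, prove_contents(c1, m, r1)),
            "double": verify_double(c1, c2, prove_double(c1, c2, m, r1, r2)),
            "double_bad": verify_double(c1, c_bad, prove_double(c1, c_bad, m, r1, r2))}

if __name__ == "__main__":
    print(demo())
```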
Putting things together
Realizing Pseudonyms and Key Binding

Let G = <g> = <h> of order q.
User's secret key: random sk ∈ Z_q.
To compute a pseudonym Nym:
- choose random r ∈ Z_q
- compute Nym = g^{sk} h^r
Privacy-protecting authentication with Privacy ABCs: issuing a credential

Concept: credentials, like PKI but better (diagram of a credential with the attributes Name = Alice Doe, Birth date = April 3, 1997).
Realizing Issuance of Credential

Recall a signature (c, e, s) on messages m_1, ..., m_k:
- m_1, ..., m_k ∈ {0,1}^ℓ
- e > 2^{ℓ+1}
- d = c^e · a_1^{m_1} ··· a_k^{m_k} · b^s mod n

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead
→ d = c^e · a_1^{sk} · a_2^{m_2} ··· a_k^{m_k} · b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

(diagram: the user hands the signer commitments to m_1, ..., m_j together with the clear messages (m_{j+1}, ..., m_k); the signer returns σ = sig(commitments, (m_{j+1}, ..., m_k)), and the user ends up with σ such that ver(σ, (m_1, ..., m_k)) = true)

Verification remains unchanged. The security requirements are basically the same as for signatures, but:
- the signer should not learn any information about m_1, ..., m_j
- forgery is w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential

Issuer public key: n, a_i, b, d.

1. The user computes C = a_1^{sk} · b^{s'} and sends C together with the attribute "name" to the issuer, along with the proof
   PK{(µ_1, σ'): C = a_1^{µ_1} · b^{σ'}}.
2. The issuer chooses e and s'', computes c = (d / (C · a_2^{name} · b^{s''}))^{1/e} mod n and returns (c, e, s'').
3. The resulting credential satisfies d = c^e · a_1^{sk} · a_2^{name} · b^{s'' + s'} (mod n).
Realizing Issuance of Credential

Issuer public key: n, a_i, b, d. Want to sign w.r.t. Nym = g^{sk} h^r.

1. The user computes Nym = g^{sk} h^r and C = a_1^{sk} · a_2^r · b^{s'} and sends Nym, C and the attribute "name" to the issuer, along with the proof
   PK{(µ_1, ρ, σ'): Nym = g^{µ_1} h^ρ ∧ C = a_1^{µ_1} · a_2^ρ · b^{σ'}}.
2. The issuer stores (Nym, name), chooses e and s'', computes c = (d / (C · a_3^{name} · b^{s''}))^{1/e} mod n and returns (c, e, s'').
3. The credential satisfies d = c^e · a_1^{sk} · a_2^r · a_3^{name} · b^{s'' + s'} (mod n).
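The issuance on a committed secret key just described, together with the c' = c·b^t, s' = s - e·t re-randomisation from the "Proving Knowledge of a CL-signature" slide, as an added example in Python (not the talk's or Identity Mixer's own code): a toy CL signature with issuer key generation, signing, verification, and signing a hidden secret key with clear attributes added by the issuer. The modulus n = 107·167, the bases, ℓ = 8 and the attribute values are constructed toy values, and the user's proof of knowledge of the commitment opening is omitted.

```python
"""Toy CL signatures (Camenisch-Lysyanskaya, Strong RSA) as used for Identity
Mixer credentials: sign, verify, issue on a committed secret key, re-randomise.
Constructed example, not the talk's or Identity Mixer's own code; n = 107 * 167
is a toy modulus (real issuers use ~2048-bit safe primes) and the user's proof
of knowledge of the commitment opening is omitted."""
import secrets

L = 8                        # attribute length ell: messages are in [0, 2^ell)
P_SAFE, Q_SAFE = 107, 167    # toy safe primes: 107 = 2*53 + 1, 167 = 2*83 + 1

def is_prime(x: int) -> bool:
    """Trial division suffices for the toy sizes used here."""
    return x >= 2 and all(x % k for k in range(2, int(x ** 0.5) + 1))

def keygen(k: int = 3):
    """Public key (n, a_1..a_k, b, d) with all bases in QR_n.  The secret key
    is the order of QR_n, (p-1)(q-1)/4, which lets the issuer take e-th roots."""
    n = P_SAFE * Q_SAFE
    a = [pow(base, 2, n) for base in (2, 3, 5, 7, 11)[:k]]   # squares -> QR_n
    pk = {"n": n, "a": a, "b": pow(13, 2, n), "d": pow(17, 2, n)}
    return pk, {"order_qr": (P_SAFE - 1) * (Q_SAFE - 1) // 4}

def random_prime_e() -> int:
    """Random prime e with 2^(ell+2) > e > 2^(ell+1)."""
    lo, hi = 2 ** (L + 1) + 1, 2 ** (L + 2)
    while True:
        e = lo + secrets.randbelow(hi - lo)
        if is_prime(e):
            return e

def root(pk, sk, y: int, e: int) -> int:
    """e-th root of y in QR_n; only possible with the factorisation of n."""
    return pow(y, pow(e, -1, sk["order_qr"]), pk["n"])

def product_of_bases(pk, msgs, first: int = 0) -> int:
    """prod a_i^m_i mod n over the bases starting at index `first`."""
    acc, n = 1, pk["n"]
    for a_i, m_i in zip(pk["a"][first:], msgs):
        acc = acc * pow(a_i, m_i, n) % n
    return acc

def sign(pk, sk, msgs):
    """Signature (c, e, s): c = (d / (prod a_i^m_i * b^s))^(1/e) mod n."""
    n, e = pk["n"], random_prime_e()
    s = n + secrets.randbelow(n)                 # integer s of about the size of n
    y = pk["d"] * pow(product_of_bases(pk, msgs) * pow(pk["b"], s, n), -1, n) % n
    return root(pk, sk, y, e), e, s

def verify(pk, msgs, sig) -> bool:
    """m_i in [0, 2^ell), e > 2^(ell+1) prime, d = c^e prod a_i^m_i b^s (mod n)."""
    c, e, s = sig
    n = pk["n"]
    if len(msgs) != len(pk["a"]) or any(not 0 <= m < 2 ** L for m in msgs):
        return False
    if e <= 2 ** (L + 1) or not is_prime(e):
        return False
    return pk["d"] == pow(c, e, n) * product_of_bases(pk, msgs) % n * pow(pk["b"], s, n) % n

def issue_on_commitment(pk, sk, commitment: int, clear_msgs):
    """Issuer side of signing a hidden message: the user sent C = a_1^sk * b^s'
    (plus a proof of knowledge, omitted); the issuer adds the clear attributes
    under a_2.. and returns (c, e, s'')."""
    n, e = pk["n"], random_prime_e()
    s2 = n + secrets.randbelow(n)
    hidden_and_clear = commitment * product_of_bases(pk, clear_msgs, first=1) % n
    y = pk["d"] * pow(hidden_and_clear * pow(pk["b"], s2, n), -1, n) % n
    return root(pk, sk, y, e), e, s2

def randomize(pk, sig):
    """c' = c * b^t, s' = s - e*t: a different-looking signature on the same messages."""
    c, e, s = sig
    n = pk["n"]
    while True:
        t = secrets.randbelow(n)
        c_new = c * pow(pk["b"], t, n) % n
        if c_new != c:                           # t = 0 (or b^t = 1) gives nothing new
            return c_new, e, s - e * t

def demo():
    pk, sk = keygen(k=3)
    attrs = [42, 200, 7]                         # user_sk, name, course, all < 2^ell
    user_sk, name, course = attrs
    plain_ok = verify(pk, attrs, sign(pk, sk, attrs))
    # Issuance on a hidden secret key: the user commits, the issuer signs C.
    n = pk["n"]
    s1 = n + secrets.randbelow(n)                # the user's s'
    C = pow(pk["a"][0], user_sk, n) * pow(pk["b"], s1, n) % n
    c, e, s2 = issue_on_commitment(pk, sk, C, [name, course])
    cred = (c, e, s2 + s1)                       # d = c^e a1^sk a2^name a3^course b^(s''+s')
    rnd = randomize(pk, cred)
    return {"plain": plain_ok,
            "credential": verify(pk, attrs, cred),
            "wrong_sk": verify(pk, [user_sk + 1, name, course], cred),
            "randomized": verify(pk, attrs, rnd),
            "c_changed": rnd[0] != cred[0]}

if __name__ == "__main__":
    print(demo())
```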
An Example Scenario
Polling Scenario and Requirements

Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.
Polling - Solution: Registration

Issuer public key: (n, a_1, a_2, b, d).
The user generates a pseudonym (ID for registration) and obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
d = c^e · a_1^{sk} · a_2^r · a_3^{attr} · b^s (mod n).
The credential can contain attributes (e.g. the course ID) about her.
Polling - Solution: Submit Poll

1. The user generates a domain pseudonym, domain = pollID.
2. The user transforms the credential.
3. The user shows the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling - Solution: Polling

1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}.
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
   - c' = c · b^{s'} mod n with randomly chosen s'
   - SPK{(ε, µ_1, µ_2, µ_3, σ): P = g_d^{µ_1} ∧ d = c'^ε · a_1^{µ_1} · a_2^{µ_2} · a_3^{µ_3} · b^σ (mod n) ∧ µ_1, µ_2, µ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts
Concept - Inspection

(diagram: a TTP with inspector parameters and inspection grounds)
- If the car is damaged, the ID needs to be retrieved with the insurance or the government.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption

(diagram: key generation, encryption, decryption)

Security: like envelopes, no information about the message leaks. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label

The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext.
Verifiable Encryption

- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård, works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme

Group G = <g> of order q.
Secret key: x ∈ {1, ..., q}. Public key: y = g^x.
To encrypt a message m ∈ <g>:
- choose random r ∈ {1, ..., q}
- compute c = (y^r · m, g^r)
To decrypt a ciphertext c = (c_1, c_2):
- we know c = (y^r · m, g^r) = (g^{xr} · m, g^r)
- thus set m = c_1 · c_2^{-x} = y^r · m · g^{-xr} = y^{r-r} · m = m
Realizing Inspection

Credential: Nym = g^{sk} h^r and d = c^e · a_1^{sk} · a_2^r · a_3^{name} · b^{s'' + s'} (mod n).
Inspector's public key: y = g^x.

Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u · Nym, g^u) = (e_1, e_2).
Compute the proof token (presentation token):
- compute c' = c · b^t mod n with randomly chosen t
- compute the proof
  PK{(ε, µ_1, µ_2, µ_3, σ, ρ): d = c'^ε · a_1^{µ_1} · a_2^{µ_2} · a_3^{µ_3} · b^σ ∧ e_1 = y^ρ · g^{µ_1} h^{µ_2} ∧ e_2 = g^ρ ∧ µ_1, µ_2, µ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
Anonymous Credential Revocation

(diagram: the issuer publishes revocation info; the verifier looks it up)
Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential / secret key, misbehavior of the user.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution

Include into the credential some credential ID u_i as a message, e.g. d = c^e · a_1^{sk} · a_2^{u_i} · b^{s'' + s'} (mod n).
Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k).
Alice proves that her u_i is on the list:
- choose random g
- compute U_j = g^{u_j} for each u_j in (u_1, ..., u_k)
- prove PK{(ε, µ, ρ, σ): (d = c^ε · a_1^ρ · a_2^µ · b^σ (mod n) ∧ U_1 = g^µ) ∨ ... ∨ (d = c^ε · a_1^ρ · a_2^µ · b^σ (mod n) ∧ U_k = g^µ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID u_i as a message, e.g. d = c^e · a_1^{sk} · a_2^{u_i} · b^{s'' + s'} (mod n).
Publish the list of all invalid u_i's: (u_1, ..., u_k).
Alice proves that her u_i is not on the list:
- choose random h and compute U = h^{u_i}
- prove PK{(ε, µ, ρ, σ): d = c^ε · a_1^ρ · a_2^µ · b^σ (mod n) ∧ U = h^µ}
- the verifier checks that U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution

Variation: the verifier could choose h and keep it fixed for a while.
- It can pre-compute the list U_i = h^{u_i} → a single table lookup.
- BUT if the user comes again, the verifier can link her visits. ALSO the verifier could decide never to change h, or use the same h as other verifiers.
- One way out: h = H(verifier, date), so the user can check its correctness.
- The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution - better implementation of the proof

(diagram: a number line from 0 to N with the revoked values 1, 4, 5 and Alice's value 3)
The issuer signs the intervals between revoked values: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N) → revocation list {1, 4, 5}.
Alice shows that her credential contains a value u where i < u < j and she knows Sig(i, j).
The verifier does not learn i, j.
Sig(i, j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution - Using cryptographic accumulators

(diagram: credentials contain random serial numbers 1, ..., 6; the issuer accumulates all good serial numbers; showing that a serial number is included in the accumulator requires a witness; to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials)
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
- the values are primes e_i
- accumulator value z = v^{Π e_i} mod n
- publish z and n
- the witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
- provide x for e
- the verifier checks z = x^e mod n
Revocable Credentials: Third Solution

Security of the accumulator: it must be hard to find x (and e) s.t. z = x^e mod n for an e that is not contained in the accumulator.
- For fixed e: equivalent to the RSA assumption
- Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e and each user gets a witness x with the certificate. But we still need:
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
- commit to x:
  - choose random s and g, and
  - compute U_1 = x · h^s, U_2 = g^s and reveal U_1, U_2, g
- run the proof protocol with the verifier:
  PK{(ε, µ, ρ, σ, ξ, δ): d = c^ε · a_1^ρ · a_2^µ · b^σ (mod n) ∧ z = U_1^µ · (1/h)^ξ (mod n) ∧ 1 = U_2^µ · (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution

Analysis:
- No information about x and e is revealed:
  - (U_1, U_2) is a secure commitment to x
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^µ · (1/g)^ξ = (g^δ)^µ · (1/g)^ξ (mod n) ⇒ ξ = δ·µ
  b) z = U_1^µ · (1/h)^ξ = U_1^µ · (1/h)^{δ·µ} = (U_1 / h^δ)^µ (mod n)
  c) d = c^ε · a_1^ρ · a_2^µ · b^σ (mod n)
Revocation: Third Solution - Dynamic Accumulator

When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- thus z' = z^{e_new} mod n
- but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution - Dynamic Accumulator

When a certificate containing e_rev is revoked:
- now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
- witness:
  - use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  - now x' = x^b · z'^a mod n
  - why? x'^{e_own} = ((x^b · z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b · z'^a)^{e_own · e_rev})^{1/e_rev} mod n
    = ((x^{e_own})^{b·e_rev} · (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n
    = (z^{b·e_rev} · z^{a·e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
- recall z = v^{Π e_i} mod n
- actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
- thus z needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
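The dynamic accumulator of the third solution, from the construction slide through the add, revoke and improved-add steps above, as an added example in Python (not the talk's or Identity Mixer's own code). The modulus n = 107·167, the seed v = 19² and the prime serial numbers 521, 523, 541, 547, 557, 563 are constructed toy values.

```python
"""Dynamic RSA accumulator for credential revocation, following the 'third
solution' slides: accumulate prime serial numbers, issue witnesses, add a value
(all witnesses updated), revoke a value (witnesses updated with the extended
Euclid trick) and the improved variant where the issuer, knowing the
factorisation of n, adds members without changing z.
Constructed example, not the talk's or Identity Mixer's code; n = 107 * 167 and
the serial numbers are toy-sized."""

P_SAFE, Q_SAFE = 107, 167                     # toy safe primes, ~1024 bits in practice
N = P_SAFE * Q_SAFE
ORDER_QR = (P_SAFE - 1) * (Q_SAFE - 1) // 4   # order of QR_n: the issuer's secret
V = pow(19, 2, N)                             # seed v, a square, hence in QR_n

def accumulate(values):
    """z = v^(prod e_i) mod n over the prime serial numbers e_i."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z

def witness(values, e_j):
    """x = v^(prod of all e_i except e_j) mod n, so that x^e_j = z."""
    x = V
    for e in values:
        if e != e_j:
            x = pow(x, e, N)
    return x

def verify(z, e, x):
    """Verifier's membership check: z == x^e mod n."""
    return z == pow(x, e, N)

def add(z, x_own, e_new):
    """Public update when e_new joins: z' = z^e_new and every witness x' = x^e_new."""
    return pow(z, e_new, N), pow(x_own, e_new, N)

def ext_gcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = ext_gcd(b, a % b)
    return g, v, u - (a // b) * v

def revoke_witness_update(z_new, x_own, e_own, e_rev):
    """Witness update after e_rev is revoked and the issuer published
    z' = z^(1/e_rev): with a*e_own + b*e_rev = 1 set x' = x^b * z'^a, since
    x'^e_own = (z^(b*e_rev) * z^(a*e_own))^(1/e_rev) = z^(1/e_rev) = z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("serial numbers must be distinct primes")
    return pow(x_own, b, N) * pow(z_new, a, N) % N     # negative exponents invert mod n

def issuer_revoke(z, e_rev):
    """Issuer side: z' = z^(1/e_rev) mod n, which needs the factorisation of n."""
    return pow(z, pow(e_rev, -1, ORDER_QR), N)

def issuer_add_without_change(z, e_new):
    """Improved variant: z stays fixed and the new member gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, ORDER_QR), N)

def demo():
    serials = [521, 523, 541, 547]                 # constructed prime serial numbers
    alice, bob = 523, 541
    z = accumulate(serials)
    x_alice = witness(serials, alice)
    out = {"alice_ok": verify(z, alice, x_alice),
           "forged": verify(z, 557, x_alice)}      # 557 was never accumulated
    # A new member joins: z and all witnesses are updated from public data.
    z, x_alice = add(z, x_alice, 557)
    serials.append(557)
    out["after_add"] = verify(z, alice, x_alice) and z == accumulate(serials)
    # Bob is revoked: the issuer publishes z', Alice updates her witness herself.
    x_bob = witness(serials, bob)
    z_new = issuer_revoke(z, bob)
    serials.remove(bob)
    x_alice = revoke_witness_update(z_new, x_alice, alice, bob)
    out["after_revoke"] = verify(z_new, alice, x_alice) and z_new == accumulate(serials)
    out["bob_revoked"] = verify(z_new, bob, x_bob)   # Bob's old witness no longer works
    # Improved variant: Carol joins without z changing, so Alice's witness stays valid.
    x_carol = issuer_add_without_change(z_new, 563)
    out["carol_ok"] = verify(z_new, 563, x_carol) and verify(z_new, alice, x_alice)
    return out

if __name__ == "__main__":
    print(demo())
```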
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution - Re-issue certificates (off-line - interaction might be too expensive)

Recall issuing for Identity Mixer: the user sends U = a_1^{m_1} · a_2^{m_2} · b^{s'}; the issuer chooses e, s'' and computes c = (d / (U · a_3^{m_3} · a_4^{time} · b^{s''}))^{1/e} mod n and returns (c, e, s'').

Idea: just repeat the last step for each new time period time_i. The update information (c_i, e_i, s_i'') can be pushed to the user by many different means: the issuer chooses e_i, s_i'' and computes c_i = (d / (U · a_3^{m_3} · a_4^{time_i} · b^{s_i''}))^{1/e_i} mod n.
Conclusions

Roadmap
- Explain the possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)

Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell

Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!

eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References

- D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141, Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333, Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- J. Camenisch, A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
- Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
- Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
- Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
- M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Vol. 16, No. 3, pp. 185-215, Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology - CRYPTO '93, Springer-Verlag, 1993.
References

- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84-88, 1981.
copy 2014 IBM Corporation72 August 11 2015
RSA Signature Scheme ndash for reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2014 IBM Corporation73 August 11 2015
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution – Using cryptographic accumulators
(Figure: the same accumulator after revoking serial number 2)
– A proof would require a witness
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators
– Key setup: RSA modulus n, seed v
– Accumulate:
  – values are primes e_i
  – accumulator value z = v^{Π e_i} mod n
  – publish z and n
  – witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
– Show that your value e is contained in the accumulator:
  – provide x for e
  – verifier checks z = x^e mod n
Revocable Credentials: Third Solution
– Security of the accumulator: it must be hard to find x and e with z = x^e mod n for an e that is not contained in the accumulator
  – For fixed e: equivalent to the RSA assumption
  – Any e: equivalent to the Strong RSA assumption
– Revocation: each certificate is associated with an e, and each user gets a witness x together with the certificate. But we still need
  – an efficient protocol to prove that a committed value is contained in the accumulator
  – a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator
– Commit to x:
  • choose random s and g, and
  • compute U_1 = x · h^s, U_2 = g^s and reveal U_1, U_2, g
– Run the proof protocol with the verifier: PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε · a_1^ρ · a_2^μ · b^σ (mod n) ∧ z = U_1^μ · (1/h)^ξ (mod n) ∧ 1 = U_2^μ · (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed:
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ · (1/g)^ξ = (g^δ)^μ · (1/g)^ξ (mod n) ⇒ ξ = δ · μ
  b) z = U_1^μ · (1/h)^ξ = U_1^μ · (1/h)^{δ·μ} = (U_1 / h^δ)^μ (mod n), i.e. U_1 / h^δ is a witness for μ
  c) d = c^ε · a_1^ρ · a_2^μ · b^σ (mod n), i.e. the same μ sits in the certificate
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n
– Witness update:
  • use the extended Euclidean algorithm to compute a and b s.t. a · e_own + b · e_rev = 1
  • now x' = x^b · z'^a mod n
  • why: x'^{e_own} = ((x^b · z'^a)^{e_own})^{e_rev · (1/e_rev)} mod n = ((x^b · z'^a)^{e_own · e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b · e_rev} · (z'^{e_rev})^{a · e_own})^{1/e_rev} mod n = (z^{b · e_rev} · z^{a · e_own})^{1/e_rev} mod n = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
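The accumulator lifecycle of the preceding slides (accumulate, witness, membership check, join with and without the issuer's trapdoor, revocation with the extended-Euclid witness update) as an added runnable example. This is not the Identity Mixer code; the modulus, the seed v and the serial-number primes are constructed toy values chosen small enough to read, whereas a real deployment uses a ~2048-bit modulus and large random primes.

```python
"""Toy RSA accumulator with dynamic add and revoke (Camenisch-Lysyanskaya style).
Added example with constructed toy parameters; not the Identity Mixer code."""

# Constructed toy key: the factors P, Q stay with the issuer, n and v are public.
P, Q = 1000000007, 998244353
N = P * Q                       # public modulus n
PHI = (P - 1) * (Q - 1)         # issuer trapdoor, needed for 1/e exponents
V = 4                           # public seed v (a quadratic residue mod n)

def accumulate(primes, v=V, n=N):
    """z = v^(prod e_i) mod n, computed as repeated exponentiation."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z

def witness(primes, e_j, v=V, n=N):
    """x = v^(product of all e_i except e_j) mod n, so that x^e_j == z."""
    return accumulate([e for e in primes if e != e_j], v, n)

def verify(z, x, e, n=N):
    """Membership check done by the verifier: z == x^e mod n."""
    return pow(x, e, n) == z

def add_member(z, e_new, n=N):
    """Join without the trapdoor: z' = z^e_new; every holder must then refresh x' = x^e_new."""
    return pow(z, e_new, n)

def refresh_witness_after_add(x, e_new, n=N):
    return pow(x, e_new, n)

def add_member_with_trapdoor(z, e_new, phi=PHI, n=N):
    """Improved join (issuer knows phi): z stays fixed, the newcomer gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, phi), n)

def revoke(z, e_rev, phi=PHI, n=N):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n; all other holders must refresh."""
    return pow(z, pow(e_rev, -1, phi), n)

def ext_euclid(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def refresh_witness_after_revoke(x, z_new, e_own, e_rev, n=N):
    """With a*e_own + b*e_rev = 1 the holder sets x' = x^b * z'^a, and x'^e_own == z'.
    Negative exponents are modular inverses (Python 3.8+ pow supports them)."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated values must be distinct primes")
    return pow(x, b, n) * pow(z_new, a, n) % n

if __name__ == "__main__":
    members = [101, 103, 107, 109]           # constructed toy serial-number primes
    z = accumulate(members)
    x = witness(members, 103)
    print("103 in accumulator:", verify(z, x, 103))
    z2 = revoke(z, 107)
    print("after revoking 107, refreshed witness for 103:",
          verify(z2, refresh_witness_after_revoke(x, z2, 103, 107), 103))
```

The verifier only ever runs `verify`; `revoke` and `add_member_with_trapdoor` need φ(n) and therefore stay with the issuer, while the two `refresh_witness_*` functions are what every unrevoked holder runs on the published (z', e) update.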
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User: computes U = a_1^{m_1} · a_2^{m_2} · b^{s'} and sends U to the issuer
– Issuer: chooses e, s'' and computes c = (d / (U · a_3^{m_3} · a_4^{time} · b^{s''}))^{1/e} mod n; returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
– Idea: just repeat the last step for each new time period time_i
– The update information (c_i, e_i, s_i'') can be pushed to the user by many different means
– Issuer chooses e_i, s_i'' and computes c_i = (d / (U · a_3^{m_3} · a_4^{time_i} · b^{s_i''}))^{1/e_i} mod n
Conclusions
– Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
– Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
– Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb/
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
RSA Signature Scheme – for reference
– Verification of a signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
– Wanna do a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}
– But this is not a valid proof expression :-(
CL-Signature Scheme
– Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n
– Secret key: factors of n
– To sign k messages m_1, …, m_k ∈ {0,1}^ℓ: choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, compute c = (d / (a_1^{m_1} ··· a_k^{m_k} · b^s))^{1/e} mod n
– The signature is (c, e, s)
CL-Signature Scheme
– To verify a signature (c, e, s) on messages m_1, …, m_k: check m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}, and d = c^e · a_1^{m_1} ··· a_k^{m_k} · b^s mod n
– Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption
Proving Knowledge of a CL-signature
– Recall d = c^e · a_1^{m_1} · a_2^{m_2} · b^s mod n
– Observe: let c' = c · b^t mod n with randomly chosen t. Then d = c'^e · a_1^{m_1} · a_2^{m_2} · b^{s − e·t} (mod n), i.e. (c', e, s' = s − e·t) is also a signature on m_1 and m_2
– To prove knowledge of a signature (c', e, s') on m_2 and some m_1: provide c' and run PK{(ε, μ_1, σ): d / a_2^{m_2} = c'^ε · a_1^{μ_1} · b^σ ∧ μ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
  → proves d = c'^ε · a_1^{μ_1} · a_2^{m_2} · b^σ
Privacy-protecting authentication with Privacy-ABCs
(Figure: Alice's building blocks – signature scheme, commitment scheme, zero-knowledge proofs)
Commitment scheme
Commitment Scheme: Functionality
(Figure: the committer seals a message m in an envelope and hands it over; later she opens it and the recipient reads m)
Commitment Scheme: Security – Binding
(Figure: a sealed envelope containing m cannot be opened to a different message m')
Commitment Scheme: Security – Hiding
(Figure: for all messages m, m', the sealed envelopes for m and m' look the same to the recipient)
Commitment Schemes
– Group G = ⟨g⟩ = ⟨h⟩ of order q
– To commit to an element x ∈ Z_q:
  • Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x · h^r
  • ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x · h^r, g^r)
– To open a commitment:
  • reveal x and r to the verifier
  • verifier checks whether c = g^x · h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x · h^r
– Perfectly hiding: let c be a commitment and u = log_g h. Thus c = g^x · h^r = g^{x + u·r} = g^{(x + u·(r − r')) + u·r'} = g^{x'} · h^{r'} with x' = x + u·(r − r'), for any r'. I.e. given c and any x', there exists r' such that c = g^{x'} · h^{r'}
– Computationally binding: let c, (x, r) and (x', r') be s.t. c = g^x · h^r = g^{x'} · h^{r'}. Then g^{x − x'} = h^{r' − r} and u = log_g h = (x − x') / (r' − r) mod q
Commitment Scheme: Extended Features
– Proof of knowledge of contents (figure: the prover convinces the verifier that she knows the m inside the sealed envelope, without opening it)
– Proof of relations among contents (figure: the prover shows that two sealed envelopes contain m and m' with m' = 2 · m)
Let C_1 = g^m · h^r and C_2 = g^{m'} · h^{r'}, then
– PK{(α, β): C_1 = g^β · h^α}
– PK{(α, β, γ): C_1 = g^β · h^α ∧ C_2 = (g^2)^β · h^γ}
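The Pedersen scheme of the previous two slides as an added runnable example: commit and open, the perfect-hiding argument (with u = log_g h every x' opens the same c), the binding argument (two openings leak log_g h), and the Σ-protocol for PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ}. This is not the Identity Mixer code; the group (p = 2039, q = 1019, g = 4, h = 9) is a constructed toy, small enough that the trapdoor log_g h can be found by brute force, which is exactly what makes the hiding argument concrete here. Real systems use 2048-bit groups or elliptic curves.

```python
"""Pedersen commitment in a toy prime-order group, with the hiding and binding
arguments and an interactive proof of knowledge of the committed value that also
proves the relation m_2 = 2 * m_1 between two commitments.
Added example with constructed toy parameters; not the Identity Mixer code."""
from secrets import randbelow

# Constructed toy group: p = 2q + 1 is a safe prime, so the squares mod p form the
# subgroup of prime order q.  Both G and H are squares, hence generators of it.
P, Q = 2039, 1019
G, H = 4, 9          # log_g h is unknown to the committer in a real deployment

def commit(x, r=None):
    """Pedersen: c = g^x h^r with fresh r in Z_q; returns (c, r)."""
    r = randbelow(Q) if r is None else r
    return pow(G, x, P) * pow(H, r, P) % P, r

def open_ok(c, x, r):
    """Verifier side of opening."""
    return c == pow(G, x, P) * pow(H, r, P) % P

def toy_dlog(base, target):
    """Brute-force log_base(target); feasible only because q is tiny (toy)."""
    acc = 1
    for k in range(Q):
        if acc == target:
            return k
        acc = acc * base % P
    raise ValueError("no discrete logarithm found")

def equivocate(x, r, x_new):
    """Perfect hiding: whoever knows u = log_g h opens c = g^x h^r to any x_new with
    r_new = r + (x - x_new)/u mod q, because g^x h^r = g^(x + u*r)."""
    u = toy_dlog(G, H)
    return (r + (x - x_new) * pow(u, -1, Q)) % Q

def extract_dlog(x1, r1, x2, r2):
    """Binding: two openings of one c with x1 != x2 give log_g h = (x1 - x2)/(r2 - r1) mod q."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q

# Sigma-protocol for PK{(alpha, beta, gamma): C1 = g^beta h^alpha  and  C2 = (g^2)^beta h^gamma}
def pk_commit(m, r1, r2):
    """Prover's first move: random masks and the announcements T1, T2."""
    km, k1, k2 = randbelow(Q), randbelow(Q), randbelow(Q)
    t1 = pow(G, km, P) * pow(H, k1, P) % P
    t2 = pow(pow(G, 2, P), km, P) * pow(H, k2, P) % P
    return (m, r1, r2, km, k1, k2), t1, t2

def pk_respond(state, c):
    """Prover's answer to the verifier's challenge c in Z_q."""
    m, r1, r2, km, k1, k2 = state
    return (km + c * m) % Q, (k1 + c * r1) % Q, (k2 + c * r2) % Q

def pk_verify(c1, c2, t1, t2, c, sm, s1, s2):
    """g^sm h^s1 == T1 C1^c and (g^2)^sm h^s2 == T2 C2^c; the shared sm enforces m_2 = 2 m_1."""
    ok1 = pow(G, sm, P) * pow(H, s1, P) % P == t1 * pow(c1, c, P) % P
    ok2 = pow(pow(G, 2, P), sm, P) * pow(H, s2, P) % P == t2 * pow(c2, c, P) % P
    return ok1 and ok2

if __name__ == "__main__":
    c1, r1 = commit(5)
    c2, r2 = commit(10)               # = (g^2)^5 h^r2, so the relation holds
    state, t1, t2 = pk_commit(5, r1, r2)
    chal = randbelow(Q)               # honest verifier's random challenge
    print("proof accepted:", pk_verify(c1, c2, t1, t2, chal, *pk_respond(state, chal)))
```

A prover who uses a wrong m (or a pair of commitments that do not satisfy m_2 = 2·m_1) fails `pk_verify` for every non-zero challenge, which is the soundness the slide's PK notation promises; with this toy q the verifier's challenge space is only 1019 values, so the soundness error is 1/1019 per run rather than the negligible value of a real group.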
Putting things together
Realizing Pseudonyms and Key Binding
– Let G = ⟨g⟩ = ⟨h⟩ of order q
– User's secret key: random sk ∈ Z_q
– To compute a pseudonym Nym:
  – Choose random r ∈ Z_q
  – Compute Nym = g^{sk} · h^r
Privacy-protecting authentication with Privacy-ABCs
Concept: credentials – like PKI, but better
(Figure: issuing a credential to Alice with the attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
– Recall a signature (c, e, s) on messages m_1, …, m_k:
  – m_1, …, m_k ∈ {0,1}^ℓ
  – e > 2^{ℓ+1}
  – d = c^e · a_1^{m_1} ··· a_k^{m_k} · b^s mod n
– Problem: the pseudonym is not in the message space
– Solution: sign the secret key instead → d = c^e · a_1^{sk} · a_2^{m_2} ··· a_k^{m_k} · b^s mod n
– New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(Figure: the user commits to m_1, …, m_j and sends the commitment together with the clear messages (m_{j+1}, …, m_k); the signer returns σ = sig(commitment, (m_{j+1}, …, m_k)), and ver(σ, (m_1, …, m_k)) = true)
– Verification remains unchanged
– Security requirements basically the same as for signatures, but
  • the signer should not learn any information about m_1, …, m_j
  • forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d
– User: chooses s' and computes C = a_1^{sk} · b^{s'}; sends C and name to the issuer together with PK{(μ_1, σ'): C = a_1^{μ_1} · b^{σ'}}
– Issuer: chooses e, s'' and computes c = (d / (C · a_2^{name} · b^{s''}))^{1/e} mod n; returns (c, e, s'')
– Result: d = c^e · a_1^{sk} · a_2^{name} · b^{s'' + s'} (mod n), i.e. (c, e, s'' + s') is a signature on (sk, name)
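The CL-signature material of the slides above (signing, verification with the range checks on e and the m_i, the re-randomisation c' = c·b^t, s' = s − e·t from the "Proving Knowledge of a CL-signature" slide, and the issuance on a committed secret key from this slide) as one added runnable example. This is not the Identity Mixer code: the modulus, the bases a_i, b, d and the bit length ℓ are constructed toy values (a real issuer uses a ~2048-bit modulus), and the user's proof PK{(μ_1, σ'): C = a_1^{μ_1} b^{σ'}} that accompanies C is not implemented here.

```python
"""Toy CL signature (Camenisch-Lysyanskaya, Strong-RSA based): sign, verify,
re-randomise a signature, and issue a signature on a committed (hidden) secret key.
Added example with constructed toy parameters; not the Identity Mixer code."""
from math import gcd, prod
from secrets import randbelow

# Constructed toy key: the message length ELL and the prime e are scaled down
# together (2^(ELL+1) < e < 2^(ELL+2) and every m_i < 2^ELL, as on the slides).
P_, Q_ = 1000000007, 998244353      # issuer's secret factors of n
N, PHI = P_ * Q_, (P_ - 1) * (Q_ - 1)
ELL = 8

def qr(x):                           # the public bases a_i, b, d must be quadratic residues mod n
    return pow(x, 2, N)
A = [qr(3), qr(5), qr(13)]           # a_1, a_2, a_3
B, D = qr(7), qr(11)

def is_prime(x):
    """Trial division is enough for the toy-sized e used here."""
    return x >= 2 and all(x % k for k in range(2, int(x ** 0.5) + 1))

def pick_e():
    """Random prime e with 2^(ELL+1) < e < 2^(ELL+2) that is invertible mod phi(n)."""
    while True:
        e = 2 ** (ELL + 1) + 1 + 2 * randbelow(2 ** ELL)   # odd candidate in the open interval
        if is_prime(e) and gcd(e, PHI) == 1:
            return e

def sign_base(base, e):
    """Issuer step: c = (d / base)^(1/e) mod n, using the trapdoor phi(n) for 1/e."""
    return pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)

def sign(msgs):
    """Plain CL signature (c, e, s) on clear messages m_1..m_k."""
    e, s = pick_e(), randbelow(N)                                 # integer s of about the size of n
    base = prod(pow(a, m, N) for a, m in zip(A, msgs)) * pow(B, s, N) % N
    return sign_base(base, e), e, s

def verify(msgs, sig):
    """d == c^e * a_1^m_1 ... a_k^m_k * b^s (mod n), plus the range checks on e and m_i."""
    c, e, s = sig
    if not 2 ** (ELL + 1) < e < 2 ** (ELL + 2) or any(not 0 <= m < 2 ** ELL for m in msgs):
        return False
    return pow(c, e, N) * prod(pow(a, m, N) for a, m in zip(A, msgs)) * pow(B, s, N) % N == D

def rerandomize(sig, t=None):
    """(c * b^t, e, s - e*t) is another valid signature on the same messages."""
    c, e, s = sig
    t = randbelow(N) if t is None else t
    return c * pow(B, t, N) % N, e, s - e * t

def issue_on_hidden_key(sk, name):
    """Issuance as on the slide: the user commits C = a_1^sk * b^s', the issuer signs
    (C, name) with fresh s'', and the user's credential is (c, e, s' + s'') on (sk, name).
    The user's proof of knowledge of (sk, s') for C is omitted in this toy."""
    s1 = randbelow(N)                                          # user side
    C = pow(A[0], sk, N) * pow(B, s1, N) % N
    e, s2 = pick_e(), randbelow(N)                             # issuer side; it never sees sk
    c = sign_base(C * pow(A[1], name, N) * pow(B, s2, N) % N, e)
    return c, e, s1 + s2                                       # user combines s' + s''

if __name__ == "__main__":
    sig = sign([17, 200])
    print("valid:", verify([17, 200], sig),
          "re-randomised valid:", verify([17, 200], rerandomize(sig)))
    cred = issue_on_hidden_key(77, 42)
    print("credential on hidden sk valid:", verify([77, 42], cred))
```

`verify` is the only function a relying party needs; it treats (c, e, s) and every re-randomised (c·b^t, e, s − e·t) alike, which is what lets the user show a fresh c' per presentation without the two presentations being linkable through c.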
Realizing Issuance of Credential
Issuer's public key: n, a_i, b, d. Want to sign w.r.t. Nym = g^{sk} · h^r
– User: computes C = a_1^{sk} · a_2^r · b^{s'}; sends C, Nym and name to the issuer together with PK{(μ_1, ρ, σ'): Nym = g^{μ_1} · h^ρ ∧ C = a_1^{μ_1} · a_2^ρ · b^{σ'}}
– Issuer: stores (Nym, name); chooses e, s'' and computes c = (d / (C · a_3^{name} · b^{s''}))^{1/e} mod n; returns (c, e, s'')
– Result: d = c^e · a_1^{sk} · a_2^r · a_3^{name} · b^{s'' + s'} (mod n)
An Example Scenario
Polling: Scenario and Requirements
– Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym (ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e · a_1^{sk} · a_2^r · a_3^{attr} · b^s (mod n) under the issuer's public key (n, a_i, b, d)
– The credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
  – User is anonymous and unlinkable
  – Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
  – P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
  – c' = c · b^{s'} mod n with randomly chosen s'
  – SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε · a_1^{μ_1} · a_2^{μ_2} · a_3^{μ_3} · b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
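The domain-pseudonym part of the polling solution as an added runnable example: P = H(pollID)^{sk}, a Fiat-Shamir signature of knowledge of sk on the opinion, and the pollster's duplicate detection. This is not the Identity Mixer code, and the toy group (p = 2039, q = 1019) and the hash-to-group function are assumptions; the slide's SPK additionally proves that the same μ_1 sits in a valid credential (the CL-signature clause), and that clause is left out here, so this block shows only why the same sk yields the same P within a poll and why the opinion cannot be altered after the fact.

```python
"""Domain pseudonyms for anonymous one-opinion polling: P = H(pollID)^sk, a Fiat-Shamir
signature of knowledge of sk on the opinion, and the pollster's duplicate detection.
Added example with constructed toy parameters; not the Identity Mixer code."""
import hashlib
from secrets import randbelow

P, Q = 2039, 1019     # constructed toy safe-prime group; squares mod p have prime order q

def hash_to_group(poll_id):
    """Toy H(): hash to an integer, then square it so the result lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(poll_id.encode()).digest(), "big") % P
    if h < 2 or h == P - 1:                      # avoid the trivial squares 0 and 1
        h = 2
    return pow(h, 2, P)

def domain_pseudonym(sk, poll_id):
    """P = g_d^sk with g_d = H(pollID): same sk and poll give the same P; across polls unlinkable (DDH)."""
    return pow(hash_to_group(poll_id), sk, P)

def challenge(*parts):
    """Fiat-Shamir challenge over the transcript and the signed opinion (full 256-bit hash)."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def sign_opinion(sk, poll_id, opinion):
    """SPK{(mu): P = g_d^mu}(opinion): a Schnorr-style proof turned into a signature on the opinion."""
    gd = hash_to_group(poll_id)
    p_dom = pow(gd, sk, P)
    k = randbelow(Q)
    t = pow(gd, k, P)
    c = challenge(poll_id, p_dom, t, opinion)
    return {"P": p_dom, "c": c, "s": (k + c * sk) % Q, "opinion": opinion}

def verify_opinion(tok, poll_id):
    """Recompute t = g_d^s * P^(-c) and check that the challenge matches (Python 3.8+ pow)."""
    gd = hash_to_group(poll_id)
    t = pow(gd, tok["s"], P) * pow(tok["P"], -tok["c"], P) % P
    return tok["c"] == challenge(poll_id, tok["P"], t, tok["opinion"])

class Pollster:
    """Accepts at most one opinion per domain pseudonym; later attempts are dropped."""
    def __init__(self, poll_id):
        self.poll_id, self.seen, self.opinions = poll_id, set(), []

    def submit(self, tok):
        if not verify_opinion(tok, self.poll_id) or tok["P"] in self.seen:
            return False
        self.seen.add(tok["P"])
        self.opinions.append(tok["opinion"])
        return True

if __name__ == "__main__":
    poll = Pollster("course-eval-2015")
    print(poll.submit(sign_opinion(123, "course-eval-2015", "great course")))   # True
    print(poll.submit(sign_opinion(123, "course-eval-2015", "changed my mind")))  # False: same P
```

The pollster never sees sk or the registration pseudonym Nym, only P, so opinions in different polls (different H(pollID)) cannot be matched; what it can do is reject a second token carrying a P it has already accepted.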
Further Concepts
Concept – Inspection
(Figure: a trusted third party (TTP) with inspector parameters and inspection grounds)
• If the car is damaged, the ID has to be retrievable by the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
(Figure: key generation, encryption, decryption)
Security – like envelopes: no information about the message is revealed
(Figure: the recipient cannot tell whether the envelope holds one message or the other)
This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
– The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
– Security definition: a change of label is a new ciphertext
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
– Open problem: to find new ones
ElGamal Encryption Scheme
– Group G = ⟨g⟩ of order q
– Secret key: x ∈ [1, q]; public key: y = g^x
– To encrypt a message m ∈ ⟨g⟩:
  – choose random r ∈ [1, q]
  – compute c = (y^r · m, g^r)
– To decrypt a ciphertext c = (c_1, c_2):
  – We know c = (y^r · m, g^r) = (g^{x·r} · m, g^r)
  – Thus set m = c_1 · c_2^{−x} = y^r · m · g^{−x·r} = y^{r − r} · m = m
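ElGamal encryption of a pseudonym, as used for inspection on the following slide, as an added runnable example: the inspector's key y = g^x, the user's ciphertext (y^u · Nym, g^u), the decryption c_1 · c_2^{−x} from the derivation above, and the off-line inspector that decrypts only when the inspection ground holds. This is not the Identity Mixer code; the group (p = 2039, q = 1019, g = 4, h = 9) is a constructed toy, and Identity Mixer's verifiable encryption (Camenisch-Shoup or Cramer-Shoup) with its proof that the ciphertext really contains the Nym is not reproduced here.

```python
"""ElGamal encryption of a pseudonym (a group element) for inspection.
Added example with constructed toy parameters; not the Identity Mixer code."""
from secrets import randbelow

P, Q = 2039, 1019          # constructed toy safe-prime group; squares mod p have order q
G, H = 4, 9                # generators of the order-q subgroup (as for pseudonyms Nym = g^sk h^r)

def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P

def inspector_keygen(x=None):
    """Secret x in [1, q-1], public y = g^x."""
    x = 1 + randbelow(Q - 1) if x is None else x
    return x, pow(G, x, P)

def encrypt(y, m, u=None):
    """c = (y^u * m, g^u) with fresh u; m must be an element of the order-q subgroup."""
    u = 1 + randbelow(Q - 1) if u is None else u
    return pow(y, u, P) * m % P, pow(G, u, P)

def decrypt(x, ct):
    """c1 * c2^(-x) = y^u m g^(-xu) = m  (Python 3.8+ pow handles the negative exponent)."""
    c1, c2 = ct
    return c1 * pow(c2, -x, P) % P

def inspect(x, token, ground_met):
    """The off-line TTP decrypts the presentation token's ciphertext only when the agreed
    inspection ground holds (e.g. the car is damaged); otherwise the Nym stays hidden."""
    return decrypt(x, token["enc"]) if ground_met else None

if __name__ == "__main__":
    x, y = inspector_keygen()
    nym = pseudonym(77, 5)
    token = {"enc": encrypt(y, nym)}            # travels with the presentation token
    print("no ground:", inspect(x, token, False), "ground met:", inspect(x, token, True) == nym)
```

Two encryptions of the same Nym under the same y differ in both components because u is fresh each time; that is the semantic-security property of the "like envelopes" slide, and it is what keeps presentation tokens unlinkable even though each carries an encryption of the same pseudonym.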
Realizing Inspection
– Nym = g^{sk} · h^r, credential d = c^e · a_1^{sk} · a_2^r · a_3^{name} · b^{s'' + s'} (mod n), inspector public key y = g^x
– Encrypt Nym: random u ∈ [1, q] and enc = (y^u · Nym, g^u) = (e_1, e_2)
– Compute the proof token (presentation token):
  – compute c' = c · b^t mod n with randomly chosen t
  – compute the proof PK{(ε, μ_1, μ_2, μ_3, σ, ρ): d = c'^ε · a_1^{μ_1} · a_2^{μ_2} · a_3^{μ_3} · b^σ ∧ e_1 = y^ρ · g^{μ_1} · h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation information, the verifier looks it up)
– Alice should be able to convince the verifier that her credential is among the good ones
– Various reasons to revoke a credential: user lost credential/secret key, misbehavior of user
– Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
– Include into the credential some credential ID u_i as a message, e.g. d = c^e · a_1^{sk} · a_2^{u_i} · b^{s'' + s'} (mod n)
– Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
– Alice proves that her u_i is on the list:
  – Choose random g
  – Compute U_j = g^{u_j} for u_j in (u_1, …, u_k)
  – Prove PK{(ε, μ, ρ, σ): (d = c^ε · a_1^ρ · a_2^μ · b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε · a_1^ρ · a_2^μ · b^σ (mod n) ∧ U_k = g^μ)}
– Not very efficient, i.e. linear in the size k of the list :-(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation74 August 11 2015
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2014 IBM Corporation75 August 11 2015
To verify a signature (ces) on messages m1 mk
m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod nTheorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2014 IBM Corporation76 August 11 2015
Recall d = ce a1m1a2m2 bs mod n
Observe
Let c = c btmod n with randomly chosen t
Then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c
PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2014 IBM Corporation77 August 11 2015
Privacy-protecting authentication with Privacy ABCs
Alice
signature scheme
commitment scheme
zero-knowledge proofs
copy 2014 IBM Corporation78 August 11 2015
commitment scheme
copy 2014 IBM CorporationAugust 11 2015
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
Signature Scheme: Signing Hidden Messages
The signer receives commitments to $m_1, \ldots, m_j$ and the clear messages $m_{j+1}, \ldots, m_k$, and outputs $\sigma = sig(\mathrm{commit}(m_1), \ldots, \mathrm{commit}(m_j), m_{j+1}, \ldots, m_k)$ such that $ver(\sigma, (m_1, \ldots, m_k)) = true$.
Verification remains unchanged. The security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \ldots, m_j$;
• forgery is defined w.r.t. the clear message parts and the openings of the commitments.
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$. The user holds $sk$ and the pseudonym $Nym = g^{sk} h^{r}$; we want a credential on $(sk, r, name)$ that can later be shown w.r.t. $Nym$.
1. User → Issuer: $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$ (a commitment to $sk$ and $r$ in the signature's message space) together with the clear attribute $name$, and the proof
   $PK\{(\mu_1, \rho, \sigma):\ Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$,
   which binds $C$ to the same $sk$ and $r$ as $Nym$. (Without a pseudonym one simply sends $C = a_1^{sk} b^{s'}$ with $PK\{(\mu_1, \sigma):\ C = a_1^{\mu_1} b^{\sigma}\}$.)
2. Issuer → User: choose a random prime $e > 2^{\ell+1}$ and a random $s''$, compute
   $c = \left(d / (C\, a_3^{name}\, b^{s''})\right)^{1/e} \bmod n$
   (possible because the issuer knows the factorization of $n$), store $(Nym, name)$, and send $(c, e, s'')$.
3. User: set $s = s' + s''$. Then $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s} \bmod n$, i.e. $(c, e, s)$ is a valid signature on $(sk, r, name)$, obtained without the issuer ever seeing $sk$ or $r$.
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
• A user can voice an opinion only once (subsequent attempts are dropped).
• Users want to be anonymous.
• A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
The user generates a pseudonym (the ID for registration) and obtains a credential on it stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
The credential can contain attributes (e.g. the course ID) about her.
Polling – Solution: Submit Poll
1. The user generates a domain pseudonym for the domain = pollID.
2. The user transforms (re-randomizes) the credential.
3. The user presents the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because the domain pseudonym is unique per user and poll.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$, a hash of the poll identifier into the group. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption), while two submissions to the same poll yield the same $P$ and are therefore detected.
2. The user transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and sends $c'$ together with the signature proof of knowledge
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$,
which signs the opinion and shows that $P$ is derived from the same $sk$ that is certified in the credential.
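The pseudonym arithmetic of the polling solution, as an added example that is not part of the original slides or of the Identity Mixer code: it builds $Nym = g^{sk} h^{r}$, the domain pseudonym $P = H(pollID)^{sk}$, and a pollster that drops a second opinion submitted under the same domain pseudonym. Assumptions: a toy safe prime ($p = 2039$, $q = 1019$, far too small for real use), $H$ realised as SHA-256 followed by exponentiation to $(p-1)/q$ (an assumed hash-to-subgroup construction), and the credential proof $SPK$ that accompanies the domain pseudonym in the real protocol is omitted.

```python
"""Pseudonyms and domain pseudonyms for the polling scenario.

Added example (not from the slides). Toy group parameters; the SPK that links the
domain pseudonym to the credential is not shown, only the pseudonym arithmetic and
the pollster's duplicate check."""
import hashlib
import secrets

P, Q = 2039, 1019   # toy safe prime p = 2q + 1; real deployments use >= 2048-bit p or an elliptic-curve group
G = pow(3, 2, P)    # a square mod p, hence of order q
H = pow(5, 2, P)    # second base; in practice derived by hashing so that log_G H is unknown to everyone


def hash_to_group(poll_id: str) -> int:
    """H(pollID): hash, then raise to (p-1)/q so the result lies in the order-q subgroup.
    A hash output outside the subgroup would leak information about sk through the group order."""
    for ctr in range(256):   # re-hash with a counter if the output is degenerate (probability ~3/p)
        data = hashlib.sha256(poll_id.encode() + bytes([ctr])).digest()
        g_d = pow(int.from_bytes(data, "big") % P, (P - 1) // Q, P)
        if g_d not in (0, 1):
            return g_d
    raise ValueError("hash-to-group failed for %r" % poll_id)


def keygen() -> int:
    """User secret key sk, a nonzero element of Z_q."""
    return secrets.randbelow(Q - 1) + 1


def pseudonym(sk: int, r: int) -> int:
    """Nym = g^sk h^r: a fresh random r gives a new, unlinkable pseudonym for each registration."""
    return pow(G, sk, P) * pow(H, r, P) % P


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = H(pollID)^sk: identical for every showing in one poll, unlinkable across polls under DDH."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym and drops later submissions."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.opinions = {}

    def submit(self, dom_nym: int, opinion: str) -> bool:
        if dom_nym in (0, 1) or pow(dom_nym, Q, P) != 1:   # reject values outside the order-q subgroup
            return False
        if dom_nym in self.opinions:
            return False   # second opinion from the same credential holder in this poll
        self.opinions[dom_nym] = opinion
        return True


def demo() -> dict:
    """Constructed run: one user, two registrations, two polls, one repeated submission."""
    sk = keygen()
    r1 = secrets.randbelow(Q)
    nym_a, nym_b = pseudonym(sk, r1), pseudonym(sk, (r1 + 1) % Q)
    course_2014, course_2015 = Pollster("course-eval-2014"), Pollster("course-eval-2015")
    p_2014 = domain_pseudonym(sk, course_2014.poll_id)
    p_2015 = domain_pseudonym(sk, course_2015.poll_id)
    return {
        "registrations_differ": nym_a != nym_b,
        "first_opinion_accepted": course_2014.submit(p_2014, "good course"),
        "second_opinion_dropped": not course_2014.submit(p_2014, "bad course"),
        "same_poll_same_pseudonym": p_2014 == domain_pseudonym(sk, course_2014.poll_id),
        "other_poll_accepted": course_2015.submit(p_2015, "ok"),
        "cross_poll_values_differ": p_2014 != p_2015,
    }
```

The subgroup check in `submit` matters in practice: a value outside the order-$q$ subgroup can never come from an honest $H(pollID)^{sk}$, and accepting it would let a client bypass the uniqueness check with values the credential proof does not cover.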
Further Concepts
Concept – Inspection
(Figure: a trusted third party, the inspector, publishes the inspector parameters and the inspection grounds; the user's presentation token carries an encryption that only the inspector can open.)
• If the car is damaged, the ID needs to be retrieved, e.g. for the insurance or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
(Figure: key generation, encryption, decryption.)
Security – like envelopes: a ciphertext reveals no information about the message, not even whether it encrypts one candidate message or another. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g. it defines the decryption condition, binds the user to the car, etc. In the security definition, a change of the label yields a new ciphertext, so the inspector must refuse to decrypt under any label other than the one the ciphertext was created with.
Verifiable Encryption
• Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption.
• Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL).
• Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård; works for any scheme, but is much less efficient.
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g\rangle$ of prime order $q$.
Secret key: $x \in \{1, \ldots, q-1\}$; public key: $y = g^{x}$.
To encrypt a message $m \in \langle g\rangle$: choose random $r \in \{1, \ldots, q-1\}$ and compute $c = (y^{r} m,\ g^{r})$.
To decrypt a ciphertext $c = (c_1, c_2)$: we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$, thus set $m = c_1 \cdot c_2^{-x} = y^{r} m\, g^{-xr} = y^{r-r} m = m$.
Note that the message must be a group element: arbitrary data is first mapped into $\langle g\rangle$, and a ciphertext with a component outside $\langle g\rangle$ should be rejected.
Realizing Inspection
The user holds $Nym = g^{sk} h^{r}$ and a credential $(c, e, s)$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s} \pmod n$. The inspector's public key is $y = g^{x}$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q-1\}$ and compute $enc = (y^{u} Nym,\ g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$;
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$.
The second and third equations show that $(e_1, e_2)$ is an ElGamal encryption under $y$ of $g^{\mu_1} h^{\mu_2}$, i.e. of the pseudonym built from the same $sk$ and $r$ that the credential certifies. If the inspection grounds (the label) are met, the inspector recovers $Nym = e_1 \cdot e_2^{-x}$.
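One generic proof engine covers both the commitment proofs $PK\{(\alpha,\beta,\gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$ from the "Extended Features" slide and the verifiable encryption conjuncts $e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho}$ above. The following is an added example, not code from the slides or from Identity Mixer: a Fiat-Shamir Σ-protocol for any conjunction of discrete-log representations over one prime-order group, with the label hashed into the challenge. Assumptions: a 128-bit safe prime generated at start-up by a Miller-Rabin helper (demo size only), bases $g = 4$ and $h$ derived by hashing, and no range proofs, so the link to the CL credential equation over $\mathbb{Z}_n$ (the first conjunct of the presentation proof) is not shown.

```python
"""Non-interactive Σ-protocol (Fiat-Shamir) for conjunctions of discrete-log
representations in a prime-order group. Added example, not from the slides; serves
both the Pedersen commitment proofs and the verifiable ElGamal encryption of a
pseudonym for inspection."""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a trial-division prefilter (assumed helper for parameter generation)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1 both prime: the squares mod p form a group of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(128)   # demo size only; real deployments use >= 2048-bit p or an elliptic-curve group
G = 4                    # a square mod p, hence a generator of the order-q subgroup
H = pow(int.from_bytes(hashlib.sha256(b"nothing-up-my-sleeve").digest(), "big") % P, 2, P)  # log_G H unknown

# A statement is a list of equations (target, [(base, witness_index), ...]); each one claims
# target = ∏ base^w[witness_index] (mod P) for a single shared witness vector w.


def _challenge(label: bytes, statement, commits) -> int:
    h = hashlib.sha256(label)   # the label (context, inspection grounds) is bound into the challenge
    for (y, terms), t in zip(statement, commits):
        h.update(repr((y, terms, t)).encode())
    return int.from_bytes(h.digest(), "big") % Q


def prove(statement, witnesses, label: bytes):
    """SPK{(w): ∧_j target_j = ∏ base^w_i}(label): commit with random exponents, hash, respond."""
    rand = [secrets.randbelow(Q) for _ in witnesses]
    commits = []
    for _, terms in statement:
        t = 1
        for base, i in terms:
            t = t * pow(base, rand[i], P) % P
        commits.append(t)
    c = _challenge(label, statement, commits)
    return c, [(r - c * w) % Q for r, w in zip(rand, witnesses)]


def verify(statement, proof, label: bytes) -> bool:
    c, resp = proof
    if any(pow(y, Q, P) != 1 for y, _ in statement):   # targets must lie in the order-q subgroup
        return False
    commits = []
    for y, terms in statement:
        t = pow(y, c, P)   # Y^c ∏ base^s_i reproduces the prover's commitment iff the equation holds
        for base, i in terms:
            t = t * pow(base, resp[i], P) % P
        commits.append(t)
    return c == _challenge(label, statement, commits)


def commitment_demo():
    """Prove the opening of C1 and that C2 commits to 2m; a C2 committing to 3m must be rejected."""
    m, r1, r2 = 17, secrets.randbelow(Q), secrets.randbelow(Q)
    c1 = pow(G, m, P) * pow(H, r1, P) % P        # C1 = g^m h^r1
    c2 = pow(G, 2 * m, P) * pow(H, r2, P) % P    # C2 = g^(2m) h^r2 = (g^2)^m h^r2
    label = b"relation m2 = 2*m1"
    stmt = [(c1, [(G, 1), (H, 0)]), (c2, [(pow(G, 2, P), 1), (H, 2)])]   # witnesses (α, β, γ) = (r1, m, r2)
    proof = prove(stmt, [r1, m, r2], label)
    c2_bad = pow(G, 3 * m, P) * pow(H, r2, P) % P
    stmt_bad = [(c1, [(G, 1), (H, 0)]), (c2_bad, [(pow(G, 2, P), 1), (H, 2)])]
    return verify(stmt, proof, label), verify(stmt_bad, proof, label)


def inspection_demo(label: bytes = b"inspection grounds: damaged car"):
    """Verifiably encrypt Nym = g^sk h^r under the inspector's key y; only the original label verifies."""
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)                                   # inspector key pair (x, y = g^x)
    sk, r = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    nym = pow(G, sk, P) * pow(H, r, P) % P
    u = secrets.randbelow(Q - 1) + 1
    e1, e2 = pow(y, u, P) * nym % P, pow(G, u, P)      # ElGamal: (y^u Nym, g^u)
    stmt = [(e1, [(y, 0), (G, 1), (H, 2)]), (e2, [(G, 0)])]   # witnesses (ρ, μ1, μ2) = (u, sk, r)
    proof = prove(stmt, [u, sk, r], label)
    decrypted = e1 * pow(e2, Q - x, P) % P             # inspector: Nym = e1 * e2^(-x)
    return verify(stmt, proof, label), verify(stmt, proof, b"other grounds"), decrypted == nym
```

Sharing one witness index across several equations is what turns separate Schnorr proofs into the AND-composition the slides write with $\wedge$; the verifier never sees $m$, $sk$ or $r$, only the responses $s_i = t_i - c\,w_i$, which are uniform in $\mathbb{Z}_q$.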
Revocation of credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation information; the verifier looks it up.)
There are various reasons to revoke a credential: the user lost the credential or the secret key, or the user misbehaved.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists (of identifiers the verifier could match) don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s} \pmod n$.
Publish the list of all valid (or all invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose a random $g$;
– compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$;
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \cdots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$.
Not very efficient, i.e. linear in the size $k$ of the list. :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose a random $h$ and compute $U = h^{u_i}$;
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$;
– the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list.
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public instead? Once a credential is revoked, its $u_i$ becomes known, and every past showing $(h, U = h^{u_i})$ can be matched against it: all past transactions of that credential become linkable.
Revocable Credentials: Second Solution (variation)
Variation: the verifier could choose $h$ and keep it fixed for a while. It can then pre-compute the list $U_j = h^{u_j}$ → a single table lookup per showing.
BUT: if the user comes again, the verifier can link the two showings (same $h$, same $U = h^{u_i}$). ALSO, the verifier could refrain from changing $h$ at all, or use the same $h$ as other verifiers, which links showings across verifiers.
One way out: $h = H(verifier, date)$, so the user can check that $h$ is correctly formed; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – better implementation of the proof
The issuer signs the intervals between revoked IDs: for the revocation list $\{1, 4, 5\}$ over the ID range $[0, N]$ it publishes $Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)$.
To show that her credential ID $u$ (e.g. $u = 3$) is not revoked, Alice proves that she knows $i, j$ and a signature $Sig(i, j)$ with $i < u < j$, i.e. that $u$ lies in an interval containing no revoked ID. The verifier does not learn $i$, $j$ (or $u$), and the proof is constant-size instead of linear in the list.
$Sig(i, j)$ can be realised with the credential signature scheme as well, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators
(Figure: credentials contain a random serial number; the issuer accumulates all good serial numbers into one value; proving that a serial number is included requires a witness; to revoke serial number 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.)
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– the values are primes $e_i$;
– accumulator value $z = v^{\prod e_i} \bmod n$;
– publish $z$ and $n$;
– the witness value $x$ for $e_j$, such that $z = x^{e_j} \bmod n$, can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$.
Show that your value $e$ is contained in the accumulator: provide $x$ for $e$; the verifier checks $z = x^{e} \bmod n$.
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to produce $(x, e)$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption.
– For any $e$ (chosen by the adversary): equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need:
– an efficient protocol to prove that a committed value (the $e$ in the credential) is contained in the accumulator, without revealing it;
– a dynamic accumulator, i.e. the ability to remove and add values as certificates come and go.
Revocable Credentials: Third Solution
Prove that your value $e$ is in the accumulator:
– Commit to the witness $x$: choose random $s$ and $g$, compute $U_1 = x\, h^{s}$ and $U_2 = g^{s}$ (mod $n$), and reveal $U_1, U_2, g$.
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$,
where $\mu$ plays the role of $e$ (the serial number signed in the credential), $\rho$ of $sk$, $\delta$ of $s$, and $\xi$ of $s \cdot e$.
Revocable Credentials: Third Solution – Analysis
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$;
• the proof protocol is zero-knowledge.
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ implies $\xi = \delta \mu$;
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, so $x = U_1 h^{-\delta}$ is a witness for $\mu$;
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$ shows that the same $\mu$ is the $e$ signed in the certificate.
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$;
– thus the new accumulator is $z' = z^{e_{new}} \bmod n$;
– but then all existing witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$ (indeed $x'^{e_{own}} = (x^{e_{own}})^{e_{new}} = z^{e_{new}} = z'$).
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– the new accumulator is $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer can take this root because it knows the factorization of $n$);
– witness update for an unrevoked user holding $x$ with $x^{e_{own}} = z$:
• use the extended Euclidean algorithm to compute $a$ and $b$ such that $a\, e_{own} + b\, e_{rev} = 1$ (possible since the two are distinct primes);
• set $x' = x^{b} z'^{a} \bmod n$.
• Why: $x'^{e_{own}} = \left((x^{b} z'^{a})^{e_{own} e_{rev}}\right)^{1/e_{rev}} = \left((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\right)^{1/e_{rev}} = \left(z^{b\, e_{rev}} z^{a\, e_{own}}\right)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$. :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$;
– actually $v$ never occurs anywhere, so the issuer can think of it as replaced by $v' = v^{1/e_{new}} \bmod n$ and hand the new user the witness $x = z^{1/e_{new}} \bmod n$;
– thus $z$ need not be changed when a new member joins, and the existing witnesses stay valid.
Witnesses need to be recomputed upon revocation only.
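The accumulator operations of the third solution, worked through as an added example (not the slides' or Identity Mixer's code): accumulation, witnesses by product and by $e$-th root, the improved join that leaves $z$ unchanged, revocation by $z' = z^{1/e_{rev}}$, and the witness update $x' = x^{b} z'^{a}$ with $a\,e_{own} + b\,e_{rev} = 1$. Assumptions: a toy modulus $n = 2039 \cdot 2027$ (insecure size), a constructed list of small primes standing in for the random serial-number primes, and the issuer holding $\varphi(n)$ to take roots; the zero-knowledge proof that the committed $e$ is accumulated is not included.

```python
"""Dynamic RSA accumulator for credential revocation (added example, not from the slides).
Toy modulus; the issuer knows the factorisation and therefore can take e-th roots."""
import math
import secrets

P_RSA, Q_RSA = 2039, 2027                    # constructed toy safe primes; real n is >= 2048 bits
N = P_RSA * Q_RSA
PHI = (P_RSA - 1) * (Q_RSA - 1)              # = 4 * 1019 * 1013, known to the issuer only

# Credential serial numbers: large random primes in the real scheme; here a constructed
# list of small primes, all coprime to PHI.
SERIALS = [101, 103, 107, 109, 113]


def _random_square() -> int:
    """Seed v: a random element of QR_n (coprime to n so that v^PHI = 1)."""
    while True:
        v = secrets.randbelow(N)
        if math.gcd(v, N) == 1:
            return v * v % N


SEED = _random_square()


def root(value: int, e: int) -> int:
    """Issuer only: e-th root mod n via the trapdoor e^{-1} mod φ(n)."""
    return pow(value, pow(e, -1, PHI), N)


def accumulate(serials) -> int:
    """z = v^{∏ e_i} mod n."""
    z = SEED
    for e in serials:
        z = pow(z, e, N)
    return z


def witness_by_product(serials, e_j: int) -> int:
    """x = v^{∏_{i≠j} e_i} mod n: computable by anyone who knows v and the full list."""
    x = SEED
    for e in serials:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z: int, x: int, e: int) -> bool:
    """Membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z: int, e_new: int) -> int:
    """Improved join (issuer knows φ(n)): z stays unchanged, the new member gets x = z^{1/e_new}."""
    return root(z, e_new)


def revoke(z: int, e_rev: int) -> int:
    """Issuer publishes z' = z^{1/e_rev} = v^{∏_{i≠rev} e_i} mod n."""
    return root(z, e_rev)


def update_witness(x: int, z_new: int, e_own: int, e_rev: int) -> int:
    """Unrevoked user turns (x, e_own) with x^e_own = z into x' with x'^e_own = z'.
    With a*e_own + b*e_rev = 1:  x'^e_own = x^(b e_own) z'^(a e_own) = z'^(b e_rev + a e_own) = z'."""
    a = pow(e_own, -1, e_rev)                    # a = e_own^{-1} mod e_rev  (extended Euclid)
    b = (1 - a * e_own) // e_rev                 # exact division; b is negative
    return pow(x, b, N) * pow(z_new, a, N) % N   # negative exponent = modular inverse (Python 3.8+)


def demo() -> dict:
    """Constructed run: five members, Carol joins, Bob is revoked, Alice and Carol update."""
    z = accumulate(SERIALS)
    e_alice, e_bob, e_carol = SERIALS[0], SERIALS[1], 127
    x_alice = witness_by_product(SERIALS, e_alice)
    x_bob = root(z, e_bob)                       # same witness, computed with the trapdoor instead
    x_carol = add_member(z, e_carol)             # z is not changed by the join
    z2 = revoke(z, e_bob)
    x_alice2 = update_witness(x_alice, z2, e_alice, e_bob)
    x_carol2 = update_witness(x_carol, z2, e_carol, e_bob)
    return {
        "alice_valid": verify(z, x_alice, e_alice),
        "bob_valid": verify(z, x_bob, e_bob),
        "carol_valid_after_join": verify(z, x_carol, e_carol),
        "root_matches_product": x_alice == root(z, e_alice),
        "alice_valid_after_revocation": verify(z2, x_alice2, e_alice),
        "carol_valid_after_revocation": verify(z2, x_carol2, e_carol),
        "bob_stale_witness_rejected": not verify(z2, x_bob, e_bob),
        "bob_old_accumulator_rejected": not verify(z2, x_bob, e_bob) and verify(z, x_bob, e_bob),
    }
```

The verifier only ever checks $z = x^{e} \bmod n$ against the currently published $z$, so a revoked user's witness fails as soon as the issuer publishes $z'$, while every unrevoked user can repair her witness locally from $(e_{rev}, z')$ without contacting the issuer.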
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier beyond checking the validity attribute in the proof.
– If the credential is valid, there is no need to check revocation updates from the issuer.
Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
– the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'} \bmod n$;
– the issuer chooses $e, s''$ and computes $c = \left(d / (U\, a_3^{m_3}\, a_4^{time}\, b^{s''})\right)^{1/e} \bmod n$, returning $(c, e, s'')$.
Idea: just repeat the last step for each new validity period $time_i$: the issuer chooses $e_i, s_i''$ and computes
$c_i = \left(d / (U\, a_3^{m_3}\, a_4^{time_i}\, b^{s_i''})\right)^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; no interaction with the user is needed since $U$ from the original issuance is reused.
Conclusions
Roadmap:
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society:
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
E-mail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$, check that $m_1, \ldots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$, and
$d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Recall $d = c^{e} a_1^{m_1} a_2^{m_2} b^{s} \bmod n$.
Observe: let $c' = c\, b^{t} \bmod n$ with randomly chosen $t$. Then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$; since $c'$ is freshly randomized, revealing it does not link the showing to the issued $c$.
To prove knowledge of a signature $(c', e, s')$ on a revealed $m_2$ and some hidden $m_1$, provide $c'$ and run
$PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
→ this proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$, i.e. knowledge of a valid signature on $(\mu_1, m_2)$ without revealing $c$, $e$, $s$ or $m_1$.
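The issuance protocol (the "Realizing Issuance of Credential" slides) and the re-randomisation above, carried out end to end as an added example that is not the slides' or Identity Mixer's code: the user commits to $sk$, the issuer signs the commitment plus a clear attribute with its trapdoor, the user completes the signature, re-randomises it to $(c\,b^{t}, e, s - et)$ and verifies both. Assumptions: a toy modulus $n = 2039 \cdot 2027$, $\ell = 17$, a single fixed prime $e = 2^{19} - 1$ (a real issuer picks a fresh prime per signature), attributes hashed into $\{0,1\}^{\ell}$, and the proof of knowledge of the commitment opening omitted.

```python
"""CL signature issuance on a hidden message (the user's secret key inside a commitment)
and re-randomisation of the resulting credential. Added example with a constructed toy
RSA modulus; the zero-knowledge proof of the commitment opening is omitted."""
import hashlib
import math
import secrets

P_RSA, Q_RSA = 2039, 2027                    # constructed toy safe primes; real n is >= 2048 bits
N, PHI = P_RSA * Q_RSA, (P_RSA - 1) * (Q_RSA - 1)
L = 17                                       # message length ℓ: m_i ∈ {0,1}^ℓ
E = 524287                                   # prime e = 2^19 - 1 > 2^(ℓ+1); real issuers use a fresh prime per signature


def _square() -> int:
    """A random element of QR_n that is coprime to n."""
    while True:
        v = secrets.randbelow(N)
        if math.gcd(v, N) == 1:
            return v * v % N


# Issuer public key (n, a1, a2, b, d): random elements of QR_n; the issuer keeps PHI secret.
A1, A2, B, D = _square(), _square(), _square(), _square()


def encode(attr: str) -> int:
    """Hash a string attribute into the message space {0,1}^ℓ (constructed encoding)."""
    return int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % (1 << L)


def verify(sig, sk: int, name: int) -> bool:
    """d == c^e a1^sk a2^name b^s (mod n); s may be negative after re-randomisation."""
    c, e, s = sig
    if not (0 <= sk < (1 << L) and 0 <= name < (1 << L) and e > (1 << (L + 1))):
        return False
    return pow(c, e, N) * pow(A1, sk, N) * pow(A2, name, N) * pow(B, s, N) % N == D


def user_commit(sk: int):
    """Step 1: C = a1^sk b^s' hides sk; the real protocol sends PK{(μ,σ): C = a1^μ b^σ} alongside."""
    s1 = secrets.randbelow(1 << 40)
    return pow(A1, sk, N) * pow(B, s1, N) % N, s1


def issue(C: int, name: int):
    """Step 2 (issuer, knows φ(n)): c = (d / (C a2^name b^s''))^(1/e) mod n; returns (c, e, s'')."""
    s2 = secrets.randbelow(1 << 40)
    base = C * pow(A2, name, N) * pow(B, s2, N) % N
    c = pow(D * pow(base, -1, N) % N, pow(E, -1, PHI), N)
    return c, E, s2


def user_finish(partial, s1: int):
    """Step 3: s = s' + s'' turns the issuer's reply into a signature on (sk, name)."""
    c, e, s2 = partial
    return c, e, s1 + s2


def rerandomize(sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages; show this one instead."""
    c, e, s = sig
    t = secrets.randbelow(1 << 40)
    return c * pow(B, t, N) % N, e, s - e * t


def demo() -> dict:
    """Constructed run: issue on a hidden sk and the attribute 'Alice Doe', then re-randomise."""
    sk = secrets.randbelow(1 << L)
    name = encode("Alice Doe")
    C, s1 = user_commit(sk)
    sig = user_finish(issue(C, name), s1)
    sig2 = rerandomize(sig)
    return {
        "issued_valid": verify(sig, sk, name),
        "rerandomized_valid": verify(sig2, sk, name),
        "shown_value_differs": sig[0] != sig2[0],
        "wrong_attribute_rejected": not verify(sig, sk, (name + 1) % (1 << L)),
        "wrong_key_rejected": not verify(sig, (sk + 1) % (1 << L), name),
    }
```

The issuer never sees $sk$: it only exponentiates what the user sent ($C$) and what it chose itself, and the trapdoor $\varphi(n)$ is what lets it take the $e$-th root. In a presentation the user would reveal only $c'$ from `rerandomize` and prove the rest in zero knowledge, as on the slide above.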
Privacy-protecting authentication with Privacy-ABCs
(Figure: Alice's credential system is built from three building blocks: a signature scheme, a commitment scheme, and zero-knowledge proofs.)
Commitment Scheme: Functionality
(Figure: the committer puts a message $m$, e.g. 2-36-17, into a sealed commitment; later she opens it and the verifier reads $m$.)
Commitment Scheme: Security
Binding: the committer cannot open a commitment to $m$ (e.g. 2-36-17) as a different message $m'$ (e.g. 3-21-11).
Hiding: for all messages $m, m'$, a commitment to $m$ is indistinguishable from a commitment to $m'$; the verifier learns nothing about the content before the opening.
Commitment Schemes
Group $G = \langle g\rangle = \langle h\rangle$ of prime order $q$. To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r},\ g^{r})$
To open a commitment: reveal $x$ and $r$ to the verifier; the verifier checks that $c = g^{x} h^{r}$ (for ElGamal, that $c = (g^{x} h^{r}, g^{r})$).
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Proving Knowledge of a CL-signature
Recall $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
Observe:
Let $c' = c\, b^t \bmod n$ with randomly chosen $t$.
Then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma):\ d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \ \wedge\ \mu_1 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
→ proves $d = c'^{\varepsilon} a_1^{\mu_1} a_2^{m_2} b^{\sigma}$
Privacy-protecting authentication with Privacy ABCs (figure: Alice's credential system is built from a signature scheme, a commitment scheme and zero-knowledge proofs)

commitment scheme
Commitment Scheme Functionality (figure: the committer commits to a message m and later opens the commitment, which the verifier checks)
Commitment Scheme Security: Binding (figure: a commitment to m cannot be opened to a different message m')
Commitment Scheme Security: Hiding, for all messages m, m' (figure: commitments to m and to m' are indistinguishable)
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r,\ g^r)$
To open commitment:
• reveal $x$ and $r$ to verifier
• verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x+ur} = g^{(x+ur') + u(r-r')} = g^{x+ur'} h^{r-r'}$ for any $r'$,
so $c$ is equally a commitment to $x' = x + ur'$ with randomness $r - r'$; as $r'$ ranges over $\mathbb{Z}_q$, $x'$ ranges over all of $\mathbb{Z}_q$.
I.e. given $c$ and any $x'$ there exists $r''$ such that $c = g^{x'} h^{r''}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x-x'} = h^{r'-r}$ and $u = \log_g h = (x-x')/(r'-r) \bmod q$, i.e. whoever can open $c$ in two ways has computed the discrete logarithm of $h$.
Commitment Scheme Extended Features (figure: proof of knowledge of contents, and proof of relations among contents such as $m_2 = 2 m_1$)
Let $C_1 = g^{m_1} h^{r_1}$ and $C_2 = g^{m_2} h^{r_2}$, then
Proof of Knowledge of Contents: $PK\{(\alpha, \beta):\ C_1 = g^{\beta} h^{\alpha}\}$
Proof of Relations among Contents ($m_2 = 2 m_1$): $PK\{(\alpha, \beta, \gamma):\ C_1 = g^{\beta} h^{\alpha} \ \wedge\ C_2 = (g^2)^{\beta} h^{\gamma}\}$
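The Pedersen scheme and the two proofs of knowledge from the slides above, as an added worked example in Python. This is not code from the slides or from Identity Mixer: the group parameters P = 4079, Q = 2039, G = 4 are constructed toy values (a safe prime far too small for real use; a 2048-bit standard group or an elliptic curve would be used in practice), and the names `setup`, `equivocate`, `extract_trapdoor`, `challenge`, `prove_opening`, `prove_double` are this example's own. It shows commit/open, why knowledge of $\log_g h$ destroys binding but is exactly what perfect hiding relies on, and the two PK statements turned non-interactive with Fiat-Shamir.

```python
import hashlib
import secrets

# Toy group (constructed for this example): P = 2*Q + 1 is a safe prime, so the quadratic
# residues mod P form a subgroup of prime order Q, generated by G = 2^2.
P, Q, G = 4079, 2039, 4


def setup():
    """Trusted setup: h = g^u. The trapdoor u = log_g h is what the 'perfectly hiding'
    argument uses; in practice h is derived so that nobody knows u (e.g. hashed into the group)."""
    u = secrets.randbelow(Q - 1) + 1
    return pow(G, u, P), u


def commit(h, x, r=None):
    """Pedersen commitment c = g^x h^r, with fresh randomness r unless one is supplied."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, x, P) * pow(h, r, P) % P, r


def open_ok(h, c, x, r):
    """Verifier side: accept the opening (x, r) iff c = g^x h^r."""
    return c == pow(G, x, P) * pow(h, r, P) % P


def equivocate(u, x, r, x_new):
    """Perfect hiding made explicit: with u, c = g^{x+ur} opens to any x_new by solving
    x_new + u*r_new = x + u*r (mod Q). Without u no such r_new can be found."""
    return (x + u * r - x_new) * pow(u, -1, Q) % Q


def extract_trapdoor(x1, r1, x2, r2):
    """Computational binding: two openings of one c give g^{x1-x2} = h^{r2-r1}, i.e. the
    discrete logarithm u = (x1-x2)/(r2-r1) mod Q of h, which is assumed hard to compute."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


def challenge(*vals):
    """Fiat-Shamir challenge in [1, Q-1] derived from the proof transcript."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def prove_opening(h, c, x, r):
    """Non-interactive PK{(alpha, beta): c = g^beta h^alpha} (Schnorr-type, two bases)."""
    kb, ka = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, kb, P) * pow(h, ka, P) % P
    e = challenge(c, t)
    return t, (kb + e * x) % Q, (ka + e * r) % Q


def verify_opening(h, c, proof):
    t, sb, sa = proof
    e = challenge(c, t)
    return pow(G, sb, P) * pow(h, sa, P) % P == t * pow(c, e, P) % P


def prove_double(h, c1, r1, c2, r2, m1):
    """PK{(alpha, beta, gamma): c1 = g^beta h^alpha AND c2 = (g^2)^beta h^gamma}: one response
    for beta serves both equations, which convinces the verifier that c2 holds twice the
    value in c1 without revealing either value."""
    kb, ka, kg = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, kb, P) * pow(h, ka, P) % P
    t2 = pow(G, 2 * kb, P) * pow(h, kg, P) % P
    e = challenge(c1, c2, t1, t2)
    return t1, t2, (kb + e * m1) % Q, (ka + e * r1) % Q, (kg + e * r2) % Q


def verify_double(h, c1, c2, proof):
    t1, t2, sb, sa, sg = proof
    e = challenge(c1, c2, t1, t2)
    return (pow(G, sb, P) * pow(h, sa, P) % P == t1 * pow(c1, e, P) % P
            and pow(G, 2 * sb, P) * pow(h, sg, P) % P == t2 * pow(c2, e, P) % P)
```

`equivocate` and `extract_trapdoor` are the two halves of the slide's security argument in executable form: the party who set up h (and therefore knows u) can open a commitment to anything, and anyone who produces two openings has in effect solved a discrete logarithm.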
putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
Privacy-protecting authentication with Privacy ABCs – Concept: credentials (figure: "Like PKI, but better"; the issuer issues a credential with Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: Pseudonym not in message space
Solution: Sign secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New Problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages (figure: the signer receives a commitment to $m_1, \dots, m_j$ together with the clear messages $(m_{j+1}, \dots, m_k)$)
$\sigma = sig(\text{commitment to } (m_1, \dots, m_j),\ (m_{j+1}, \dots, m_k))$ and $ver(\sigma, (m_1, \dots, m_k)) = true$
Verification remains unchanged.
Security requirements basically the same as for signatures, but:
• signer should not learn any information about $m_1, \dots, m_j$
• forgery w.r.t. message clear parts and opening of commitments
Realizing Issuance of Credential
Issuer public key: $(n, a_i, b, d)$
– User chooses $s'$ and computes $C = a_1^{sk} b^{s'}$; sends $C$ and $name$ to the issuer
– User proves $PK\{(\mu_1, \sigma):\ C = a_1^{\mu_1} b^{\sigma}\}$
– Issuer chooses $e, s''$, computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
– User checks $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
– User computes $C = a_1^{sk} a_2^{r} b^{s'}$ and proves $PK\{(\mu_1, \rho, \sigma):\ Nym = g^{\mu_1} h^{\rho} \ \wedge\ C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
– Issuer stores $(Nym, name)$, chooses $e, s''$ and computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$; returns $(c, e, s'')$
– User checks $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
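The issuance protocol just described (user commits to $sk$ and $r$, the issuer signs the commitment together with the clear attribute, the user checks the resulting signature), plus the randomization $(c\, b^t, e, s - et)$ from the earlier "Proving Knowledge of a CL-signature" slide, as an added Python example. It is not the slides' or Identity Mixer's code: the ~40-bit modulus, the 16-bit attribute length `L`, the toy pseudonym group (P = 4079, Q = 2039, G = 4, H = 49), `encode_attribute` and the `Issuer`/`User` classes are this example's constructed assumptions, and the zero-knowledge proofs that accompany the commitment on the slides are not implemented.

```python
import hashlib
import math
import secrets

# Toy DL group for the pseudonym (constructed): P = 2Q+1 safe prime; G, H quadratic residues.
P, Q, G, H = 4079, 2039, 4, 49
L = 16                      # attribute length ell in bits (toy; the slides use a large ell)


def is_prime(n):
    """Trial division: enough for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def encode_attribute(text):
    """Toy encoding of a string attribute (e.g. a name) into the message space {0,1}^L."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % (1 << L)


class Issuer:
    def __init__(self):
        # Toy modulus n = p*q (~40 bits); real deployments use two ~1024-bit safe primes.
        p, q = next_prime(1 << 20), next_prime((1 << 20) + 5000)
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.a = [self._qr() for _ in range(3)]     # bases a1 (sk), a2 (r of Nym), a3 (name)
        self.b, self.d = self._qr(), self._qr()
        self.pk = (self.n, self.a, self.b, self.d)
        self.registry = {}                           # Nym -> name, as stored on the slide

    def _qr(self):
        """Random quadratic residue mod n that is a unit."""
        while True:
            x = secrets.randbelow(self.n - 2) + 2
            if math.gcd(x, self.n) == 1:
                return x * x % self.n

    def issue(self, C, nym, name_attr):
        """Sign the user's commitment C = a1^sk a2^r b^s' together with the clear attribute."""
        n, (a1, a2, a3), b, d = self.pk
        while True:                                  # prime e > 2^(L+1), invertible mod phi(n)
            e = next_prime((1 << (L + 1)) + secrets.randbelow(1 << L))
            if math.gcd(e, self.phi) == 1:
                break
        s2 = secrets.randbelow(n)                    # s''
        base = C * pow(a3, name_attr, n) * pow(b, s2, n) % n
        c = pow(d * pow(base, -1, n) % n, pow(e, -1, self.phi), n)   # (d / base)^(1/e) mod n
        self.registry[nym] = name_attr
        return c, e, s2


class User:
    def __init__(self, pk):
        self.pk = pk
        self.sk = secrets.randbelow(1 << L)          # secret key, never sent to the issuer
        self.r = secrets.randbelow(1 << L)
        self.nym = pow(G, self.sk, P) * pow(H, self.r, P) % P     # Nym = g^sk h^r

    def commit(self):
        n, (a1, a2, a3), b, d = self.pk
        self.s1 = secrets.randbelow(n)               # s'
        return pow(a1, self.sk, n) * pow(a2, self.r, n) * pow(b, self.s1, n) % n

    def finish(self, c, e, s2, name_attr):
        """Combine s' and s'' and check the signature exactly as on the slide."""
        self.cred = (c, e, self.s1 + s2, name_attr)
        return verify(self.pk, self.cred, self.sk, self.r)


def verify(pk, cred, sk, r):
    """d = c^e a1^sk a2^r a3^name b^s (mod n), with e > 2^(L+1)."""
    n, (a1, a2, a3), b, d = pk
    c, e, s, name_attr = cred
    return e > (1 << (L + 1)) and d == (pow(c, e, n) * pow(a1, sk, n) * pow(a2, r, n)
                                        * pow(a3, name_attr, n) * pow(b, s, n) % n)


def randomize(pk, cred):
    """(c b^t, e, s - e t) is a fresh signature on the same messages: each presentation can
    show a different c' and remain unlinkable to the issuing and to other presentations."""
    n, _, b, _ = pk
    c, e, s, name_attr = cred
    t = secrets.randbelow(n)
    return c * pow(b, t, n) % n, e, s - e * t, name_attr
```

Only the issuer can compute the $e$-th root because it knows $\varphi(n)$; the user never reveals $sk$ or $r$, yet ends up with a signature covering them, which is the "sign a secret message" problem the slides set out to solve.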
An Example Scenario
Polling: Scenario and Requirements
Scenario: Pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous: a user's opinions in different polls must not be linkable
Polling – Solution: Registration
Issuer public key $(n, a_1, a_2, a_3, b, d)$
– User generates pseudonym (ID for registration)
– User obtains credential on pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
– Credential can contain attributes (e.g. course ID) about her
Polling – Solution: Submit Poll
1. User generates domain pseudonym with domain = pollID
2. User transforms credential
3. User sends transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
$P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \ \wedge\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}(opinion)$
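The domain-pseudonym part of the polling solution, as an added Python example (not code from the slides or from Identity Mixer): $P = H(pollID)^{sk}$, the signature proof of knowledge $SPK\{(\mu): P = g_d^{\mu}\}(opinion)$ realised as a Schnorr signature, and the pollster's duplicate detection. The credential equation on $d$ that the slide's SPK also covers is left out. The group P = 4079, Q = 2039 is a constructed toy safe prime; `hash_to_group`, `challenge`, `sign_opinion`, `pollster_accept` and the poll identifiers are this example's own.

```python
import hashlib
import secrets

# Toy group (constructed): P = 2Q+1 is a safe prime, so quadratic residues mod P have order Q.
P, Q = 4079, 2039


def hash_to_group(label):
    """g_d = H(pollID): hash the poll identifier to a quadratic residue (an element of order Q),
    retrying with a counter if the hash lands on 0 or +-1."""
    ctr = 0
    while True:
        v = int.from_bytes(hashlib.sha256(f"{label}|{ctr}".encode()).digest(), "big") % P
        gd = v * v % P
        if gd not in (0, 1):
            return gd
        ctr += 1


def challenge(*vals):
    """Fiat-Shamir challenge over the transcript (the opinion is part of it)."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: fixed per (user, poll), unlinkable across polls under DDH."""
    return pow(hash_to_group(poll_id), sk, P)


def sign_opinion(sk, poll_id, opinion):
    """SPK{(mu): P = g_d^mu}(opinion): a Schnorr signature on the opinion under the domain
    pseudonym. Knowledge of sk is proven without revealing it; the pseudonym itself is what
    makes a second opinion in the same poll detectable."""
    gd = hash_to_group(poll_id)
    pd = pow(gd, sk, P)
    k = secrets.randbelow(Q)
    t = pow(gd, k, P)
    e = challenge(gd, pd, t, opinion)
    return pd, t, (k + e * sk) % Q


def pollster_accept(seen, poll_id, opinion, token):
    """Pollster side: verify the SPK, then drop any further opinion under the same pseudonym."""
    pd, t, s = token
    gd = hash_to_group(poll_id)
    e = challenge(gd, pd, t, opinion)
    if pow(gd, s, P) != t * pow(pd, e, P) % P:
        return "invalid"
    key = (poll_id, pd)
    if key in seen:
        return "duplicate"
    seen.add(key)
    return "accepted"
```

Because the base $g_d$ is derived from the poll identifier, the same $sk$ yields unrelated pseudonyms in different polls while remaining deterministic inside one poll; the pollster therefore needs nothing beyond the set of pseudonyms already seen to enforce "one opinion per user".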
Further Concepts
Concept – Inspection (figure: the verifier receives the inspector's parameters and the inspection grounds; a TTP can later identify the user)
• If the car is damaged, the ID needs to be retrieved (with insurance or government)
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption (figure: Key Generation, Encryption, Decryption)
Security: like envelopes, no info about the message (figure: an adversary cannot tell which of two messages was encrypted)
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
Label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithm): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open Problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \dots, q\}$; public key: $y = g^x$
To encrypt message $m \in \langle g \rangle$:
– choose random $r \in \{1, \dots, q\}$
– compute $c = (y^r m,\ g^r)$
To decrypt ciphertext $c = (c_1, c_2)$:
– We know $c = (y^r m,\ g^r) = (g^{xr} m,\ g^r)$
– Thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
User holds $Nym = g^{sk} h^{r}$ and a credential $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$
Encrypt $Nym$: random $u \in \{1, \dots, q\}$ and $enc = (y^u Nym,\ g^u) = (e_1, e_2)$
Compute proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
– compute proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \ \wedge\ e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \ \wedge\ e_2 = g^{\rho} \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
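ElGamal as defined two slides up, applied to inspection as on this slide, as an added Python example that is neither the slides' nor Identity Mixer's code. It implements encryption of $Nym$ under the inspector's key, the part of the presentation-token proof that shows $e_1 = y^{\rho} g^{\mu_1} h^{\mu_2}$ and $e_2 = g^{\rho}$ for the $(sk, r)$ inside the pseudonym (the credential equation on $d$ is left out), and the inspector's decryption and look-up. The toy group (P = 4079, Q = 2039, G = 4, H = 49), the registry and the names `presentation_token`, `prove_encrypts_nym`, `inspect` are constructed for this example.

```python
import hashlib
import secrets

# Toy group (constructed): P = 2Q+1 safe prime; G and H are quadratic residues of order Q.
P, Q, G, H = 4079, 2039, 4, 49


def keygen():
    """Inspector key pair: secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m, u):
    """ElGamal with explicit randomness u: (y^u m, g^u). m must be an element of <g>."""
    return pow(y, u, P) * m % P, pow(G, u, P)


def decrypt(x, ct):
    """c1 * c2^{-x} = y^u m g^{-xu} = m, as derived on the ElGamal slide."""
    c1, c2 = ct
    return c1 * pow(c2, -x, P) % P


def make_nym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P


def challenge(*vals):
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_encrypts_nym(y, enc, u, sk, r):
    """PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2 AND e2 = g^rho}: convinces the verifier that
    (e1, e2) encrypts a pseudonym g^mu1 h^mu2 whose secrets the prover knows, without
    revealing sk, r or u."""
    e1, e2 = enc
    kr, k1, k2 = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(y, kr, P) * pow(G, k1, P) * pow(H, k2, P) % P
    t2 = pow(G, kr, P)
    e = challenge(y, e1, e2, t1, t2)
    return t1, t2, (kr + e * u) % Q, (k1 + e * sk) % Q, (k2 + e * r) % Q


def verify_encrypts_nym(y, enc, proof):
    e1, e2 = enc
    t1, t2, sr, s1, s2 = proof
    e = challenge(y, e1, e2, t1, t2)
    return (pow(y, sr, P) * pow(G, s1, P) * pow(H, s2, P) % P == t1 * pow(e1, e, P) % P
            and pow(G, sr, P) == t2 * pow(e2, e, P) % P)


def presentation_token(inspector_pk, sk, r):
    """User side: encrypt Nym under the inspector's key and prove the ciphertext is well formed."""
    u = secrets.randbelow(Q - 1) + 1
    enc = encrypt(inspector_pk, make_nym(sk, r), u)
    return enc, prove_encrypts_nym(inspector_pk, enc, u, sk, r)


def inspect(inspector_sk, registry, enc):
    """Inspector (TTP) side, run only when the inspection grounds are met: recover Nym and
    look up the name the issuer stored next to it at registration."""
    return registry.get(decrypt(inspector_sk, enc))
```

The verifier never decrypts anything; it only checks the proof, so it learns that an inspector could identify the user but not who the user is. The randomness $u$ is fresh per token, which is what keeps two tokens from the same user unlinkable to each other.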
Revocation of credentials
Anonymous Credential Revocation (figure: the issuer publishes revocation info, the verifier looks it up)
– Alice should be able to convince the verifier that her credential is among the good ones
– Various reasons to revoke a credential: user lost credential / secret key, misbehavior of user
– Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID $u_i$ as message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \dots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_1 = g^{\mu}) \ \vee\ \cdots\ \vee\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_k = g^{\mu})\}$
Not very efficient, i.e. linear in size $k$ of list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID $u_i$ as message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is not on the list:
– Choose random $h$ and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U = h^{\mu}\}$
– Verifier checks whether $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: verifier could choose $h$ and keep it fixed for a while
– Can pre-compute list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
– One way out: $h = H(verifier, date)$, so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
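The variation above, as an added Python example (not code from the slides or from Identity Mixer): the verifier derives $h = H(verifier, date)$, precomputes the table $\{h^{u_j}\}$ for the revoked IDs once per date, and then answers each presentation with a single lookup; the user recomputes $h$ and refuses to answer under a base the verifier made up. The group P = 4079, Q = 2039 is a constructed toy safe prime, the revoked IDs and dates are constructed sample values, and `Verifier`, `user_value`, `hash_to_group` are this example's own names. The proof $PK\{\ldots U = h^{\mu}\}$ that ties $U$ to the credential is not implemented; only the list check is.

```python
import hashlib

# Toy group (constructed): P = 2Q+1 safe prime; quadratic residues mod P have prime order Q.
P, Q = 4079, 2039


def hash_to_group(*parts):
    """h = H(verifier, date): hash to a quadratic residue (order Q), skipping 0 and +-1."""
    ctr = 0
    while True:
        data = "|".join(str(p) for p in parts) + f"|{ctr}"
        v = int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % P
        h = v * v % P
        if h not in (0, 1):
            return h
        ctr += 1


class Verifier:
    """Holds the published list of revoked credential IDs and, per date, the precomputed
    table {h^{u_j}} so that checking a presentation costs one set lookup."""

    def __init__(self, name, revoked_ids):
        self.name, self.revoked, self.tables = name, list(revoked_ids), {}

    def base(self, date):
        """Base h for this date; builds the lookup table on first use."""
        h = hash_to_group(self.name, date)
        if date not in self.tables:
            self.tables[date] = {pow(h, uj, P) for uj in self.revoked}
        return h

    def accept(self, date, U):
        """Accept iff U = h^{u_i} is not one of the precomputed revoked values."""
        return U not in self.tables[date]


def user_value(verifier_name, date, u_i, h):
    """User side: recompute h from (verifier, date) and answer only if it matches what the
    verifier sent; returns U = h^{u_i}, or None if the base is not the agreed one."""
    if h != hash_to_group(verifier_name, date):
        return None
    return pow(h, u_i, P)
```

The same user presenting twice under one base produces the same $U$, which is the linking problem the slide points out; changing the base every second gives a different $U$ per visit, and deriving it from the date lets the user verify that the verifier is not reusing a base of its own choosing.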
Revocable Credentials: Second Solution – better implementation of proof (figure: revoked serial numbers 1, 4, 5 on a number line, and a credential with serial number 3)
– Issuer signs the intervals between revoked serial numbers: $Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)$ → revocation list $\{1, 4, 5\}$
– The credential contains a serial number (3 in the figure); the user proves she knows $Sig(i, j)$ with $i < 3 < j$
– Verifier does not learn $i$, $j$
– $Sig(i, j)$ can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution – Using cryptographic accumulators (figure: an accumulator containing the serial numbers 1, 2, 3, 4, 5, 6)
– Credentials contain a random serial number
– Issuer accumulates all good serial numbers
– Proof that a serial number is included in the accumulator requires a witness
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of accumulator: it must be hard to find $x$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets witness $x$ with the certificate. But we still need:
– Efficient protocol to prove that a committed value is contained in the accumulator
– Dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x h^{s}$, $U_2 = g^{s}$, and reveal $U_1, U_2, g$
– Run proof protocol with verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n \ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• proof protocol is zero-knowledge
– Proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
• Use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• Now $x' = x^{b} z'^{a} \bmod n$
• Why (using $x^{e_{own}} = z$ and $z'^{e_{rev}} = z$): $x'^{e_{own}} = (((x^b z'^a)^{e_{own}})^{e_{rev}})^{1/e_{rev}} \bmod n$
$= ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}})^{1/e_{rev}} \bmod n = (z^{b e_{rev}} z^{a e_{own}})^{1/e_{rev}} \bmod n$
$= z^{1/e_{rev}} \bmod n = z'$ :-)
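The RSA accumulator of the last several slides, as an added Python example that is not the slides' or Identity Mixer's code: accumulation of primes, membership verification $z = x^{e} \bmod n$, addition both in the plain form ($z' = z^{e_{new}}$, witnesses raised to $e_{new}$) and in the improved form where the issuer knows the factorization and hands out $x = z^{1/e_{new}}$ without touching $z$, revocation by $z' = z^{1/e_{rev}}$, and the trapdoor-free witness update via extended Euclid whose correctness the derivation above shows. The ~40-bit modulus, the 17-bit primes, and the names `Issuer`, `update_witness`, `add_without_trapdoor`, `witness_after_add` are this example's constructed assumptions; the zero-knowledge membership proof from the earlier slide is not implemented.

```python
import math
import secrets


def is_prime(n):
    """Trial division: enough for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


class Issuer:
    """Keeps the accumulator and knows the factorisation of n (phi), so it can take e-th roots."""

    def __init__(self):
        # Toy modulus n = p*q (~40 bits); real deployments use two ~1024-bit safe primes.
        p, q = next_prime(1 << 20), next_prime((1 << 20) + 5000)
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        while True:                                   # seed v: a quadratic residue that is a unit
            s = secrets.randbelow(self.n - 2) + 2
            if math.gcd(s, self.n) == 1:
                break
        self.v = s * s % self.n
        self.z = self.v                               # accumulator of the empty set
        self.members = []

    def _fresh_prime(self):
        while True:
            e = next_prime((1 << 17) + secrets.randbelow(1 << 16))
            if e not in self.members and math.gcd(e, self.phi) == 1:
                return e

    def add(self):
        """Improved variant: z is left unchanged and the new member receives x = z^{1/e}
        (implicitly v' = v^{1/e}), so every existing witness stays valid."""
        e = self._fresh_prime()
        self.members.append(e)
        return e, pow(self.z, pow(e, -1, self.phi), self.n)

    def revoke(self, e_rev):
        """z' = z^{1/e_rev}: removes e_rev from the accumulated exponent; publish the new z."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, self.phi), self.n)
        return self.z


def verify(n, z, e, x):
    """Verifier side: e is accumulated in z iff z = x^e mod n."""
    return pow(x, e, n) == z


def update_witness(n, x, e_own, z_new, e_rev):
    """Witness update after revocation, without any trapdoor (the derivation on the slide):
    a*e_own + b*e_rev = 1 via extended Euclid, x' = x^b z_new^a, and then x'^{e_own} = z_new.
    A revoked member has e_own = e_rev, gcd 2 != 1, and cannot update."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("revoked member cannot update its own witness")
    return pow(x, b, n) * pow(z_new, a, n) % n


def add_without_trapdoor(n, z, e_new):
    """Plain dynamic accumulator (no factorisation needed): z' = z^{e_new}; the old z is the
    new member's witness, and every other witness must be raised to e_new."""
    return pow(z, e_new, n), z


def witness_after_add(n, x, e_new):
    return pow(x, e_new, n)
```

The verifier only ever runs `verify`, which is one modular exponentiation against the currently published $z$; the revoked member's old witness still satisfies the old $z$ but not the new one, and it has no way to produce a new witness because the Euclid step needs $\gcd(e_{own}, e_{rev}) = 1$.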
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ needs not to be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
Revocation: Zeroth Solution
Update of Credentials: encode validity time as attribute
– no additional effort for verifier
– if credential is valid → no need to check revocation updates from issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– Issuer chooses $e, s''$ and computes $c = (d / (U\, a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$
– Issuer returns $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$:
– Choose $e_i, s_i''$
– $c_i = (d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255-276.
– Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131-140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185-215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84-88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126-144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation78 August 11 2015
Commitment Schemes
© 2014 IBM Corporation, August 11 2015
Commitment Scheme: Functionality
[Figure: the committer locks a message m in a box and hands the box over (commit); later she hands over the key (open) and the receiver reads m.]
Commitment Scheme: Security
– Binding: a commitment to $m$ cannot later be opened to a different message $m' \neq m$.
– Hiding: for all messages $m, m'$, a commitment to $m$ is indistinguishable from a commitment to $m'$.
Commitment Schemes
Group $G = \langle g\rangle = \langle h\rangle$ of order $q$.
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r}, g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• verifier checks whether $c = g^{x} h^{r}$ (resp. $c = (g^{x} h^{r}, g^{r})$)
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
Perfectly hiding: let $c$ be a commitment and $u = \log_g h$. Then
$c = g^{x} h^{r} = g^{x + ur} = g^{x + u(r - r') + ur'} = g^{x + u(r - r')} h^{r'}$ for any $r'$,
i.e. given $c$ and any $x'$ there exists $r'$ (namely $r' = r + (x - x') u^{-1} \bmod q$) such that $c = g^{x'} h^{r'}$; even an unbounded adversary learns nothing about $x$ from $c$.
Computationally binding: let $c$, $(x, r)$ and $(x', r')$ with $x \neq x'$ be such that $c = g^{x} h^{r} = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x')(r' - r)^{-1} \bmod q$, i.e. whoever can open a commitment in two ways has computed the discrete logarithm of $h$ to the base $g$ (so $h$ must be generated such that nobody knows $\log_g h$).
Commitment Scheme: Extended Features
– Proof of knowledge of contents: prove that you know the $m$ inside a commitment without opening it.
– Proof of relations among contents: e.g. prove that a second commitment contains $m' = 2m$, again without opening either.
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$. Then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
proves knowledge of an opening $(\beta, \alpha) = (m, r)$ of $C_1$, and
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^{2})^{\beta} h^{\gamma}\}$
proves in addition that $C_2$ commits to $2\beta$, i.e. $m' = 2m$ (the verifier computes $g^{2}$ itself).
Putting Things Together
Realizing Pseudonyms and Key Binding
Let $G = \langle g\rangle = \langle h\rangle$ be of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$.
To compute a pseudonym $Nym$:
– choose random $r \in \mathbb{Z}_q$
– compute $Nym = g^{sk} h^{r}$
A pseudonym is thus a Pedersen commitment to the secret key: perfectly hiding, so different pseudonyms of the same user are unlinkable, and binding, so each pseudonym is tied to one $sk$.
Concept: Credentials – "like PKI, but better" (privacy-protecting authentication with Privacy-ABCs)
[Figure: issuing a credential. The issuer signs the user's attributes, e.g. Name = Alice Doe, Birth date = April 3, 1997.]
Realizing Issuance of a Credential
Recall a signature $(c, e, s)$ on messages $m_1, \dots, m_k$:
– $m_1, \dots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell + 1}$ (a prime)
– $d = c^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \bmod n$
Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
$d = c^{e} a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^{s} \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
[Figure: the user commits to $m_1, \dots, m_j$ and sends the commitment together with the clear messages $m_{j+1}, \dots, m_k$; the signer returns $\sigma = sig(commit(m_1, \dots, m_j), m_{j+1}, \dots, m_k)$, and $ver(\sigma, (m_1, \dots, m_k)) = true$.]
Verification remains unchanged. Security requirements are basically the same as for signatures, but
• the signer should not learn any information about $m_1, \dots, m_j$
• forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer's public key: $n, a_1, \dots, a_k, b, d$.
1. The user computes $C = a_1^{sk} b^{s'} \bmod n$ (a commitment to her secret key) and sends $C$ and her name together with $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$.
2. The issuer verifies the proof, chooses a prime $e$ and a random $s''$ and computes $c = \left(d / (C \, a_2^{name} \, b^{s''})\right)^{1/e} \bmod n$ (it knows the factorisation of $n$, so it can take $e$-th roots); it returns $(c, e, s'')$.
3. The user's credential is $(c, e, s' + s'')$: indeed $d = c^{e} a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$, a signature on $(sk, name)$ although the issuer never saw $sk$.
Realizing Issuance of a Credential (w.r.t. a pseudonym)
Want to sign w.r.t. $Nym = g^{sk} h^{r}$:
1. The user computes $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$ and sends $C$, $Nym$ and her name together with $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$, which ties the same $sk$ and $r$ to both.
2. The issuer verifies the proof, stores $(Nym, name)$, chooses a prime $e$ and a random $s''$ and computes $c = \left(d / (C \, a_3^{name} \, b^{s''})\right)^{1/e} \bmod n$; it returns $(c, e, s'')$.
3. The user's credential is $(c, e, s' + s'')$ with $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
– The user generates a pseudonym (her ID for registration).
– The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer's public key $(n, a_1, a_2, a_3, b, d)$.
– The credential can contain attributes (e.g. the course ID) about her.
Polling – Solution: Submitting an Opinion
1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms (re-randomises) the credential.
3. The user sends the transformed credential with a subset of the attributes, the domain pseudonym and her opinion:
– the user is anonymous and unlinkable across polls
– multiple opinions are detected because the domain pseudonym is unique per user and poll
Polling – Solution: The Proof
1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$.
$P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption), while two submissions to the same poll yield the same $P$.
2. The user transforms the credential: $c' = c \, b^{s^*} \bmod n$ with randomly chosen $s^*$ (so that $d = c'^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s - e s^*}$ still holds) and sends, as a signature on her opinion,
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell + 1}\}(opinion)$
Further Concepts
Concept – Inspection
[Figure: the user includes in her presentation token a verifiable encryption of an attribute under the inspector's public key; the parties shown are the user, the verifier and a TTP (the inspector), with the inspector parameters and the inspection grounds as inputs.]
• If the car is damaged, the ID has to be retrievable together with the insurance company or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen the trust placed in it.
Public Key Encryption
[Figure: key generation, encryption under the public key, decryption with the secret key.]
Security: like envelopes – a ciphertext reveals no information about the message; an adversary who chooses two messages cannot tell which of the two was encrypted.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
A label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label is a new ciphertext, so a ciphertext produced for one condition cannot be decrypted by presenting it under another.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (Strong RSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g\rangle$ of order $q$.
Secret key: $x \in \mathbb{Z}_q$; public key: $y = g^{x}$.
To encrypt a message $m \in \langle g\rangle$:
– choose random $r \in \mathbb{Z}_q$
– compute $c = (y^{r} m, g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
– thus set $m = c_1 c_2^{-x} = y^{r} m \, g^{-xr} = y^{r - r} m = m$
Realizing Inspection
Pseudonym $Nym = g^{sk} h^{r}$; credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; inspector's public key $y = g^{x}$.
Encrypt $Nym$: choose random $u \in \mathbb{Z}_q$ and compute $enc = (y^{u} Nym, g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c \, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell + 1}\}$
The proof ties the encrypted pseudonym to the secret key $\mu_1$ and randomness $\mu_2$ inside the credential, so the verifier knows that the inspector will recover exactly the pseudonym the credential was issued to.
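The three proof statements written in PK{...} notation on this page, the relation proof for two commitments (Commitment Scheme: Extended Features), the domain-pseudonym proof of the polling scenario and the inspection proof just above, are all instances of one Σ-protocol: proving knowledge of exponents in several discrete-logarithm equations that share witnesses. The Python below is an added example, not code from the slides or from Identity Mixer. It implements that generalised Schnorr proof with the Fiat-Shamir heuristic over a toy safe-prime group (p = 2039 is an assumed parameter chosen for readability; a deployment uses a 2048-bit safe prime or an elliptic curve) and applies it to the m' = 2m relation, to tying H(pollID)^sk to a pseudonym g^sk h^r, and to the verifiable ElGamal encryption of a pseudonym under an inspector key, followed by the inspector's decryption. The credential clause d = c'^ε ... of the slides' proofs and the range checks on μ_i and ε are left out, and all function and parameter names are the example's own.

```python
import hashlib
import secrets

# Toy group (assumed parameters, not from the slides): p = 2q + 1 is a safe prime,
# so the squares mod p form the subgroup of prime order q. A deployment uses a
# 2048-bit safe prime or an elliptic curve; 11-bit numbers only keep values readable.
P, Q = 2039, 1019
G = pow(2, 2, P)   # generator of the order-q subgroup
H = pow(3, 2, P)   # second generator; log_G(H) is assumed unknown (trusted setup)


def hash_to_group(label: bytes) -> int:
    """The H(pollID) of the slides: map a label into the order-q subgroup."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 1) + 1
    return pow(x, 2, P)


def pedersen_commit(x: int, r: int) -> int:
    """Pedersen commitment, also used as pseudonym Nym = g^sk h^r."""
    return pow(G, x, P) * pow(H, r, P) % P


def _challenge(*items: int) -> int:
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(equations, witnesses):
    """Fiat-Shamir proof for PK{(w_0..w_k): AND_i y_i = prod_j base_ij^(w[idx_ij])}.
    equations: list of (y, [(base, witness_index), ...]); witnesses: ints mod Q."""
    t = [secrets.randbelow(Q) for _ in witnesses]        # one nonce per witness
    commitments = []
    for _, terms in equations:                            # T_i = prod base^t[idx]
        acc = 1
        for base, idx in terms:
            acc = acc * pow(base, t[idx], P) % P
        commitments.append(acc)
    c = _challenge(*[y for y, _ in equations], *commitments)
    return c, [(tj + c * wj) % Q for tj, wj in zip(t, witnesses)]


def verify(equations, proof) -> bool:
    """Recompute T_i = y_i^(-c) * prod base^s[idx] and check the challenge matches."""
    c, s = proof
    n_wit = 1 + max(idx for _, terms in equations for _, idx in terms)
    if len(s) != n_wit or not all(0 <= v < Q for v in s):
        return False
    commitments = []
    for y, terms in equations:
        acc = pow(y, -c, P)                               # inverse power (Python >= 3.8)
        for base, idx in terms:
            acc = acc * pow(base, s[idx], P) % P
        commitments.append(acc)
    return c == _challenge(*[y for y, _ in equations], *commitments)


def demo_relation(m: int):
    """PK{(alpha,beta,gamma): C1 = g^beta h^alpha AND C2 = (g^2)^beta h^gamma}: C2 hides 2m."""
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    c1, c2 = pedersen_commit(m, r1), pedersen_commit(2 * m % Q, r2)
    eqs = [(c1, [(G, 1), (H, 0)]), (c2, [(pow(G, 2, P), 1), (H, 2)])]
    return eqs, prove(eqs, [r1, m, r2])                   # alpha=r1, beta=m, gamma=r2


def domain_pseudonym(sk: int, poll_id: bytes) -> int:
    """P = H(pollID)^sk: stable within one poll, unlinkable across polls (DDH)."""
    return pow(hash_to_group(poll_id), sk, P)


def demo_polling(sk: int, poll_id: bytes):
    """PK{(mu1, rho): P = H(pollID)^mu1 AND Nym = g^mu1 h^rho}: one sk behind both.
    (The slides bind mu1 to the credential instead of to Nym; the linear form is the same.)"""
    r = secrets.randbelow(Q)
    nym, p_dom = pedersen_commit(sk, r), domain_pseudonym(sk, poll_id)
    eqs = [(p_dom, [(hash_to_group(poll_id), 0)]), (nym, [(G, 0), (H, 1)])]
    return eqs, prove(eqs, [sk, r])


def inspector_keygen():
    """ElGamal key pair of the inspector: x and y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def demo_inspection(sk: int, r: int, y: int):
    """(e1, e2) = (y^u Nym, g^u) with PK{(mu1, mu2, rho): e1 = y^rho g^mu1 h^mu2 AND e2 = g^rho}."""
    u = secrets.randbelow(Q)
    e1, e2 = pow(y, u, P) * pedersen_commit(sk, r) % P, pow(G, u, P)
    eqs = [(e1, [(y, 2), (G, 0), (H, 1)]), (e2, [(G, 2)])]
    return (e1, e2), eqs, prove(eqs, [sk, r, u])          # mu1=sk, mu2=r, rho=u


def inspector_decrypt(x: int, e1: int, e2: int) -> int:
    """Inspector recovers Nym = e1 * e2^(-x)."""
    return e1 * pow(e2, -x, P) % P
```

verify recomputes the prover's commitments from the responses and hashes them together with every target, so a proof is bound to the exact list of equations: changing or reordering a target changes the challenge. A statement with an OR, as in the first revocation solution further down, needs the simulated-branch technique and is not covered by this helper.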
Revocation of Credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation information; the verifier looks it up when Alice presents her credential.]
There are various reasons to revoke a credential: the user lost the credential or the secret key, misbehaviour of the user, etc.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work: a presentation reveals no stable identifier of the credential that a verifier could look up.
Revocable Credentials – First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for $u_j \in (u_1, \dots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \dots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials – Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$.
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– verifier checks whether $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public instead? Then every $u_i$ is known and a verifier can test any stored pair $(h, U)$ against all of them. Even with the list of invalid $u_i$'s: if a credential is revoked, all its past transactions become linkable, because the verifier can test its stored $(h, U)$ pairs against the newly published $u$.
Revocable Credentials – Second Solution (variation)
Variation: the verifier could choose $h$ and keep it fixed for a while.
– It can then pre-compute the list $U_i = h^{u_i}$ → a single table lookup per presentation.
– BUT if the user comes again, the verifier can link the two visits (same $h$, same $U$).
– ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers, and link across visits and verifiers.
One way out: $h = H(verifier, date)$, so the user can check that $h$ was formed correctly; the date could be the time up to seconds, and the verifier could just pre-compute and store all the lists.
Revocable Credentials – Second Solution (better implementation of the proof)
The issuer signs the intervals between revoked IDs: for revocation list $\{1, 4, 5\}$ it publishes $Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)$.
Alice, whose credential contains $u$ (e.g. $u = 3$), proves that she knows some $Sig(i, j)$ with $i < u < j$; since the revoked IDs are exactly the interval endpoints, this shows that $u$ is not revoked, with work independent of the list size. The verifier does not learn $i$, $j$ (nor $u$).
$Sig(i, j)$ can be realised with the credential signature scheme using a different public key.
Revocable Credentials – Third Solution: Using Cryptographic Accumulators
[Figure: credentials contain a random serial number (1, 2, 3, 4, 5, 6); the issuer accumulates all good serial numbers into one accumulator value; a credential proves that its serial is included in the accumulator, which requires a witness. To revoke serial 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.]
Revocable Credentials – Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials – Third Solution
Security of the accumulator: produce $x$ and $e$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For a fixed $e$: equivalent to the RSA assumption
– For any $e$ of the adversary's choice: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ together with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials – Third Solution
Prove that your key is in the accumulator:
– commit to $x$:
• choose random $s$ and $g$
• compute $U_1 = x h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Analysis:
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. $U_1 h^{-\delta}$ is a witness for $\mu$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the $e$ signed in the certificate
Revocation – Third Solution: Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all existing witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$ (then $x'^{e_{own}} = (x^{e_{own}})^{e_{new}} = z^{e_{new}} = z'$)
When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (the issuer knows the factorisation of $n$ and can take the root)
– witness update for a user holding $x$ with $x^{e_{own}} = z$:
• use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a \, e_{own} + b \, e_{rev} = 1$ (possible since both are distinct primes; one of $a, b$ is negative, so the corresponding power is computed via the inverse mod $n$)
• now $x' = x^{b} z'^{a} \bmod n$
• why? $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}}\big)^{1/e_{rev}} = \big(z^{b e_{rev}} z^{a e_{own}}\big)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
– the update needs only public data ($z'$, $e_{rev}$), so every unrevoked user can repair his own witness
Revocation – Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorisation of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so the issuer sets $v' = v^{1/e_{new}} \bmod n$ (then $z = v'^{e_{new} \prod e_i}$ still holds) and hands out the witness $x = z^{1/e_{new}} \bmod n$
– thus $z$ needs not be changed when a new member joins, and the existing witnesses stay valid
Witnesses need to be recomputed upon revocation only.
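The dynamic-accumulator slides above as one worked Python example, added here and not code from the slides or from the Camenisch-Lysyanskaya paper: the issuer accumulates prime serials, hands out witnesses using the improved join that leaves z unchanged, revokes a serial by taking an e_rev-th root, and every remaining user repairs his own witness from public data with the extended Euclidean algorithm. The modulus n = (2^31 - 1)(2^61 - 1), the random seed and the serial list are assumed toy values; the factorisation is known here only so that the issuer side runs. The zero-knowledge proof that a committed e is in the accumulator is not implemented.

```python
import math
import secrets

# Toy RSA modulus (assumed, not from the slides): the two Mersenne primes
# 2^31 - 1 and 2^61 - 1. Its factorisation is public here only so that the
# issuer side of the example runs; a real accumulator uses a >= 2048-bit n.
P1, P2 = (1 << 31) - 1, (1 << 61) - 1
N, PHI = P1 * P2, (P1 - 1) * (P2 - 1)
# Accumulated values must be distinct primes coprime to phi(n); these are.
SERIALS = [17, 19, 23, 29, 37, 43]


def egcd(a: int, b: int):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def random_qr() -> int:
    """Random quadratic residue mod n coprime to n (the seed v)."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return pow(x, 2, N)


class Issuer:
    """Issuer side: knows phi(n), so it can take e-th roots mod n."""

    def __init__(self):
        self.v = random_qr()       # invariant: z = v^(prod of member serials)
        self.z = self.v            # published accumulator; no members yet
        self.members = set()

    def add(self, e: int) -> int:
        """Improved join: z stays, v becomes v^(1/e); the new witness is z^(1/e)."""
        if e in self.members or math.gcd(e, PHI) != 1:
            raise ValueError("serial must be a fresh prime coprime to phi(n)")
        inv = pow(e, -1, PHI)
        self.v = pow(self.v, inv, N)
        self.members.add(e)
        return pow(self.z, inv, N)

    def revoke(self, e: int) -> int:
        """Remove e: z' = z^(1/e). Only the issuer can do this; users then update."""
        self.members.remove(e)
        self.z = pow(self.z, pow(e, -1, PHI), N)
        return self.z


def verify_membership(z: int, e: int, x: int) -> bool:
    """Verifier: the witness x for e satisfies z = x^e mod n."""
    return pow(x, e, N) == z


def witness_after_join_basic(x: int, z: int, e_new: int):
    """Non-improved join: z' = z^e_new and every witness becomes x' = x^e_new."""
    return pow(x, e_new, N), pow(z, e_new, N)


def witness_after_revoke(x: int, e_own: int, e_rev: int, z_new: int) -> int:
    """User-side update from public data only. With a*e_own + b*e_rev = 1:
    x' = x^b * z_new^a, and x'^e_own = (z^(b*e_rev + a*e_own))^(1/e_rev) = z_new."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated values must be distinct primes")
    return pow(x, b, N) * pow(z_new, a, N) % N   # negative exponent -> inverse mod n


def demo():
    """Returns (all witnesses valid, revoked witness still valid, updated witnesses valid)."""
    issuer = Issuer()
    witness = {e: issuer.add(e) for e in SERIALS}
    all_ok = all(verify_membership(issuer.z, e, witness[e]) for e in SERIALS)
    revoked = 19
    z_new = issuer.revoke(revoked)
    stale = verify_membership(z_new, revoked, witness[revoked])   # must be False
    for e in SERIALS:
        if e != revoked:
            witness[e] = witness_after_revoke(witness[e], e, revoked, z_new)
    still_ok = all(verify_membership(z_new, e, witness[e]) for e in SERIALS if e != revoked)
    return all_ok, stale, still_ok
```

The revoked user still holds a witness for the old z, and the demo shows that it fails against the new z while every other user's updated witness verifies. A user who missed several revocations has to replay witness_after_revoke once per revoked serial, in order, which is why an issuer publishes the sequence of (e_rev, z') updates rather than only the latest z.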
Revocation – Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier: it only checks the time attribute shown in the presentation.
– If the credential is valid → no need to check revocation updates from the issuer.
Revocation – Zeroth Solution: Re-issue Certificates
(off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– the issuer chooses $e, s''$ and computes $c = \left(d / (U \, a_3^{m_3} \, a_4^{time} \, b^{s''})\right)^{1/e} \bmod n$, returning $(c, e, s'')$
Idea: just repeat the last step for each new validity time $time_i$:
– the issuer chooses $e_i, s_i''$ and computes $c_i = \left(d / (U \, a_3^{m_3} \, a_4^{time_i} \, b^{s_i''})\right)^{1/e_i} \bmod n$
– the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means; no interaction is needed because the issuer keeps $U$, and the user's new credential is $(c_i, e_i, s' + s_i'')$
Conclusions
Roadmap:
– explain the possibilities to engineers, policy makers, etc.
– usable prototypes
– provide transparency
– public infrastructure for privacy protection
– laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– end users are not able to handle their data (user interfaces)
– security technology is typically invisible and hard to sell
Towards a secure information society:
– society changes quickly and gets shaped by technology
– consequences are hard to grasp (time will show)
– we must inform and engage in a dialogue
Thank you!
E-mail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Vol. 16, No. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
Want to sign w.r.t. $Nym = g^{sk} h^{r}$, with issuer's public key $(n, a_i, b, d)$.
1. User computes $C = a_1^{sk} a_2^{r} b^{s'} \bmod n$ and sends $C$, $Nym$ and her name to the issuer.
2. User proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
3. Issuer stores $(Nym, name)$, chooses $e$ and $s''$, computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$ and sends $(c, e, s'')$ to the user.
4. The user's credential is $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous.
– A user's opinions in different polls must not be linkable.
Polling – Solution: Registration
User generates a pseudonym (ID for registration).
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
The credential can contain attributes (e.g. course ID) about her.
Issuer's public key: $(n, a_1, a_2, b, d)$
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for the domain = pollID.
2. User transforms her credential.
3. User presents the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
$P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms her credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(\text{opinion})$
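Added example (not code from the deck): the polling flow above in Python, reduced to the domain pseudonym $P = H(pollID)^{sk}$ and a Schnorr-style SPK of $sk$ over the opinion, with the pollster dropping a second opinion under the same domain pseudonym. The credential part of the SPK ($d = c'^{\varepsilon} \cdots$) is not implemented, and the group parameters P, Q, G and the hash-to-group function are constructed toy values, not the deck's.

```python
import hashlib
import secrets

# Constructed toy group (assumption, NOT secure): p = 2q+1 with q prime and
# G generating the order-q subgroup of squares in Z_p^*.
P, Q, G = 1019, 509, 4


def hash_to_group(poll_id: str) -> int:
    """H(pollID): hash the poll identifier into the order-q subgroup <G>.
    Squaring maps any nonzero residue into the subgroup; a counter avoids 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{poll_id}|{counter}".encode()).digest()
        candidate = pow(int.from_bytes(digest, "big") % P, 2, P)
        if candidate != 1:
            return candidate
        counter += 1


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = g_d^sk with g_d = H(pollID): fixed per (user, poll), and
    unlinkable across polls under DDH."""
    return pow(hash_to_group(poll_id), sk, P)


def challenge(*parts) -> int:
    """Fiat-Shamir challenge over the statement and the signed opinion
    (kept at full hash width; the group reduces exponents mod q itself)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def spk_sign(sk: int, poll_id: str, opinion: str):
    """SPK{(mu): P = g_d^mu}(opinion): Schnorr proof of knowledge of sk,
    with the opinion bound into the challenge as the signed message."""
    g_d = hash_to_group(poll_id)
    pseudo = pow(g_d, sk, P)
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce in [1, q-1]
    t = pow(g_d, k, P)
    c = challenge(poll_id, pseudo, t, opinion)
    s = (k - c * sk) % Q
    return pseudo, (c, s)


def spk_verify(poll_id: str, pseudo: int, opinion: str, proof) -> bool:
    """Recompute t = g_d^s * P^c and check that the challenge matches."""
    c, s = proof
    g_d = hash_to_group(poll_id)
    t = (pow(g_d, s, P) * pow(pseudo, c, P)) % P
    return c == challenge(poll_id, pseudo, t, opinion)


class Pollster:
    """Accepts one opinion per domain pseudonym; later attempts are dropped."""

    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.opinions = {}        # domain pseudonym -> opinion

    def submit(self, pseudo: int, opinion: str, proof) -> bool:
        if not spk_verify(self.poll_id, pseudo, opinion, proof):
            return False          # proof does not verify
        if pseudo in self.opinions:
            return False          # same sk already voiced an opinion here
        self.opinions[pseudo] = opinion
        return True


if __name__ == "__main__":
    poll = Pollster("course-eval-2015")
    pseudo, proof = spk_sign(123, poll.poll_id, "good course")
    print("first submission accepted:", poll.submit(pseudo, "good course", proof))
    pseudo2, proof2 = spk_sign(123, poll.poll_id, "changed my mind")
    print("second submission accepted:", poll.submit(pseudo2, "changed my mind", proof2))
```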
Further Concepts
Concept – Inspection
(Figure: a trusted third party (TTP) acting as inspector publishes the inspector parameters; the presentation states the inspection grounds.)
• If the car is damaged, the ID needs to be retrievable by the insurance or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Key generation, encryption, decryption.
Security: like envelopes, the ciphertext reveals no information about the message.
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label yields a new ciphertext.
Verifiable Encryption
Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption.
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL).
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient.
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \dots, q\}$; public key: $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \dots, q\}$
– compute $c = (y^{r} m,\; g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^{r} m, g^{r}) = (g^{xr} m, g^{r})$
– thus set $m = c_1 \cdot c_2^{-x} = y^{r} m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
User holds $Nym = g^{sk} h^{r}$ and credential $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^{x}$.
Encrypt Nym: choose random $u \in \{1, \dots, q\}$ and compute $enc = (y^{u} Nym,\; g^{u}) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
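Added example (not code from the deck): the ElGamal scheme and the inspection encryption above in Python, i.e. encrypting a pseudonym Nym under the inspector's key $y = g^{x}$ as $(y^{u} Nym, g^{u})$ and recovering it as $e_1 \cdot e_2^{-x}$, with the issuer's stored (Nym, name) pair resolving the identity. The group parameters are constructed toy values, and the PK that ties $(e_1, e_2)$ to the credential is not implemented.

```python
import secrets

# Constructed toy group (assumption, NOT secure): p = 2q+1; G and H generate
# the order-q subgroup of squares in Z_p^*; log_G H is unknown to the user.
P, Q, G, H = 1019, 509, 4, 9


def inspector_keygen(x=None):
    """Secret key x in {1..q-1}, public key y = g^x (x may be fixed for tests)."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def make_pseudonym(sk: int, r: int) -> int:
    """Nym = g^sk h^r, the user's pseudonym from the deck."""
    return (pow(G, sk, P) * pow(H, r, P)) % P


def encrypt_nym(y: int, nym: int, u=None):
    """enc = (y^u * Nym, g^u) = (e1, e2) with a fresh random u in {1..q-1}."""
    if u is None:
        u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * nym) % P, pow(G, u, P)


def inspect(x: int, enc) -> int:
    """Inspector recovers Nym = e1 * e2^(-x), since y^u Nym g^(-xu) = Nym."""
    e1, e2 = enc
    return (e1 * pow(e2, -x, P)) % P       # negative exponent needs Python 3.8+


def lookup_identity(registry: dict, nym: int):
    """Issuer side: the (Nym, name) pair stored at issuance names the user."""
    return registry.get(nym)


if __name__ == "__main__":
    x, y = inspector_keygen()
    nym = make_pseudonym(5, 7)             # constructed sk = 5, r = 7
    registry = {nym: "Alice Doe"}          # constructed issuer record
    enc = encrypt_nym(y, nym)
    print("verifier sees only:", enc)
    print("inspector resolves:", lookup_identity(registry, inspect(x, enc)))
```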
Revocation of credentials
Anonymous Credential Revocation
Various reasons to revoke a credential: the user lost the credential secret key; misbehavior of the user.
(Figure: the issuer publishes revocation information; the verifier looks it up.)
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \dots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \dots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is not on the list:
– Choose random $h$ and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– Verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
– Can pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution
... better implementation of the proof:
– The issuer signs the intervals between revoked values: revocation list $\{1, 4, 5\}$ → $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$.
– Alice's credential contains $u$ (in the figure $u = 3$); she proves that she knows $i < u < j$ and $Sig(i,j)$.
– The verifier does not learn $i$, $j$.
– $Sig(i,j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
– Credentials contain a random serial number (figure: serial numbers 1 to 6, Alice's is 2).
– The issuer accumulates all good serial numbers.
– Proving that Alice's serial number is included in the accumulator requires a witness.
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: show $e$ and $x$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x h^{s}$, $U_2 = g^{s}$, and reveal $U_1$, $U_2$, $g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
• Use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• Now $x' = x^{b} z'^{a} \bmod n$
• Why? $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only.
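Added example (not code from the deck): the RSA accumulator of the third solution in Python, covering accumulation, witness computation, the membership check, adding a member both without and with the issuer's knowledge of the factorisation, and the revocation witness update $x' = x^{b} z'^{a}$ via the extended Euclidean algorithm. The modulus $n = 1009 \cdot 1013$, the seed $v = 7$ and the prime serial numbers are constructed toy values.

```python
# Constructed toy RSA modulus (assumption, NOT secure): the issuer knows the
# factorisation and uses phi(n) only to take e-th roots.
P_FACTOR, Q_FACTOR = 1009, 1013
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
V = 7   # seed v; accumulated primes e_i must be coprime to phi(n)


def accumulate(values):
    """z = v^(prod e_i) mod n over the accumulated prime serial numbers."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j):
    """Witness x for e_j: v raised to the product of all OTHER accumulated values."""
    x = V
    for e in values:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, e, x):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def issuer_root(z, e):
    """Issuer only: z^(1/e) mod n via e^(-1) mod phi(n) (Python 3.8+ pow)."""
    return pow(z, pow(e, -1, PHI), N)


def add_member(z_or_x, e_new):
    """Without the factorisation: z' = z^e_new, and every witness x' = x^e_new."""
    return pow(z_or_x, e_new, N)


def witness_for_new_member(z, e_new):
    """Improved variant: z stays fixed, the newcomer's witness is z^(1/e_new)."""
    return issuer_root(z, e_new)


def revoke(z, e_rev):
    """z' = z^(1/e_rev): e_rev drops out of the product in the exponent."""
    return issuer_root(z, e_rev)


def update_witness_after_revocation(x, z_new, e_own, e_rev):
    """a*e_own + b*e_rev = 1, then x' = x^b * z'^a mod n, which satisfies
    x'^e_own = z^b * z'^(a e_own) = z'^(b e_rev + a e_own) = z' as derived above."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("serial numbers must be distinct primes")
    return (pow(x, b, N) * pow(z_new, a, N)) % N


if __name__ == "__main__":
    members = [5, 13, 17, 19]             # constructed prime serial numbers
    z = accumulate(members)
    x17 = witness(members, 17)
    print("17 accumulated:", verify(z, 17, x17))
    z_new = revoke(z, 13)
    x17 = update_witness_after_revocation(x17, z_new, 17, 13)
    print("17 still accumulated after revoking 13:", verify(z_new, 17, x17))
    print("13 still accumulated:", verify(z_new, 13, witness(members, 13)))
```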
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier.
– If the credential is valid → no need to check revocation updates from the issuer.
Re-issue certificates (off-line; interaction might be too expensive).
Recall issuing for Identity Mixer:
– User sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$.
– Issuer chooses $e$, $s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$; the signature is $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive).
Idea: just repeat the last step for each new time $time_i$:
– Choose $e_i$, $s_i''$
– $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society:
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Commitment Scheme: Security
Binding: a commitment cannot be opened to two different messages $m \neq m'$.
Hiding: for all messages $m, m'$, a commitment to $m$ and a commitment to $m'$ are indistinguishable.
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to an element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^{x} h^{r},\; g^{r})$
To open a commitment:
• reveal $x$ and $r$ to the verifier
• the verifier checks if $c = g^{x} h^{r}$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^{x} h^{r}$.
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^{x} h^{r} = g^{x + ur} = g^{(x + ur) + u(r' - r')} = g^{x + ur'} h^{r - r'}$ for any $r'$.
I.e., given $c$ and any $x'$, there exists $r''$ such that $c = g^{x'} h^{r''}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^{x} h^{r} = g^{x'} h^{r'}$.
Then $g^{x - x'} = h^{r' - r}$ and $u = \log_g h = (x - x') / (r' - r) \bmod q$.
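Added example (not code from the deck): Pedersen's scheme above in Python with both derivations made executable: `equivocate` realises the perfect-hiding argument (for any $x'$ there is an $r'$ opening $c$ to $x'$, which needs the trapdoor $u = \log_g h$ that an honest setup would not keep), and `extract_trapdoor` realises the binding argument (two openings yield $u = (x - x')/(r' - r) \bmod q$). The group parameters are constructed toy values.

```python
import secrets

# Constructed toy group (assumption, NOT secure): p = 2q+1, G of order q.
P, Q, G = 1019, 509, 4


def setup(u=None):
    """Return (h, u) with h = g^u.  An honest setup discards u (or derives h
    so that nobody knows log_g h); it is returned here only for the demos."""
    if u is None:
        u = secrets.randbelow(Q - 1) + 1
    return pow(G, u, P), u


def commit(h, x, r=None):
    """Pedersen commitment c = g^x h^r, with fresh r unless one is supplied."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, x, P) * pow(h, r, P)) % P, r


def open_commitment(h, c, x, r) -> bool:
    """Verifier's check: c == g^x h^r."""
    return c == (pow(G, x, P) * pow(h, r, P)) % P


def equivocate(u, x, r, x_new):
    """Perfect hiding: c = g^(x+ur), so for any x' the randomness
    r' = r + (x - x')/u satisfies x' + u r' = x + u r, i.e. c = g^x' h^r'."""
    return (r + (x - x_new) * pow(u, -1, Q)) % Q     # pow(.., -1, Q): Python 3.8+


def extract_trapdoor(x1, r1, x2, r2):
    """Computational binding: from c = g^x1 h^r1 = g^x2 h^r2 with x1 != x2
    follows g^(x1-x2) = h^(r2-r1), so log_g h = (x1-x2)/(r2-r1) mod q."""
    if (r2 - r1) % Q == 0:
        raise ValueError("openings do not differ in r: nothing to extract")
    return ((x1 - x2) * pow((r2 - r1) % Q, -1, Q)) % Q


if __name__ == "__main__":
    h, u = setup()
    c, r = commit(h, 42)                     # constructed committed value
    r_alt = equivocate(u, 42, r, 99)         # same c now opens to 99
    print("opens to 42:", open_commitment(h, c, 42, r))
    print("opens to 99:", open_commitment(h, c, 99, r_alt))
    print("trapdoor recovered:", extract_trapdoor(42, r, 99, r_alt) == u)
```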
Commitment Scheme: Extended Features
Proof of knowledge of contents: the prover convinces the verifier that she knows the $m$ inside the commitment (verifier outputs true).
Proof of relations among contents: e.g. that the committed values satisfy $m' = 2 \cdot m$ (verifier outputs true).
Let $C = g^{m} h^{r}$ and $C' = g^{m'} h^{r'}$; then
$PK\{(\alpha, \beta): C = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C = g^{\beta} h^{\alpha} \wedge C' = (g^{2})^{\beta} h^{\gamma}\}$
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$.
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym Nym:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^{r}$
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Commitment Scheme Security (figures)
Binding: a commitment to $m$ cannot later be opened to a different message $m' \neq m$
Hiding: for all messages $m, m'$, the commitments to $m$ and to $m'$ are indistinguishable
Commitment Schemes
Group $G = \langle g \rangle = \langle h \rangle$ of order $q$
To commit to element $x \in \mathbb{Z}_q$:
• Pedersen (perfectly hiding, computationally binding): choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
• ElGamal (computationally hiding, perfectly binding): choose $r \in \mathbb{Z}_q$ and compute $c = (g^x h^r, g^r)$
To open commitment:
• reveal $x$ and $r$ to verifier
• verifier checks if $c = g^x h^r$
Pedersen's Commitment Scheme
Choose $r \in \mathbb{Z}_q$ and compute $c = g^x h^r$
Perfectly hiding:
Let $c$ be a commitment and $u = \log_g h$.
Thus $c = g^x h^r = g^{x+ur} = g^{(x+ur)+u(r'-r')} = g^{x+ur'} h^{r-r'}$ for any $r'$.
I.e., given $c$ and any $x'$ there exists an $r'$ such that $c = g^{x'} h^{r'}$.
Computationally binding:
Let $c$, $(x, r)$ and $(x', r')$ s.t. $c = g^x h^r = g^{x'} h^{r'}$.
Then $g^{x-x'} = h^{r'-r}$ and $u = \log_g h = (x-x')/(r'-r) \bmod q$, i.e. two different openings of one commitment reveal the discrete logarithm of $h$.
Commitment Scheme: Extended Features
Proof of Knowledge of Contents (figure: the prover convinces the verifier that she knows the $m$ inside the commitment)
Proof of Relations among Contents (figure: e.g. that the contents satisfy $m' = 2 \cdot m$)
Let $C_1 = g^{m} h^{r}$ and $C_2 = g^{m'} h^{r'}$, then
$PK\{(\alpha, \beta): C_1 = g^{\beta} h^{\alpha}\}$
$PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$ (proves $m' = 2m$)
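As an added example (not from the slides), the Pedersen commitment of the previous slides with both security arguments made concrete, plus a Fiat-Shamir instance of $PK\{(\alpha, \beta, \gamma): C_1 = g^{\beta} h^{\alpha} \wedge C_2 = (g^2)^{\beta} h^{\gamma}\}$ from the Extended Features slide. The group parameters, the trapdoor $u$ and the hash-based challenge are toy choices made here.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (far too small for real use):
# p = 2q + 1 is a safe prime, g generates the order-q subgroup of Z_p^*, and
# h = g^u for a trapdoor u that a real setup must keep unknown to everyone.
P, Q = 1019, 509
G = 4                    # 4 = 2^2 is a quadratic residue, hence of order q
U = 123                  # trapdoor u = log_g h; only the equivocation demo uses it
H = pow(G, U, P)

def commit(x, r):
    """Pedersen commitment c = g^x h^r for x, r in Z_q."""
    return pow(G, x, P) * pow(H, r, P) % P

def open_ok(c, x, r):
    """Verifier's check of an opening (x, r)."""
    return c == commit(x, r)

def equivocate(x, r, x_new):
    """Perfect hiding, made explicit: c = g^x h^r = g^(x + u r), so with u known
    c also opens to x_new with r' = r + (x - x_new)/u mod q."""
    return (r + (x - x_new) * pow(U, -1, Q)) % Q

def extract_trapdoor(x1, r1, x2, r2):
    """Computational binding: two openings of one commitment give
    g^(x1 - x2) = h^(r2 - r1), i.e. log_g h = (x1 - x2)/(r2 - r1) mod q."""
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q

def _challenge(*values):
    """Fiat-Shamir challenge in Z_q over the statement and the announcements."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_double(m, r1, r2):
    """Non-interactive PK{(alpha, beta, gamma): C1 = g^beta h^alpha and
    C2 = (g^2)^beta h^gamma} with C1 = g^m h^r1 and C2 = g^(2m) h^r2,
    i.e. C2 commits to twice the content of C1."""
    c1, c2 = commit(m, r1), commit(2 * m, r2)
    ka, kb, kc = (secrets.randbelow(Q) for _ in range(3))       # random nonces
    t1 = pow(G, kb, P) * pow(H, ka, P) % P                       # g^kb h^ka
    t2 = pow(G, 2 * kb, P) * pow(H, kc, P) % P                   # (g^2)^kb h^kc
    e = _challenge(c1, c2, t1, t2)
    sa, sb, sc = (ka + e * r1) % Q, (kb + e * m) % Q, (kc + e * r2) % Q
    return c1, c2, (t1, t2, sa, sb, sc)

def verify_double(c1, c2, proof):
    """Verifier recomputes the challenge and checks both equations."""
    t1, t2, sa, sb, sc = proof
    e = _challenge(c1, c2, t1, t2)
    eq1 = pow(G, sb, P) * pow(H, sa, P) % P == t1 * pow(c1, e, P) % P
    eq2 = pow(G, 2 * sb, P) * pow(H, sc, P) % P == t2 * pow(c2, e, P) % P
    return eq1 and eq2
```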
Putting things together
Realizing Pseudonyms and Key Binding
Let $G = \langle g \rangle = \langle h \rangle$ of order $q$
User's secret key: random $sk \in \mathbb{Z}_q$
To compute a pseudonym $Nym$:
– Choose random $r \in \mathbb{Z}_q$
– Compute $Nym = g^{sk} h^r$
Concept: credentials (figure)
Like PKI, but better: privacy-protecting authentication with Privacy-ABCs
Issuing a credential, e.g. with the attributes Name = Alice Doe, Birth date = April 3, 1997
Realizing Issuance of Credential
Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
– $m_1, \ldots, m_k \in \{0,1\}^{\ell}$
– $e > 2^{\ell+1}$
– $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Problem: Pseudonym not in message space
Solution: Sign secret key instead
→ $d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New Problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The user sends the signer a commitment to the hidden messages $m_1, \ldots, m_j$ together with the clear messages $(m_{j+1}, \ldots, m_k)$; the signer returns $\sigma = \mathrm{sig}(\mathrm{commitment}(m_1, \ldots, m_j), (m_{j+1}, \ldots, m_k))$ with $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$
Verification remains unchanged. Security requirements basically the same as for signatures, but
• signer should not learn any information about $m_1, \ldots, m_j$
• forgery w.r.t. message = clear parts and opening of commitments
Realizing Issuance of Credential (step by step, without pseudonym binding)
Issuer's public key: $(n, a_i, b, d)$
1. User chooses $s'$, computes $C = a_1^{sk} b^{s'}$ and sends $C$ and her name to the issuer
2. User proves $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$
3. Issuer chooses $(e, s'')$, computes $c = (d / (C\, a_2^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
4. Resulting credential: $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$
Realizing Issuance of Credential (bound to the pseudonym)
Issuer's public key: $(n, a_i, b, d)$. Want to sign w.r.t. $Nym = g^{sk} h^r$
1. User computes $C = a_1^{sk} a_2^{r} b^{s'}$ and sends $C$, $Nym$ and her name to the issuer
2. User proves $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
3. Issuer stores $(Nym, name)$, chooses $(e, s'')$, computes $c = (d / (C\, a_3^{name} b^{s''}))^{1/e} \bmod n$ and returns $(c, e, s'')$
4. Resulting credential: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$
An Example Scenario
Polling: Scenario and Requirements
Scenario: Pollster(s) and a number of users
Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
User can voice opinion only once (subsequent attempts are dropped)
Users want to be anonymous. A user's opinions in different polls must not be linkable
Polling – Solution: Registration
User generates pseudonym (ID for registration)
User obtains credential on pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
Credential can contain attributes (e.g. course ID) about her
Issuer's public key: $(n, a_i, b, d)$
Polling – Solution: Submit Poll
1. User generates domain pseudonym (domain = pollID)
2. User transforms credential
3. Transformed credential with a subset of the attributes is presented
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms credential
   – $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   – $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(\mathrm{opinion})$
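Added example, not part of the slides: toy issuance of the credential $(c, e, s)$ on the hidden $(sk, r)$ as on the Realizing Issuance slides, its randomization $c' = c\, b^{s'}$ and the domain pseudonym of this Polling slide. The modulus, generators, $e$ and the hash-to-group map are constructed values; the SPK itself is not implemented, `credential_valid` checks the relation it would prove.

```python
import hashlib
from math import gcd

# Toy strong-RSA issuer setup, constructed for this example. Real parameters are
# ~2048-bit and e must be a prime > 2^(l+1); those size constraints are ignored here.
P_ISS, Q_ISS = 1019, 1187                  # safe primes, known only to the issuer
N = P_ISS * Q_ISS
PHI = (P_ISS - 1) * (Q_ISS - 1)            # issuer trapdoor for taking e-th roots mod n

def _qr(seed):
    return pow(seed, 2, N)                 # quadratic residue mod n (a unit, so roots exist)

A1, A2, A3, B, D = _qr(2), _qr(3), _qr(5), _qr(6), _qr(7)   # public key (n, a_1, a_2, a_3, b, d)

# Toy prime-order group for domain pseudonyms: p = 2q + 1, G_GRP generates the order-q subgroup.
P_GRP, Q_GRP, G_GRP = 1019, 509, 4

def user_commit(sk, r, s1):
    """User's first message C = a_1^sk a_2^r b^s', which hides sk and r from the issuer.
    (In the real protocol she also proves PK{(mu, rho, sigma): Nym = g^mu h^rho and
    C = a_1^mu a_2^rho b^sigma}; that proof is not implemented here.)"""
    return pow(A1, sk, N) * pow(A2, r, N) * pow(B, s1, N) % N

def issue(C, attr, e, s2):
    """Issuer: c = (d / (C a_3^attr b^s''))^(1/e) mod n, using phi(n) for the e-th root.
    Returns (c, e, s''); the user's credential is (c, e, s' + s'')."""
    assert gcd(e, PHI) == 1
    base = D * pow(C * pow(A3, attr, N) * pow(B, s2, N), -1, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s2

def credential_valid(cred, sk, r, attr):
    """The relation d = c^e a_1^sk a_2^r a_3^attr b^s (mod n). The polling SPK proves
    knowledge of (e, sk, r, attr, s) satisfying it; here the values are checked directly."""
    c, e, s = cred
    rhs = pow(c, e, N) * pow(A1, sk, N) * pow(A2, r, N) * pow(A3, attr, N) * pow(B, s, N) % N
    return D == rhs

def randomize(cred, s_blind):
    """User: c' = c b^s' mod n with fresh s'. Since c'^e b^(s - e s') = c^e b^s, the
    triple (c', e, s - e s') is an equally valid but unlinkable form of the credential."""
    c, e, s = cred
    return c * pow(B, s_blind, N) % N, e, s - e * s_blind

def domain_pseudonym(poll_id, sk):
    """P = g_d^sk with g_d derived from the poll ID. Same user + same poll -> same P,
    so a second opinion is detected; across polls the values are unlinkable under DDH."""
    h = int.from_bytes(hashlib.sha256(poll_id).digest(), "big")
    g_d = pow(G_GRP, 1 + h % (Q_GRP - 1), P_GRP)   # toy hash-to-group: never the identity
    return pow(g_d, sk, P_GRP)

if __name__ == "__main__":
    sk, r, s1 = 12345, 6789, 2024                      # user's secrets (constructed)
    course = int.from_bytes(b"CS101", "big")           # attribute encoded as an integer
    c, e, s2 = issue(user_commit(sk, r, s1), course, 65537, 777)
    cred = (c, e, s1 + s2)
    shown = randomize(cred, 31337)
    print(credential_valid(cred, sk, r, course), credential_valid(shown, sk, r, course))
```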
Further Concepts
Concept – Inspection (figure: user, verifier and an off-line trusted third party (TTP); inspector parameters; inspection grounds)
• If car is damaged, ID with insurance or gov't needs to be retrieved
• Similarly, verifiably encrypt any certified attribute (optional)
• TTP is off-line & can be distributed to lessen trust
Public Key Encryption (figure: Key Generation, Encryption, Decryption)
Security – like envelopes: no info about the message (not even which one of two candidate messages was encrypted)
This is called semantic security (secure if used once only or within careful construction)
Verifiable Encryption with Label
Label is important to bind context to an encryption. E.g. defines decryption condition, binds user to car, etc.
Security definition: change of label is a new ciphertext
Verifiable Encryption
Of attributes (discrete logarithm) – Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements) – Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists) – Camenisch-Damgård works for any scheme, but is much less efficient
Open Problem: to find new ones
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$
Secret key: $x \in \{1, \ldots, q\}$; public key: $y = g^x$
To encrypt message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt ciphertext $c = (c_1, c_2)$:
– We know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– Thus set $m = c_1 c_2^{-x} = y^r m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
User holds $Nym = g^{sk} h^r$ and the credential $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$
Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u Nym, g^u) = (e_1, e_2)$
Compute proof token (presentation token):
– compute $c' = c\, b^t \bmod n$ with randomly chosen $t$
– compute proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
Revocation of credentials
Anonymous Credential Revocation (figure: the issuer publishes revocation info, the verifier looks it up)
Various reasons to revoke a credential: user lost credential/secret key, misbehavior of user
Alice should be able to convince the verifier that her credential is among the good ones
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID $u_i$ as message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in size $k$ of list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID $u_i$ as message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$
Publish list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
Alice proves that her $u_i$ is not on the list:
– Choose random $h$ and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– Verifier checks whether $U = h^{u_j}$ for any $u_j$ on the list (and rejects if so)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: verifier could choose $h$ and keep it fixed for a while
→ can pre-compute the list $U_i = h^{u_i}$ → single table lookup
BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
– one way out: $h = H(\mathrm{verifier}, \mathrm{date})$, so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution – … better implementation of proof
Issuer signs the intervals between revoked values: for revocation list $\{1, 4, 5\}$ → $\mathrm{Sig}(0,1), \mathrm{Sig}(1,4), \mathrm{Sig}(4,5), \mathrm{Sig}(5,N)$
User proves that her credential contains a value $u$ with $i < u < j$ and that she holds $\mathrm{Sig}(i,j)$ (figure: $u = 3$ lies in the interval $(1,4)$)
Verifier does not learn $i, j$
$\mathrm{Sig}(i,j)$ can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution – Using cryptographic accumulators (figure with serial numbers 1 to 6)
Credentials contain a random serial number; the issuer accumulates all good serial numbers
Proof that a credential's serial number is included in the accumulator requires a witness
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of accumulator: it is infeasible to show $(x, e)$ with $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator
– For fixed $e$: equivalent to RSA assumption
– Any $e$: equivalent to Strong RSA assumption
Revocation: each cert is associated with an $e$ and each user gets witness $x$ with the certificate. But we still need:
– Efficient protocol to prove that a committed value is contained in the accumulator
– Dynamic accumulator, i.e. ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^s$, $U_2 = g^s$ and reveal $U_1, U_2, g$
– Run proof protocol with verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • proof protocol is zero-knowledge
– Proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{e_i \neq e_{rev}} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  • Now $x' = x^b z'^a \bmod n$
  • Why? $x'^{e_{own}} = ((x^b z'^a)^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^b z'^a)^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ needs not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
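Added example (not the slides' own code) of the dynamic accumulator from the Third Solution slides: accumulate, witness, add, revoke with the issuer's $1/e_{rev}$ root, and the extended-Euclid witness update. The modulus, the seed $v$ and the prime serial numbers are toy values constructed here.

```python
# Toy RSA accumulator for credential revocation. Constructed parameters: real
# moduli are ~2048-bit and the accumulated e_i are large primes from a fixed range.
P_, Q_ = 1019, 1187                   # safe primes known only to the issuer
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)             # lets the issuer take e-th roots (revocation)
V = pow(3, 2, N)                      # seed v, a quadratic residue mod n

def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y

def accumulate(es):
    """z = v^(prod e_i) mod n over the serial numbers of all valid credentials."""
    z = V
    for e in es:
        z = pow(z, e, N)
    return z

def witness(es, e_j):
    """x_j = v^(prod_{i != j} e_i) mod n, so that x_j^(e_j) = z."""
    x = V
    for e in es:
        if e != e_j:
            x = pow(x, e, N)
    return x

def verify(z, e, x):
    """Membership check the verifier runs (inside a ZK proof in the real protocol)."""
    return pow(x, e, N) == z

def add(z, e_new):
    """Issuer adds a credential: z' = z^(e_new). Every holder then updates x' = x^(e_new)."""
    return pow(z, e_new, N)

def update_witness_add(x, e_new):
    return pow(x, e_new, N)

def revoke(z, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) mod n, computed with phi(n)."""
    return pow(z, pow(e_rev, -1, PHI), N)

def update_witness_revoke(x, e_own, e_rev, z_new):
    """Unrevoked holder: find a, b with a*e_own + b*e_rev = 1 and set x' = x^b z'^a.
    Then x'^e_own = z^b z'^(a e_own) = z'^(b e_rev + a e_own) = z'. Returns None
    when gcd != 1, i.e. for e_own == e_rev: the revoked holder cannot repair her witness."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        return None
    return pow(x, b, N) * pow(z_new, a, N) % N      # negative b: modular inverse
```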
Revocation: Zeroth Solution
Update of credentials: encode validity time as attribute
→ no additional effort for verifier; if credential is valid → no need to check revocation updates from issuer
Revocation: Zeroth Solution – Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; issuer chooses $e, s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$, returning $(c, e, s'')$
Idea: just repeat the last step for each new time $time_i$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Choose $e_i, s_i''$; $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
- Recall z = v^(Π e_i) mod n
- Thus z' = z^(e_new) mod n
- But then all witnesses are no longer valid, i.e., they need to be updated: x' = x^(e_new) mod n
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing e_rev is revoked:
- Now z' = v^(Π_(i ≠ rev) e_i) = z^(1/e_rev) mod n
- Witness:
  • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  • now x' = x^b z'^a mod n
  • why? x'^(e_own) = ((x^b z'^a)^(e_own))^(e_rev · 1/e_rev) mod n
    = ((x^b z'^a)^(e_own · e_rev))^(1/e_rev) mod n
    = ((x^(e_own))^(b·e_rev) (z'^(e_rev))^(a·e_own))^(1/e_rev) mod n
    = (z^(b·e_rev) z^(a·e_own))^(1/e_rev) mod n
    = z^(1/e_rev) mod n = z'  :-)
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of n
When a new user gets a certificate containing e_new:
- Recall z = v^(Π e_i) mod n
- Actually v never occurs anywhere, so set v' = v^(1/e_new) mod n and x = z^(1/e_new) mod n
- Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
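The dynamic accumulator of the preceding slides as an added Python example (constructed here, not code from the slides or from Identity Mixer): accumulate prime serial numbers, verify a witness, let a member join the public way (z and every witness change) and the improved way (the issuer takes an e_new-th root and z stays fixed), and revoke a member with the extended-Euclid witness update. The modulus, seed and serial numbers are constructed toy values.

```python
"""Toy dynamic RSA accumulator for credential revocation (constructed example)."""
from functools import reduce

# Constructed toy key setup: RSA modulus n = p*q (factorisation known to the
# issuer only) and a public seed v. Tiny primes: NOT secure, illustration only.
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
V = 4                       # seed v, a quadratic residue mod n

def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - qt * s1
        t0, t1 = t1, t0 - qt * t1
    return a, s0, t0

def mod_pow(base, exp, n):
    """base^exp mod n, allowing a negative exp (inverse via ext_gcd)."""
    if exp < 0:
        g, inv, _ = ext_gcd(base % n, n)
        assert g == 1, "base not invertible mod n"
        base, exp = inv % n, -exp
    return pow(base, exp, n)

def accumulate(values, v=V, n=N):
    """z = v^(prod e_i) mod n; the e_i are the (prime) serial numbers."""
    return reduce(lambda acc, e: pow(acc, e, n), values, v)

def witness(values, e_j, v=V, n=N):
    """x = v^(product of all e_i except e_j) mod n, so that x^e_j == z."""
    return accumulate([e for e in values if e != e_j], v, n)

def verify(z, x, e, n=N):
    """Verifier's check: witness x shows that e is contained in z."""
    return pow(x, e, n) == z

def add_public(z, witnesses, e_new, n=N):
    """Join without the factorisation: z' = z^e_new and every existing witness
    becomes x' = x^e_new. Returns (z', updated witnesses, newcomer's witness)."""
    updated = {e: pow(x, e_new, n) for e, x in witnesses.items()}
    return pow(z, e_new, n), updated, z   # the old z is the newcomer's witness

def issuer_root(z, e, phi=PHI, n=N):
    """z^(1/e) mod n, computable only with phi(n), i.e. by the issuer."""
    g, d, _ = ext_gcd(e, phi)
    assert g == 1, "e must be coprime to phi(n)"
    return pow(z, d % phi, n)

def add_private(z, e_new):
    """Improved join (issuer knows the factorisation): z stays fixed and the
    newcomer receives x = z^(1/e_new); nobody else has to update anything."""
    return issuer_root(z, e_new)

def revoke(z, e_rev):
    """Issuer removes e_rev by publishing z' = z^(1/e_rev) mod n."""
    return issuer_root(z, e_rev)

def update_witness_after_revoke(x, e_own, z_new, e_rev, n=N):
    """User-side update from the slides: a*e_own + b*e_rev = 1 (extended
    Euclid), then x' = x^b * z'^a, which satisfies x'^e_own == z'."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return (mod_pow(x, b, n) * mod_pow(z_new, a, n)) % n

def demo():
    """Join (both variants), revoke, update; returns the five checks made."""
    members = [5, 13, 17]                     # constructed prime serial numbers
    z = accumulate(members)
    wit = {e: witness(members, e) for e in members}
    ok_initial = all(verify(z, wit[e], e) for e in members)
    # 19 joins the public way: z and all existing witnesses change.
    z, wit, x_19 = add_public(z, wit, 19)
    wit[19] = x_19
    members.append(19)
    ok_public_join = all(verify(z, wit[e], e) for e in members)
    # 29 joins the improved way: z is unchanged, old witnesses still verify.
    wit[29] = add_private(z, 29)
    members.append(29)
    ok_private_join = all(verify(z, wit[e], e) for e in members)
    # Revoke 13: the issuer publishes z'; everyone else updates their witness.
    z_new = revoke(z, 13)
    stale = dict(wit)
    for e in members:
        if e != 13:
            wit[e] = update_witness_after_revoke(stale[e], e, z_new, 13)
    ok_survivors = all(verify(z_new, wit[e], e) for e in members if e != 13)
    revoked_fails = not verify(z_new, stale[13], 13)
    return ok_initial, ok_public_join, ok_private_join, ok_survivors, revoked_fails
```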
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
- no additional effort for the verifier
- if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
- User sends U = a1^(m1) a2^(m2) b^s
- Issuer chooses e, s'' and computes c = (d / (U a3^(m3) a4^(time) b^(s'')))^(1/e) mod n
- Issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
- Choose e_i, s_i''
- c_i = (d / (U a3^(m3) a4^(time_i) b^(s_i'')))^(1/e_i) mod n
Update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)
Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell
Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code
- github.com/p2abcengine & abc4trust.eu/idemix
References
- D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
- S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
- Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
- Camenisch and Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
- Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
- Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
- Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
- M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
- E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
- Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
- J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
- David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
- David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
- David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
- J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
- Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
- D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
- T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Commitment Scheme: Security
(Figure: hiding, i.e. for all messages m and m' the commitments look alike.)
Commitment Schemes
Group G = <g> = <h> of order q
To commit to an element x ∈ Z_q:
• Pedersen (perfectly hiding, computationally binding): choose r ∈ Z_q and compute c = g^x h^r
• ElGamal (computationally hiding, perfectly binding): choose r ∈ Z_q and compute c = (g^x h^r, g^r)
To open a commitment:
• reveal x and r to the verifier
• the verifier checks if c = g^x h^r
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
Let c be a commitment and u = log_g h.
Thus c = g^x h^r = g^(x+ur) = g^((x+ur) + u(r'-r')) = g^(x+ur') h^(r-r') for any r'.
I.e., given c and x', there exists r' such that c = g^(x') h^(r').
Computationally binding:
Let c, (x, r) and (x', r') s.t. c = g^x h^r = g^(x') h^(r').
Then g^(x-x') = h^(r'-r) and u = log_g h = (x-x') / (r'-r) mod q.
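Both arguments of this slide as an added Python example (constructed, not code from the slides): equivocate() realises the hiding argument (for every x' an r' exists; here it is found with the trapdoor u) and extract_log() the binding argument (two openings of one commitment yield log_g h). The group parameters are constructed toy values, and the brute-force discrete_log() stands in for a trapdoor that a real committer must not have.

```python
"""Pedersen commitments in a toy prime-order group (constructed example)."""

# Constructed toy group: the order-q subgroup of Z_p^* for the safe prime
# p = 2q + 1. g and h are quadratic residues, so each generates the subgroup,
# and u = log_g h is meant to be unknown to the committer. NOT secure sizes.
P, Q = 2039, 1019
G, H = 4, 9

def commit(x, r, g=G, h=H, p=P):
    """Pedersen commitment c = g^x h^r mod p (perfectly hiding, comp. binding)."""
    return (pow(g, x, p) * pow(h, r, p)) % p

def open_ok(c, x, r):
    """Verifier's check of an opening (x, r)."""
    return commit(x, r) == c

def elgamal_commit(x, r, g=G, h=H, p=P):
    """ElGamal variant (g^x h^r, g^r): the second part pins r, hence binding."""
    return commit(x, r, g, h, p), pow(g, r, p)

def discrete_log(h, g=G, p=P, q=Q):
    """Brute-force log_g h, feasible only because the toy q is tiny. It plays
    the role of the trapdoor a committer must NOT have in a real setup."""
    for u in range(q):
        if pow(g, u, p) == h:
            return u
    raise ValueError("h is not in <g>")

def equivocate(x, r, x_new, u, q=Q):
    """Perfect hiding as on the slide: c = g^(x+ur), so for any x' there is an
    r' with x' + u*r' = x + u*r, namely r' = r + (x - x')/u mod q."""
    return (r + (x - x_new) * pow(u, q - 2, q)) % q   # q prime: u^-1 = u^(q-2)

def extract_log(x, r, x2, r2, q=Q):
    """Binding argument: two openings of one c give g^(x-x2) = h^(r2-r), so
    log_g h = (x - x2) / (r2 - r) mod q. Breaking binding = computing the log."""
    return ((x - x2) * pow((r2 - r) % q, q - 2, q)) % q

def binding_demo(x=42, r=7, x2=1000):
    """With the trapdoor u the commitment opens to x2 as well, and the two
    openings leak u back; returns (second opening valid, recovered u == u)."""
    c = commit(x, r)
    u = discrete_log(H)
    r2 = equivocate(x, r, x2, u)
    return open_ok(c, x2, r2), extract_log(x, r, x2, r2) == u
```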
Commitment Scheme: Extended Features
(Figure: proof of knowledge of contents, and proof of relations among contents, e.g. m = 2·m'.)
Commitment Scheme: Extended Features
Let C1 = g^m h^r and C2 = g^(m') h^(r'); then
- proof of knowledge of contents: PK{(α, β): C1 = g^β h^α}
- proof of a relation among contents: PK{(α, β, γ): C1 = g^β h^α ∧ C2 = (g^2)^β h^γ}
Putting Things Together
Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
- Choose random r ∈ Z_q
- Compute Nym = g^sk h^r
Concept: Credentials
Privacy-protecting authentication with Privacy-ABCs: like PKI, but better
(Figure: issuing a credential, e.g. with the attributes Name = Alice Doe, Birth date = April 3, 1997.)
Realizing Issuance of Credential
Recall a signature (c, e, s) on messages m1, ..., mk:
- m1, ..., mk ∈ {0,1}^ℓ
- e > 2^(ℓ+1)
- d = c^e a1^(m1) ··· ak^(mk) b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a1^sk a2^(m2) ··· ak^(mk) b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
(Figure: the signer gets commitments to m1, ..., mj and the clear messages mj+1, ..., mk, and outputs σ = sig(commitments to (m1, ..., mj), (mj+1, ..., mk)); still ver(σ, (m1, ..., mk)) = true.)
Verification remains unchanged.
Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about m1, ..., mj
• forgery is w.r.t. the message = clear parts and the openings of the commitments
Realizing Issuance of Credential
Issuer public key: (n, a_i, b, d). The user holds sk; the attribute name is shown to the issuer.
1. User → Issuer: C = a1^sk b^s and name, together with the proof PK{(μ1, σ): C = a1^μ1 b^σ}
2. Issuer chooses e, s'' and computes c = (d / (C a2^name b^(s'')))^(1/e) mod n
3. Issuer → User: (c, e, s'')
4. The resulting credential satisfies d = c^e a1^sk a2^name b^(s'' + s) (mod n)
Realizing Issuance of Credential
Want to sign w.r.t. Nym = g^sk h^r
Issuer public key: (n, a_i, b, d)
1. User → Issuer: C = a1^sk a2^r b^s, Nym and name, together with the proof PK{(μ1, ρ, σ): Nym = g^μ1 h^ρ ∧ C = a1^μ1 a2^ρ b^σ}
2. Issuer chooses e, s'', computes c = (d / (C a3^name b^(s'')))^(1/e) mod n, and stores (Nym, name)
3. Issuer → User: (c, e, s'')
4. The resulting credential satisfies d = c^e a1^sk a2^r a3^name b^(s'' + s) (mod n)
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
- Only registered users (e.g., students who took a course) can voice an opinion (e.g., course evaluation)
- A user can voice an opinion only once (subsequent attempts are dropped)
- Users want to be anonymous
- A user's opinions in different polls must not be linkable
Polling – Solution: Registration
Issuer public key: (n, a1, a2, b, d)
- User generates a pseudonym (ID for registration)
- User obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with d = c^e a1^sk a2^r a3^attr b^s (mod n)
- The credential can contain attributes (e.g., course ID) about her
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. User sends the transformed credential with a subset of the attributes
- User is anonymous and unlinkable
- Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym P = g_d^sk = H(pollID)^sk
   P1 = H(pollID1)^sk and P2 = H(pollID2)^sk are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
   - c' = c b^(s') mod n with randomly chosen s'
   - SPK{(ε, μ1, μ2, μ3, σ): P = g_d^μ1 ∧ d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}(opinion)
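The domain pseudonym step as an added Python example (constructed, not code from the slides or from Identity Mixer): P = H(pollID)^sk over a toy prime-order group, with a pollster that drops a second opinion coming from the same pseudonym. The credential proof SPK that accompanies P is assumed to be handled elsewhere; the group parameters and user keys are constructed toy values.

```python
"""Domain pseudonyms for the polling scenario (constructed example)."""
import hashlib

# Constructed toy group: the order-q subgroup of Z_p^* with p = 2q + 1.
# NOT a secure size; the credential proof (SPK) is out of scope here.
P, Q = 2039, 1019

def hash_to_group(domain, p=P):
    """g_d = H(pollID): hash into Z_p^*, then square so the result lies in the
    order-q subgroup (retry with a counter in the rare case the square is 1)."""
    counter = 0
    while True:
        data = f"{domain}|{counter}".encode()
        digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
        g_d = pow(digest % (p - 1) + 1, 2, p)
        if g_d != 1:
            return g_d
        counter += 1

def domain_pseudonym(sk, poll_id, p=P):
    """P = g_d^sk with g_d = H(pollID): fixed per (user, poll), fresh per poll."""
    return pow(hash_to_group(poll_id), sk, p)

class Pollster:
    """Accepts each domain pseudonym once per poll; repeated opinions are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.opinions = {}          # domain pseudonym -> opinion

    def submit(self, pseudonym, opinion):
        if pseudonym in self.opinions:
            return False            # second attempt from the same credential
        self.opinions[pseudonym] = opinion
        return True

def scenario():
    """Alice votes twice (second dropped), Bob once; Alice's pseudonym in a
    second poll is another group element. Returns the checks made."""
    alice_sk, bob_sk = 123, 456     # constructed user secret keys
    course = Pollster("course-eval-2015")
    p_alice = domain_pseudonym(alice_sk, course.poll_id)
    p_bob = domain_pseudonym(bob_sk, course.poll_id)
    first = course.submit(p_alice, "great lectures")
    second = course.submit(p_alice, "terrible lectures")   # dropped
    bob = course.submit(p_bob, "fine")
    # Same Alice, other poll: unlinkable under DDH. In this toy group the two
    # bases H(pollID) can collide with probability about 1/q, so this last
    # value is informative only.
    other = domain_pseudonym(alice_sk, "canteen-survey-2015")
    return first, second, bob, p_alice != p_bob, len(course.opinions), other != p_alice
```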
Further Concepts
Concept – Inspection
(Figure: user, verifier and an off-line TTP; inspector parameters and inspection grounds.)
• If the car is damaged, the ID needs to be retrieved (with the insurance or the government)
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption
(Figure: key generation, encryption, decryption.)
Security: Like Envelopes
No information about the message is revealed.
(Figure: a ciphertext does not reveal which of two messages it contains.)
This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label yields a new ciphertext.
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
- choose random r ∈ {1, ..., q}
- compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c1, c2):
- we know c = (y^r m, g^r) = (g^(xr) m, g^r)
- thus set m = c1 c2^(-x) = y^r m g^(-xr) = y^(r-r) m = m
Realizing Inspection
User: Nym = g^sk h^r and a credential with d = c^e a1^sk a2^r a3^name b^(s'' + s) (mod n)
Inspector: secret key x, public key y = g^x
Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u Nym, g^u) = (e1, e2)
Compute the proof token (presentation token):
- compute c' = c b^t mod n with randomly chosen t
- compute the proof PK{(ε, μ1, μ2, μ3, ρ, σ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
Revocation of Credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation info; the verifier looks it up.)
Various reasons to revoke a credential: the user lost the credential or the secret key, misbehavior of the user
Alice should be able to convince the verifier that her credential is among the good ones
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a1^sk a2^(u_i) b^(s'' + s) (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k)
Alice proves that her u_i is on the list:
- Choose random g
- Compute U_j = g^(u_j) for each u_j in (u_1, ..., u_k)
- Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ ... ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a1^sk a2^(u_i) b^(s'' + s) (mod n)
Publish the list of all invalid u_i's: (u_1, ..., u_k)
Alice proves that her u_i is not on the list:
- Choose random h and compute U = h^(u_i)
- Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
- Verifier checks that U ≠ h^(u_j) for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
- Can pre-compute the list U_i = h^(u_i) → single table lookup
- BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
- One way out: h = H(verifier, date), so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
Revocable Credentials: Second Solution
... a better implementation of the proof
- The issuer signs the intervals between revoked serial numbers: revocation list {1, 4, 5} → Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)
- The user proves that her credential contains a serial number s lying in a signed interval, i.e., i < s < j and Sig(i, j) (figure: s = 3)
- The verifier does not learn i, j
- Sig(i, j) can also be realised with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
(Figure: accumulator holding the serial numbers 1 to 6; the user with serial number 2 proves that her credential contains 2 and that 2 is included in the accumulator.)
- Credentials contain a random serial number
- The issuer accumulates all good serial numbers
- The proof requires a witness
Revocable Credentials: Third Solution
Using cryptographic accumulators
(Figure: to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials; a proof for 2 would require a witness, which is no longer available.)
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators
Key setup: RSA modulus n, seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2014 IBM CorporationAugust 11 2015
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hiding
Let c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2014 IBM CorporationAugust 11 2015
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s''+s'} (mod n)
Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
– choose random g
– compute U_j = g^{u_j} for each u_j in (u_1, …, u_k)
– prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g. d = c^e a1^{sk} a2^{u_i} b^{s''+s'} (mod n)
Publish the list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
– choose random h and compute U = h^{u_i}
– prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
– the verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable

Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– it can pre-compute the list U_i = h^{u_i} → single table lookup
– BUT if the user comes again, the verifier can link the two visits; ALSO the verifier could decide not to change h at all, or to use the same h as other verifiers
– one way out: h = H(verifier, date), so the user can check its correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
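The verifier side of the second solution and its variation, as an added example that is not from the deck or from the Identity Mixer code: the verifier derives h = H(verifier, date), pre-computes the table {h^{u_j}} for the revoked IDs once per h, and accepts a presentation U = h^{u_i} with a single lookup. The zero-knowledge proof that u_i is the ID signed inside the credential is omitted, and the example adds what the slide only states: a verifier that keeps h fixed sees the same U from the same user on every visit, while a date-bound h gives unrelated U values across dates. The modulus (the Mersenne prime 2^127 - 1), the verifier name and the ID values are constructed for the demo.

```python
import hashlib

# Toy modulus constructed for this demo: the Mersenne prime 2^127 - 1.  Any group
# works for the table check; a deployment uses the credential system's own group.
P = 2**127 - 1


def hash_to_group(*parts):
    """h = H(verifier, date): derive the base from public data so that the user
    can recompute it and detect a verifier that reuses an old h."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 2) + 2  # in [2, p-1]


def revoked_table(h, revoked_ids):
    """Verifier's linear work, done once per h: {h^{u_j} : u_j revoked}."""
    return {pow(h, u, P) for u in revoked_ids}


def present(h, own_id):
    """User side: U = h^{u_i}.  In the slides this is sent together with the ZK
    proof that u_i is the ID inside the credential (omitted here)."""
    return pow(h, own_id, P)


def accept(U, table):
    """Single table lookup: accept iff U matches no revoked ID."""
    return U not in table


class Verifier:
    """A verifier that either rotates h per date (rotate_h=True) or keeps one h."""

    def __init__(self, verifier_id, revoked_ids, rotate_h=True):
        self.id = verifier_id
        self.revoked = list(revoked_ids)
        self.rotate_h = rotate_h
        self.seen = {}        # U -> number of visits: the linking record a curious verifier keeps
        self._tables = {}     # h -> pre-computed revoked table

    def h_for(self, date):
        return hash_to_group(self.id, date if self.rotate_h else "fixed")

    def check(self, date, U):
        h = self.h_for(date)
        if h not in self._tables:
            self._tables[h] = revoked_table(h, self.revoked)
        self.seen[U] = self.seen.get(U, 0) + 1
        return accept(U, self._tables[h])
```

With rotate_h=True the seen dictionary never accumulates repeats for an honest user, which is the property the h = H(verifier, date) variation is meant to give; with a fixed h the same dictionary links visits.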
Revocable Credentials: Second Solution
… better implementation of the proof
Issuer signs the intervals between revoked values: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
→ revocation list {1, 4, 5}
Alice's credential contains u_i (in the figure: 3); she proves that she holds some Sig(i,j) with i < u_i < j (here Sig(1,4))
Verifier does not learn i, j
Sig(i,j) can be realised also with the credential signature scheme, using a different public key
[Figure: interval signatures Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a credential containing 3 together with the signature Sig(1,4)]
Revocable Credentials: Third Solution
Using cryptographic accumulators
– credentials contain a random serial number
– the issuer accumulates all good serial numbers
– the proof that a credential's serial number is included in the accumulator requires a witness
[Figure: accumulator containing the serial numbers 1 to 6; the credential with serial number 2 proves that 2 is included, using its witness]

Revocable Credentials: Third Solution
Using cryptographic accumulators
– to revoke credential 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
[Figure: the accumulator after the revocation of 2; a proof for 2 would require a witness that no longer exists]
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators
Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– the witness value x for e_j, s.t. z = x^{e_j} mod n, can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n

Revocable Credentials: Third Solution
Security of the accumulator: show (x, e) s.t. z = x^e mod n for an e that is not contained in the accumulator
– for fixed e: equivalent to the RSA assumption
– for any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets the witness x with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go

Revocable Credentials: Third Solution
Prove that your key is in the accumulator
– commit to x:
  • choose random s and g, and
  • compute U1 = x · h^s, U2 = g^s and reveal U1, U2, g
– run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ z = U1^μ (1/h)^ξ (mod n) ∧ 1 = U2^μ (1/g)^ξ (mod n) ∧ U2 = g^δ (mod n)}

Revocable Credentials: Third Solution
Analysis
– no information about x and e is revealed:
  • (U1, U2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– the proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
  b) z = U1^μ (1/h)^ξ = U1^μ (1/h)^{δμ} = (U1 · h^{-δ})^μ (mod n)
  c) d = c^ε a1^ρ a2^μ b^σ (mod n)

Revocation: Third Solution
Dynamic Accumulator: when a new user gets a certificate containing e_new
– recall z = v^{Π e_i} mod n
– thus z' = z^{e_new} mod n
– but then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n

Revocation: Third Solution
Dynamic Accumulator: when a certificate containing e_rev is revoked
– now z' = v^{Π_{i≠rev} e_i} = z^{1/e_rev} mod n
– witness:
  • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1
  • now x' = x^b · z'^a mod n
  • why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b z'^a)^{e_own · e_rev})^{1/e_rev} mod n
    = ((x^{e_own})^{b·e_rev} · (z'^{e_rev})^{a·e_own})^{1/e_rev} mod n
    = (z^{b·e_rev} · z^{a·e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)

Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n: when a new user gets a certificate containing e_new
– recall z = v^{Π e_i} mod n
– actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
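The accumulator slides above (setup, membership check, the dynamic add and revoke steps with the extended-Euclid witness update, and the improved trapdoor variant), as an added example that is not from the deck or from the Identity Mixer code. The modulus n = 10007 · 10009, the seed v = 7 and the prime values are constructed for the demo; a real accumulator uses a 2048-bit or larger modulus and works in the quadratic residues. The zero-knowledge proof that a committed value is in the accumulator is not implemented here; the witnesses are checked in the clear.

```python
# Toy modulus constructed for this demo: n = 10007 * 10009 (both prime).  The
# issuer's phi(n) is kept only to show the "improved" trapdoor variant.
P_FACTOR, Q_FACTOR = 10007, 10009
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
V = 7                                   # seed v, coprime to n


def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def inv_mod(a, m):
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("not invertible")
    return s % m


def powmod(base, exp, m):
    """pow() that also accepts a negative exponent (the Euclid coefficient may be < 0)."""
    return pow(inv_mod(base, m), -exp, m) if exp < 0 else pow(base, exp, m)


def accumulate(values):
    """z = v^(prod e_i) mod n; the issuer publishes z and n."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j):
    """x = v^(prod_{i != j} e_i) mod n, so that x^{e_j} = z."""
    x = V
    for e in values:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, witnesses, e_new):
    """Join without trapdoor: z' = z^{e_new}, and every old witness x' = x^{e_new}."""
    return pow(z, e_new, N), {e: pow(x, e_new, N) for e, x in witnesses.items()}


def revoke_member(values, e_rev):
    """Issuer publishes z' = v^(prod_{i != rev} e_i) = z^{1/e_rev} mod n."""
    return accumulate([e for e in values if e != e_rev])


def update_witness(x, z_new, e_own, e_rev):
    """Holder of e_own refreshes her witness after e_rev was revoked:
    a*e_own + b*e_rev = 1 (extended Euclid), x' = x^b * z'^a mod n,
    and then x'^{e_own} = z'^{b*e_rev} * z'^{a*e_own} = z'."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated values must be distinct primes")
    return powmod(x, b, N) * powmod(z_new, a, N) % N


def trapdoor_witness(z, e_new):
    """Improved variant: an issuer who knows phi(n) hands out x = z^{1/e_new}
    directly, so z and the other witnesses stay unchanged when a member joins."""
    return pow(z, inv_mod(e_new, PHI), N)
```

Note what each party needs: the holder updates her witness from public data only (z' and the revoked e_rev), whereas the trapdoor join requires the issuer's factorization, which is why only the issuer can run trapdoor_witness.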
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer

Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– the user sends U = a1^{m1} a2^{m2} b^{s'}
– the issuer chooses e, s'' and computes c = (d / (U · a3^{m3} a4^{time} b^{s''}))^{1/e} mod n
– the user receives (c, e, s'')

Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period time_i
– choose e_i, s_i''
– c_i = (d / (U · a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
The update information (c_i, e_i, s_i'') can be pushed to the user by many different means
Conclusions
Roadmap
– explain possibilities to engineers, policy makers, etc.
– usable prototypes
– provide transparency
– public infrastructure for privacy protection
– laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– end users are not able to handle their data (user interfaces)
– security technology is typically invisible and hard to sell
Towards a secure information society
– society changes quickly and gets shaped by technology
– consequences are hard to grasp (time will show)
– we must inform and engage in a dialog
Thank you!
E-mail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse, J. van de Graaf: An improved protocol for demonstrating possession of discrete logarithms and some generalizations. EUROCRYPT '87, LNCS vol. 304, pp. 127–141, Springer-Verlag, 1988
– S. Brands: Rapid demonstration of linear relations connected by boolean operators. EUROCRYPT '97, LNCS vol. 1233, pp. 318–333, Springer-Verlag, 1997
– M. Bellare: Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– Camenisch, Lysyanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag
– Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag
– J. Camenisch, N. Casati, T. Gross, V. Shoup: Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276
– J. Camenisch, M. Dubovitskaya, G. Neven: Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140
– M. Bellare, C. Namprempre, D. Pointcheval, M. Semanko: The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185–215, Springer-Verlag, 2003
– E. Bangerter, J. Camenisch, A. Lysyanskaya: A Cryptographic Framework for the Controlled Release of Certified Data. Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands: Untraceable Off-line Cash in Wallets with Observers. CRYPTO '93, Springer-Verlag, 1993
– J. Camenisch, A. Lysyanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981
– D. Chaum: Blind Signatures for Untraceable Payments. CRYPTO '82, 1983
– D. Chaum: Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985
– J. Camenisch, V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144
– V. Shoup: A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
– D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988
– T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. CRYPTO '84
Pedersen's Commitment Scheme
Choose r ∈ Z_q and compute c = g^x h^r
Perfectly hiding:
– let c be a commitment and u = log_g h
– thus c = g^x h^r = g^{x+ur} = g^{(x+ur')+u(r-r')} = g^{x+ur'} h^{r-r'} for any r'
– i.e. given c and any x' there exists an r' such that c = g^{x'} h^{r'}
Computationally binding:
– let c, (x, r) and (x', r') be s.t. c = g^x h^r = g^{x'} h^{r'}
– then g^{x-x'} = h^{r'-r} and u = log_g h = (x-x') / (r'-r) mod q
Commitment Scheme: Extended Features
Proof of knowledge of contents: the prover, holding a commitment to m, convinces the verifier that she knows the committed m ("Proof: m" → true)
Proof of relations among contents: given commitments to m and m', the prover convinces the verifier that m' = 2·m ("Proof: m' = 2·m" → true)
Let C = g^m h^r and C' = g^{m'} h^{r'}; then
– PK{(α, β): C = g^β h^α}
– PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ}
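The Pedersen slide and the extended-features slide above, as an added example that is not from the deck or from the Identity Mixer code: commit, the perfect-hiding argument made concrete (whoever knows u = log_g h can reopen a commitment to any value, here found by brute force because the group is tiny), the binding argument as an extractor (two openings of one commitment yield u), and the relation proof PK{(α, β, γ): C = g^β h^α ∧ C' = (g^2)^β h^γ} via Fiat-Shamir, which contains the proof of knowledge of contents as its first equation. The group p = 2039, q = 1019, g = 4, h = 9 is constructed for the demo and is not a secure parameter set.

```python
import hashlib
import secrets

# Toy group constructed for this demo: p = 2q + 1 = 2039, q = 1019;
# g = 2^2 and h = 3^2 generate the order-q subgroup.  Real parameters are
# thousands of bits, and log_g(h) must be unknown to everybody.
P, Q, G, H = 2039, 1019, 4, 9


def commit(x, r):
    """Pedersen commitment c = g^x h^r with r random in Z_q."""
    return pow(G, x, P) * pow(H, r, P) % P


def inv_q(a):
    """Inverse in Z_q (q prime)."""
    return pow(a % Q, Q - 2, Q)


def toy_dlog(base, target):
    """Brute-force log_base(target); only feasible because the group is tiny."""
    acc = 1
    for k in range(Q):
        if acc == target:
            return k
        acc = acc * base % P
    raise ValueError("target not in the subgroup")


def equivocate(x, r, x_new, u):
    """Perfect hiding: anyone who knows u = log_g h can open c = g^x h^r to any
    x_new by choosing r_new = r + (x - x_new)/u, since then g^x_new h^r_new = c."""
    return (r + inv_q(u) * (x - x_new)) % Q


def extract_dlog(x, r, x2, r2):
    """Computational binding: two different openings of one commitment give
    u = log_g h = (x - x2)/(r2 - r) mod q, i.e. they break the DL problem."""
    return (x - x2) * inv_q(r2 - r) % Q


def _challenge(*parts):
    """Fiat-Shamir challenge, a full 256-bit integer."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_double(m, r, r2):
    """PK{(alpha, beta, gamma): C = g^beta h^alpha  and  C' = (g^2)^beta h^gamma}
    for C = g^m h^r and C' = g^(2m) h^r2: proves that C' commits to twice the
    value in C (the m' = 2*m relation from the slides) without opening either."""
    C, C2 = commit(m, r), commit(2 * m, r2)
    k_b, k_a, k_g = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(G, k_b, P) * pow(H, k_a, P) % P
    t2 = pow(G, 2 * k_b, P) * pow(H, k_g, P) % P
    c = _challenge(C, C2, t1, t2)
    return C, C2, (c, (k_b + c * m) % Q, (k_a + c * r) % Q, (k_g + c * r2) % Q)


def verify_double(C, C2, proof):
    """Recompute t1, t2 from the responses and re-derive the challenge."""
    c, s_b, s_a, s_g = proof
    neg_c = (-c) % Q
    t1 = pow(G, s_b, P) * pow(H, s_a, P) * pow(C, neg_c, P) % P
    t2 = pow(G, 2 * s_b, P) * pow(H, s_g, P) * pow(C2, neg_c, P) % P
    return c == _challenge(C, C2, t1, t2)
```

The same response s_b is used in both equations, which is exactly what ties the exponent of g in C to the exponent of g^2 in C'; a prover who committed to anything other than 2m in C' cannot produce responses that satisfy both checks.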
Putting things together

Realizing Pseudonyms and Key Binding
Let G = <g> = <h> of order q
User's secret key: random sk ∈ Z_q
To compute a pseudonym Nym:
– choose random r ∈ Z_q
– compute Nym = g^{sk} h^r

Like PKI, but better
Privacy-protecting authentication with Privacy-ABCs
Concept: credentials
[Figure: issuing a credential; example credential with Name = Alice Doe, Birth date = April 3, 1997]
Realizing Issuance of a Credential
Recall: a signature (c, e, s) on messages m1, …, mk
– m1, …, mk ∈ {0,1}^ℓ
– e > 2^{ℓ+1}
– d = c^e a1^{m1} ··· ak^{mk} b^s mod n
Problem: the pseudonym is not in the message space
Solution: sign the secret key instead
→ d = c^e a1^{sk} a2^{m2} ··· ak^{mk} b^s mod n
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages
The signer receives commitments to the hidden messages m1, …, mj together with the clear messages (m_{j+1}, …, mk) and outputs σ = sig(commitments to (m1, …, mj), (m_{j+1}, …, mk)); still ver(σ, (m1, …, mk)) = true
Verification remains unchanged
Security requirements are basically the same as for signatures, but
• the signer should not learn any information about m1, …, mj
• forgery is defined w.r.t. the message: the clear parts and the openings of the commitments
Realizing Issuance of a Credential
Issuer's public key: n, a_i, b, d
– User: chooses random s' and computes C = a1^{sk} b^{s'}
– User → Issuer: C, name, and the proof PK{(μ1, σ): C = a1^{μ1} b^σ}
– Issuer: chooses e, s'' and computes c = (d / (C · a2^{name} · b^{s''}))^{1/e} mod n
– Issuer → User: (c, e, s'')
– User: now holds d = c^e a1^{sk} a2^{name} b^{s''+s'} (mod n)

Realizing Issuance of a Credential
Issuer's public key: n, a_i, b, d. Want to sign w.r.t. Nym = g^{sk} h^r
– User: computes Nym = g^{sk} h^r and C = a1^{sk} a2^r b^{s'}
– User → Issuer: C, Nym, name, and the proof PK{(μ1, ρ, σ): Nym = g^{μ1} h^ρ ∧ C = a1^{μ1} a2^ρ b^σ}
– Issuer: stores Nym, name; chooses e, s'' and computes c = (d / (C · a3^{name} · b^{s''}))^{1/e} mod n
– Issuer → User: (c, e, s'')
– User: now holds d = c^e a1^{sk} a2^r a3^{name} b^{s''+s'} (mod n)
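The issuance slides above and the zeroth revocation solution earlier in the deck (re-issuing the signature with the validity period as an attribute), as an added example that is not from the deck or from the Identity Mixer code. The user hides sk in U = a1^sk a2^r b^s'; the issuer, who knows the factorization of n, takes the e-th root and returns (c, e, s''); the holder checks d = c^e a1^sk a2^r a3^name a4^time b^{s'+s''} mod n; for each new period the issuer repeats that last step with a fresh prime e_i. The proof that U is well formed is omitted, and n = 10007 · 10009, the bases, the attribute values and the primes 65537, 65539, 65543 are constructed for the demo (the real scheme uses a large modulus and e > 2^{ℓ+1}). Requires Python 3.8+ for pow(x, -1, m).

```python
import secrets

# Toy issuer key constructed for this demo: n = 10007 * 10009 (both prime), so
# that the issuer's trapdoor phi(n) is available for the e-th root.  The public
# bases are squares (elements of QR_n) as in the real scheme.
P_FACTOR, Q_FACTOR = 10007, 10009
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
A1, A2, A3, A4, B, D = (pow(x, 2, N) for x in (3, 5, 11, 13, 17, 19))


def user_commit(sk, r, s_prime):
    """User: U = a1^sk a2^r b^s'.  The issuer receives U (plus, in the slides, the
    proof PK{(mu1, rho, sigma): Nym = g^mu1 h^rho and U = a1^mu1 a2^rho b^sigma},
    omitted here) and never learns sk or r."""
    return pow(A1, sk, N) * pow(A2, r, N) * pow(B, s_prime, N) % N


def issue(U, name, time, e):
    """Issuer: choose s'' and compute c = (d / (U a3^name a4^time b^s''))^(1/e) mod n.
    The e-th root needs 1/e mod phi(n), i.e. the factorization of n; e must be
    coprime to phi(n) (a prime > 2^(l+1) in the real scheme)."""
    s2 = secrets.randbelow(N)
    base = U * pow(A3, name, N) * pow(A4, time, N) * pow(B, s2, N) % N
    c = pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def verify_credential(c, e, s, sk, r, name, time):
    """Holder's check of the signature (c, e, s) with s = s' + s'':
    d == c^e a1^sk a2^r a3^name a4^time b^s mod n.  A verifier later sees this
    equation only inside a zero-knowledge proof, with the time attribute opened."""
    lhs = (pow(c, e, N) * pow(A1, sk, N) * pow(A2, r, N)
           * pow(A3, name, N) * pow(A4, time, N) * pow(B, s, N)) % N
    return lhs == D


def issue_updates(U, name, periods, primes):
    """Zeroth solution: for every new validity period time_i repeat the last
    issuing step with a fresh prime e_i and s_i''.  The returned dictionary
    {time_i: (c_i, e_i, s_i'')} is the update information pushed to the user."""
    return {t: issue(U, name, t, e) for t, e in zip(periods, primes)}
```

Because the period is an exponent of a4 inside the signature, a signature for period t simply fails to verify for period t+1; the verifier needs no revocation data from the issuer, which is the point of the zeroth solution.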
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation)
– a user can voice an opinion only once (subsequent attempts are dropped)
– users want to be anonymous
– a user's opinions in different polls must not be linkable

Polling – Solution: Registration
User generates a pseudonym (ID for registration)
User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with d = c^e a1^{sk} a2^r a3^{attr} b^s (mod n)
The credential can contain attributes (e.g. course ID) about her
Issuer's public key: (n, a1, a2, b, d)

Polling – Solution: Submit Poll
1. User generates the domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– the user is anonymous and unlinkable
– multiple opinions are detected because of the uniqueness of the domain pseudonym

Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
   P1 = H(pollID1)^{sk} and P2 = H(pollID2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
– c' = c · b^s mod n with randomly chosen s
– SPK{(ε, μ1, μ2, μ3, σ): P = g_d^{μ1} ∧ d = c'^ε a1^{μ1} a2^{μ2} a3^{μ3} b^σ (mod n) ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
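The domain pseudonym P = H(pollID)^sk from the polling slides, as an added example that is not from the deck or from the Identity Mixer code: the pseudonym is deterministic per (user, poll), so the pollster can drop a second opinion from the same user with a set lookup, while the pseudonyms of one user in two polls are unrelated group elements. The SPK over the transformed credential that binds P to the user's sk is not implemented; the pollster takes the pseudonym as already verified. The modulus (the Mersenne prime 2^127 - 1), the poll identifiers and the secret keys are constructed for the demo; the slides use a prime-order group where DDH holds.

```python
import hashlib

# Toy modulus constructed for this demo: the Mersenne prime 2^127 - 1.  The
# unlinkability argument on the slide needs a prime-order DDH group; any large
# group shows the mechanics.
P = 2**127 - 1


def hash_to_group(domain):
    """g_d = H(pollID): a per-poll base derived from the poll identifier."""
    digest = hashlib.sha256(domain.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2      # in [2, p-1]


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: the same for one user and one poll, unrelated across polls."""
    return pow(hash_to_group(poll_id), sk, P)


class Pollster:
    """Accepts at most one opinion per domain pseudonym; later attempts are dropped."""

    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = set()
        self.opinions = []

    def submit(self, pseudonym, opinion):
        # In the full protocol the pseudonym arrives with the SPK over the
        # transformed credential, which binds it to the user's sk and proves
        # eligibility.  Here the pseudonym is taken as already verified.
        if pseudonym in self.seen:
            return False          # second opinion from the same user: dropped
        self.seen.add(pseudonym)
        self.opinions.append(opinion)
        return True
```

The pollster stores only pseudonyms and opinions; nothing in its state links a pseudonym to the registration pseudonym or to another poll's pseudonym of the same user.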
Further Concepts

Concept – Inspection
Trusted third party (TTP, the inspector) with inspector parameters and inspection grounds
• if the car is damaged, the ID needs to be retrieved with the insurance or the government
• similarly, verifiably encrypt any certified attribute (optional)
• the TTP is off-line and can be distributed to lessen trust
Public Key Encryption
Key generation, encryption, decryption

Security: like envelopes; no information about the message is revealed

Security: like envelopes; the ciphertext of one of two candidate messages must not reveal which one was encrypted. This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of the label is a new ciphertext
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Commitment Scheme: Extended Features
Let C_1 = g^m h^r and C_2 = g^{m'} h^{r'}. Then
– PK{(α, β): C_1 = g^β h^α} proves knowledge of an opening (m, r) of C_1 (figure: "Proof: m")
– PK{(α, β, γ): C_1 = g^β h^α ∧ C_2 = (g^2)^β h^γ} proves that the two committed values satisfy m' = 2·m, without revealing either of them (figure: "Proof: m' = 2·m")
Putting things together
Realizing Pseudonyms and Key Binding
Let G = ⟨g⟩ = ⟨h⟩ be a group of prime order q, with log_g h unknown to the user
– User's secret key: random sk ∈ Z_q
– To compute a pseudonym Nym: choose random r ∈ Z_q and compute Nym = g^{sk} h^r
– Nym is a Pedersen commitment to sk: a fresh r gives a new, unlinkable pseudonym for the same key, and the user can prove knowledge of (sk, r) with PK{(μ, ρ): Nym = g^μ h^ρ}
Like PKI, but better: issuing a credential
Privacy-protecting authentication with Privacy-ABCs – concept: credentials
(Figure: the issuer signs a credential for the user containing the attributes Name = Alice Doe, Birth date = April 3, 1997)
Realizing Issuance of Credential
Recall: a signature (c, e, s) on messages m_1, …, m_k
– m_1, …, m_k ∈ {0,1}^ℓ
– e > 2^{ℓ+1} (a prime)
– d = c^e · a_1^{m_1} ⋯ a_k^{m_k} · b^s (mod n)
Problem: the pseudonym Nym = g^{sk} h^r is a group element, not in the message space {0,1}^ℓ
Solution: sign the secret key instead
→ d = c^e · a_1^{sk} · a_2^{m_2} ⋯ a_k^{m_k} · b^s (mod n)
New problem: how can we sign a secret message? The issuer must not learn sk.
Signature Scheme: Signing Hidden Messages
– The signer receives a commitment to the hidden messages (m_1, …, m_j) together with the clear messages (m_{j+1}, …, m_k) and outputs σ = sig(commit(m_1, …, m_j), m_{j+1}, …, m_k)
– Verification remains unchanged: ver(σ, (m_1, …, m_k)) = true
– Security requirements are basically the same as for signatures, but
   • the signer should not learn any information about m_1, …, m_j
   • a forgery is defined w.r.t. the message consisting of the clear parts and the openings of the commitments
Realizing Issuance of Credential (issuer public key: n, a_i, b, d)
1. User: choose random s, compute the commitment C = a_1^{sk} · b^s (mod n) and send C together with the proof PK{(μ_1, σ): C = a_1^{μ_1} b^σ} to the issuer
2. Issuer: add the clear attribute name, choose a fresh prime e > 2^{ℓ+1} and random s'', and compute
   c = (d / (C · a_2^{name} · b^{s''}))^{1/e} mod n
   (the e-th root requires the factorization of n, i.e. the issuer's secret key); return (c, e, s'')
3. User: check that d = c^e · a_1^{sk} · a_2^{name} · b^{s'' + s} (mod n); the credential is the signature (c, e, s'' + s) on (sk, name), and the issuer never saw sk
Realizing Issuance of Credential (issuer public key: n, a_i, b, d)
Want to sign w.r.t. Nym = g^{sk} h^r:
1. User: compute C = a_1^{sk} · a_2^r · b^s (mod n) and send Nym, C and the proof
   PK{(μ_1, ρ, σ): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^σ}
   which binds the committed (sk, r) to the pseudonym
2. Issuer: store (Nym, name), choose a prime e > 2^{ℓ+1} and random s'', compute c = (d / (C · a_3^{name} · b^{s''}))^{1/e} mod n and return (c, e, s'')
3. User: obtain d = c^e · a_1^{sk} · a_2^r · a_3^{name} · b^{s'' + s} (mod n), i.e. a credential bound to the key behind Nym
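The issuance protocol of the preceding slides, carried through in Python as an added example (this is not code from the deck or from Identity Mixer): the user commits to sk, the issuer takes an e-th root with its trapdoor and adds the clear attribute, and the user completes and verifies the signature; the last function applies the c' = c·b^{s'} transformation that the polling and inspection presentations use later and checks that the transformed credential still verifies. The toy modulus from two Mersenne primes, the message length L = 64, the attribute encoding and all function names are this example's own choices, and the user's zero-knowledge proof of the commitment opening is not implemented. Requires Python 3.8+ for pow(x, -1, m).

```python
import hashlib
import secrets
from math import gcd

# Toy modulus from two known Mersenne primes so the example runs instantly.
# Constructed for illustration only: a real issuer uses a 2048-bit+ modulus
# of two random safe primes and keeps the factorization as its secret key.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)   # issuer secret: lets it take e-th roots mod n
L = 64                    # message length ell (toy): sk, name in {0,1}^L


def is_probable_prime(x: int, rounds: int = 32) -> bool:
    """Miller-Rabin, used only to pick the signature prime e."""
    if x < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if x % sp == 0:
            return x == sp
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        y = pow(2 + secrets.randbelow(x - 3), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def random_prime_e() -> int:
    """Prime e > 2^(L+1), coprime to phi(n) so that 1/e mod phi(n) exists."""
    while True:
        e = secrets.randbits(L + 2) | (1 << (L + 1)) | 1
        if is_probable_prime(e) and gcd(e, PHI) == 1:
            return e


def issuer_keygen() -> dict:
    """Public key (n, a1, a2, b, d): random quadratic residues mod n."""
    def qr() -> int:
        return pow(secrets.randbelow(N - 2) + 2, 2, N)
    return {"a1": qr(), "a2": qr(), "b": qr(), "d": qr()}


def encode_attr(text: str) -> int:
    """Map a clear attribute such as the name into the message space {0,1}^L."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[: L // 8], "big")


def user_commit(pk: dict, sk: int) -> tuple:
    """Step 1 (user): C = a1^sk * b^s hides sk from the issuer.  The accompanying
    proof PK{(mu, sigma): C = a1^mu b^sigma} is not implemented in this example."""
    s = secrets.randbits(2 * L)
    return pow(pk["a1"], sk, N) * pow(pk["b"], s, N) % N, s


def issuer_sign(pk: dict, C: int, name: int) -> tuple:
    """Step 2 (issuer): c = (d / (C * a2^name * b^s''))^(1/e) mod n; returns (c, e, s'')."""
    e, s2 = random_prime_e(), secrets.randbits(2 * L)
    denom = C * pow(pk["a2"], name, N) * pow(pk["b"], s2, N) % N
    base = pk["d"] * pow(denom, -1, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s2   # the root needs the trapdoor


def verify(pk: dict, sig: tuple, sk: int, name: int) -> bool:
    """Step 3 (user, and any later verifier): d == c^e a1^sk a2^name b^s (mod n)."""
    c, e, s = sig
    if not (e > 2 ** (L + 1) and 0 <= sk < 2**L and 0 <= name < 2**L):
        return False
    lhs = pow(c, e, N) * pow(pk["a1"], sk, N) * pow(pk["a2"], name, N) * pow(pk["b"], s, N)
    return lhs % N == pk["d"]


def rerandomize(pk: dict, sig: tuple, s_prime: int) -> tuple:
    """c' = c * b^s' as in the presentation slides; the b-exponent becomes s - e*s'."""
    c, e, s = sig
    return c * pow(pk["b"], s_prime, N) % N, e, s - e * s_prime


def issue_and_check() -> dict:
    pk = issuer_keygen()
    sk = secrets.randbits(L)                 # user's secret key, never sent
    name = encode_attr("Alice Doe")          # clear attribute added by the issuer
    C, s_user = user_commit(pk, sk)
    c, e, s_iss = issuer_sign(pk, C, name)
    cred = (c, e, s_iss + s_user)            # signature (c, e, s'' + s) on (sk, name)
    fresh = rerandomize(pk, cred, secrets.randbits(2 * L))
    return {
        "valid": verify(pk, cred, sk, name),
        "rerandomized_valid": verify(pk, fresh, sk, name),
        "unlinkable": fresh[0] != cred[0],
        "wrong_sk_rejected": not verify(pk, cred, (sk + 1) % 2**L, name),
    }
```

The negative b-exponent after re-randomization is handled by Python's modular inverse in pow(); in the real protocol that exponent is never sent, it is the σ that the SPK proves knowledge of.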
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users
– Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation)
– A user can voice an opinion only once (subsequent attempts are dropped)
– Users want to be anonymous
– A user's opinions in different polls must not be linkable
Polling – Solution: Registration
– User generates a pseudonym Nym = g^{sk} h^r (the ID for registration)
– User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. (c, e, s) with
   d = c^e · a_1^{sk} · a_2^r · a_3^{attr} · b^s (mod n)
– The credential can contain attributes about her (e.g. the course ID attr)
– Issuer public key: (n, a_1, a_2, a_3, b, d)
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID
2. User transforms (re-randomizes) the credential
3. User presents the transformed credential with a subset of the attributes
– User is anonymous and unlinkable across polls
– Multiple opinions are detected because the domain pseudonym is unique per (user, poll)
Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} with g_d = H(pollID), where H hashes into the group
   P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption), while the same user in the same poll always produces the same P
2. User transforms the credential: c' = c · b^{s'} mod n with randomly chosen s' (so that d = c'^e · a_1^{sk} a_2^r a_3^{attr} · b^{s − e·s'}) and signs the opinion with
   SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε · a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} · b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
   The pollster checks the SPK, accepts at most one opinion per P, and learns nothing about sk, r or the hidden attributes
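An added Python example (not code from the deck) that covers the pseudonym construction Nym = g^{sk} h^r from "Realizing Pseudonyms and Key Binding" and the polling presentation above: domain pseudonyms P = H(pollID)^{sk}, a Fiat-Shamir SPK that the same sk sits behind Nym and P, and the pollster's one-opinion-per-P rule. The group (the RFC 3526 2048-bit MODP prime, working in its order-q subgroup of quadratic residues), the hash-to-group construction, the generators and all names are assumptions of this example; the CL-credential clause of the slide's SPK is not included, so what is shown is the key-binding part only.

```python
import hashlib
import secrets

# 2048-bit MODP group of RFC 3526 (group 14): p = 2q + 1 is a safe prime, so the
# quadratic residues form a subgroup of prime order q in which DDH is assumed to hold.
# The published constant is copied here only to keep the example self-contained.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2


def group_params_look_sane() -> bool:
    """Fermat test of p and q with a few bases: a cheap sanity check, not a proof."""
    return all(pow(a, P - 1, P) == 1 and pow(a, Q - 1, Q) == 1 for a in (2, 3, 5, 7))


def hash_to_group(label: bytes) -> int:
    """Hash into the order-q subgroup (map to [2, p-2], then square).  Nobody learns
    a discrete logarithm between two such outputs, which is what the slides need of H."""
    x = int.from_bytes(hashlib.shake_256(label).digest(288), "big") % (P - 3) + 2
    return pow(x, 2, P)


G = hash_to_group(b"idemix-example:g")    # g, h with log_g(h) unknown (assumed setup)
H = hash_to_group(b"idemix-example:h")


def keygen() -> int:
    return secrets.randbelow(Q - 1) + 1   # sk in Z_q


def pseudonym(sk: int) -> tuple:
    """Nym = g^sk h^r, a Pedersen commitment to sk; a fresh r gives an unlinkable Nym."""
    r = secrets.randbelow(Q)
    return pow(G, sk, P) * pow(H, r, P) % P, r


def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = H(pollID)^sk: fixed per (user, poll), unlinkable across polls under DDH."""
    return pow(hash_to_group(b"domain:" + poll_id.encode()), sk, P)


def _challenge(*parts) -> int:
    """Fiat-Shamir challenge over the statement, the commitments and the signed message."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(256, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q


def spk_sign(sk: int, r: int, nym: int, poll_id: str, opinion: bytes) -> tuple:
    """SPK{(mu, rho): Nym = g^mu h^rho  AND  P = g_d^mu}(opinion) with g_d = H(pollID).
    Only the key-binding clauses of the slide's SPK; the credential clause is omitted."""
    g_d = hash_to_group(b"domain:" + poll_id.encode())
    p_d = pow(g_d, sk, P)
    t1, t2 = secrets.randbelow(Q), secrets.randbelow(Q)
    c = _challenge(nym, p_d, pow(G, t1, P) * pow(H, t2, P) % P, pow(g_d, t1, P), opinion)
    return p_d, (c, (t1 + c * sk) % Q, (t2 + c * r) % Q)


def spk_verify(nym: int, p_d: int, poll_id: str, opinion: bytes, proof: tuple) -> bool:
    c, z1, z2 = proof
    g_d = hash_to_group(b"domain:" + poll_id.encode())
    t1_cmt = pow(G, z1, P) * pow(H, z2, P) * pow(nym, -c, P) % P
    t2_cmt = pow(g_d, z1, P) * pow(p_d, -c, P) % P
    return c == _challenge(nym, p_d, t1_cmt, t2_cmt, opinion)


def poll_round() -> dict:
    """Two registered users in one poll; the pollster keeps one opinion per P."""
    poll, seen = "cs101-2015", {}
    alice, bob = keygen(), keygen()
    (nym_a, r_a), (nym_b, r_b) = pseudonym(alice), pseudonym(bob)

    def submit(sk, r, nym, opinion):
        p_d, proof = spk_sign(sk, r, nym, poll, opinion)
        if p_d in seen or not spk_verify(nym, p_d, poll, opinion, proof):
            return False                      # second opinion or bad proof: dropped
        seen[p_d] = opinion
        return True

    p_d, proof = spk_sign(alice, r_a, nym_a, poll, b"great course")
    return {
        "accepted": submit(alice, r_a, nym_a, b"great course")
        and submit(bob, r_b, nym_b, b"too fast"),
        "duplicate_dropped": not submit(alice, r_a, nym_a, b"second vote"),
        "tampered_rejected": not spk_verify(nym_a, p_d, poll, b"edited", proof),
        "cross_poll_unlinkable": domain_pseudonym(alice, poll)
        != domain_pseudonym(alice, "cs102-2015"),
        "fresh_nym_differs": pseudonym(alice)[0] != nym_a,
    }
```

The pollster stores only P and the opinion; linking Alice's two polls would require deciding whether H(pollID_1)^{sk} and H(pollID_2)^{sk} share an exponent, which is a DDH instance.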
Further Concepts
Concept – Inspection
– A trusted third party (the inspector) publishes inspector parameters (its public key) and inspection grounds (the conditions under which it will decrypt)
– Example: if the car is damaged, the ID of the driver needs to be retrievable by the insurance or the government
– Similarly, any certified attribute can be verifiably encrypted towards the inspector (optional)
– The TTP is off-line (not involved in normal transactions) and can be distributed to lessen trust
Public Key Encryption
(Figure: key generation, encryption, decryption)
Security: like envelopes. The ciphertext reveals no information about the message, not even which of two chosen messages was encrypted. This is called semantic security (secure if a key pair is used once only, or within a careful construction; against an attacker who can submit ciphertexts for decryption the stronger chosen-ciphertext security is needed).
Verifiable Encryption with Label
– A label binds context to an encryption, e.g. it defines the decryption condition (the inspection grounds) or binds the user to the car
– Security definition: a change of the label yields a new ciphertext, so the inspector can refuse to decrypt a ciphertext presented under any label other than the one it was created with
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL), or rarely ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
– Open problem: to find new ones
ElGamal Encryption Scheme
– Group G = ⟨g⟩ of prime order q
– Secret key: random x ∈ Z_q; public key: y = g^x
– To encrypt a message m ∈ ⟨g⟩: choose random r ∈ Z_q and compute c = (y^r · m, g^r)
– To decrypt a ciphertext c = (c_1, c_2): we know c = (y^r · m, g^r) = (g^{xr} · m, g^r), so set m = c_1 · c_2^{−x} = y^r · m · g^{−xr} = m
– Semantically secure under DDH, but malleable and therefore not secure against chosen-ciphertext attacks, which is why Cramer-Shoup is preferred for inspection
Realizing Inspection
Setting: the user holds Nym = g^{sk} h^r and a credential with d = c^e · a_1^{sk} a_2^r a_3^{name} · b^{s'' + s} (mod n); the inspector's public key is y = g^x
– Encrypt Nym: choose random u ∈ Z_q and compute enc = (y^u · Nym, g^u) = (e_1, e_2)
– Compute the proof token (presentation token):
   • compute c' = c · b^t mod n with randomly chosen t
   • compute the proof
     PK{(ε, μ_1, μ_2, μ_3, ρ, σ): d = c'^ε · a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} · b^σ (mod n) ∧ e_1 = y^ρ · g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
– The verifier learns that (e_1, e_2) encrypts the pseudonym of the credential's owner without learning the pseudonym; only the inspector, holding x, can recover Nym = e_1 · e_2^{−x}
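An added Python example (not code from the deck) of "Realizing Inspection" together with the ElGamal slide: the user encrypts Nym under the inspector's key y = g^x, then runs the interactive proof PK{(ρ, μ_1, μ_2): e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ Nym = g^{μ_1} h^{μ_2}} with the verifier choosing the challenge, and finally the inspector decrypts. The credential clause of the slide's proof is left out; the group (RFC 3526 2048-bit MODP, order-q subgroup), the hash-to-group construction, the generators and all names are this example's assumptions; and, as the slides note, plain ElGamal is only semantically secure, so a deployment would use Cramer-Shoup or Camenisch-Shoup for chosen-ciphertext security.

```python
import hashlib
import secrets

# Same RFC 3526 2048-bit safe-prime group as in the pseudonym setting (p = 2q + 1),
# copied so this file stands alone; ElGamal in the order-q subgroup is semantically
# secure under DDH.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2


def hash_to_group(label: bytes) -> int:
    """Map a label into the order-q subgroup (nothing-up-my-sleeve generators)."""
    x = int.from_bytes(hashlib.shake_256(label).digest(288), "big") % (P - 3) + 2
    return pow(x, 2, P)


G = hash_to_group(b"idemix-example:g")    # generators with log_g(h) unknown (assumed)
H = hash_to_group(b"idemix-example:h")


def inspector_keygen() -> tuple:
    """Inspector parameters: secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt_nym(y: int, nym: int) -> tuple:
    """enc = (y^u * Nym, g^u) = (e1, e2) for random u; returns (enc, u)."""
    u = secrets.randbelow(Q)
    return (pow(y, u, P) * nym % P, pow(G, u, P)), u


def inspect(x: int, enc: tuple) -> int:
    """Inspector recovers Nym = e1 * e2^(-x) once the inspection grounds are met."""
    e1, e2 = enc
    return e1 * pow(e2, -x, P) % P


class Prover:
    """User side of the interactive PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2 AND
    e2 = g^rho AND Nym = g^mu1 h^mu2}; the credential clause of the slide is left out."""

    def __init__(self, y: int, sk: int, r: int, u: int):
        self.y, self.w = y, (u, sk, r)               # witnesses (rho, mu1, mu2)
        self.t = [secrets.randbelow(Q) for _ in range(3)]

    def commit(self) -> tuple:
        t_u, t_sk, t_r = self.t
        return (pow(self.y, t_u, P) * pow(G, t_sk, P) * pow(H, t_r, P) % P,
                pow(G, t_u, P),
                pow(G, t_sk, P) * pow(H, t_r, P) % P)

    def respond(self, c: int) -> tuple:
        return tuple((t + c * w) % Q for t, w in zip(self.t, self.w))


def verifier_check(y: int, enc: tuple, nym: int, cmts: tuple, c: int, resp: tuple) -> bool:
    """Verifier: bases^responses must equal commitment * statement^challenge, per clause."""
    e1, e2 = enc
    z_u, z_sk, z_r = resp
    a1, a2, a3 = cmts
    ok1 = pow(y, z_u, P) * pow(G, z_sk, P) * pow(H, z_r, P) % P == a1 * pow(e1, c, P) % P
    ok2 = pow(G, z_u, P) == a2 * pow(e2, c, P) % P
    ok3 = pow(G, z_sk, P) * pow(H, z_r, P) % P == a3 * pow(nym, c, P) % P
    return ok1 and ok2 and ok3


def inspection_flow() -> dict:
    x, y = inspector_keygen()
    sk, r = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    nym = pow(G, sk, P) * pow(H, r, P) % P           # the registered pseudonym
    enc, u = encrypt_nym(y, nym)
    prover = Prover(y, sk, r, u)
    cmts = prover.commit()                            # prover  -> verifier
    c = secrets.randbelow(Q)                          # verifier -> prover (random challenge)
    resp = prover.respond(c)                          # prover  -> verifier
    other_nym = pow(G, 12345, P)                      # some unrelated pseudonym
    other_enc, _ = encrypt_nym(y, other_nym)
    return {
        "proof_accepted": verifier_check(y, enc, nym, cmts, c, resp),
        "other_ciphertext_rejected": not verifier_check(y, other_enc, nym, cmts, c, resp),
        "other_nym_rejected": not verifier_check(y, enc, other_nym, cmts, c, resp),
        "inspector_recovers_nym": inspect(x, enc) == nym,
    }
```

Because the verifier picks the challenge at random after seeing the commitments, this is the interactive PK of the slide; hashing the commitments instead (Fiat-Shamir) turns it into the non-interactive presentation token.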
Revocation of credentials
Anonymous Credential Revocation
– Various reasons to revoke a credential: the user lost the credential (secret key), misbehavior of the user
– (Figure: the issuer publishes revocation information; the verifier looks it up)
– Alice should be able to convince the verifier that her credential is among the good ones, without identifying which one it is
Anonymous Credential Revocation
Pseudonyms → standard revocation lists (CRLs keyed by a certificate serial number) don't work: the verifier never sees a stable identifier for the credential
Revocable Credentials: First Solution
– Include a credential ID u_i into the credential as a message, e.g. d = c^e · a_1^{sk} · a_2^{u_i} · b^{s'' + s} (mod n)
– Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
– Alice proves that her u_i is on the list:
   • choose a random g
   • compute U_j = g^{u_j} for every u_j in (u_1, …, u_k)
   • prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
– Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
– Include a credential ID u_i into the credential as a message, e.g. d = c^e · a_1^{sk} · a_2^{u_i} · b^{s'' + s} (mod n)
– Publish the list of all invalid u_i's: (u_1, …, u_k)
– Alice proves that her u_i is not on the list:
   • choose a random h and compute U = h^{u_i}
   • prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
   • the verifier checks that U ≠ h^{u_j} for all u_j on the list
– Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
– What happens when a u_i becomes public, whether on a list of valid or of invalid IDs? If the credential is revoked, all its past transactions become linkable: anyone who recorded a past (h, U) can now test U = h^{u_i}
Revocable Credentials: Second Solution (variation)
– The verifier could choose h and keep it fixed for a while, pre-computing the list U_j = h^{u_j} → a single table lookup per presentation
– BUT if the user comes again, the verifier can link the two visits (same h, same U); ALSO the verifier could simply never change h, or use the same h as other verifiers
– One way out: h = H(verifier, date), so the user can check that h is correct; "date" could be the time up to seconds, and the verifier just stores (pre-computes) all the lists
Revocable Credentials: Second Solution – a better implementation of the proof
– The issuer sorts the revoked IDs and signs the intervals between them: for the revocation list {1, 4, 5} over the range [0, N] it publishes Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)
– Alice, holding e.g. u = 3, proves that her credential contains u and that she knows a signed interval (i, j) with i < u < j
– The verifier does not learn i, j (or u), and the proof is constant size instead of linear in the list
– Sig(i, j) can be realised with the credential signature scheme itself, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
– Credentials contain a random serial number (figure: serials 1, …, 6)
– The issuer accumulates all good serial numbers into one short value
– Alice proves that her credential contains a serial number that is included in the accumulator; the proof requires a witness for her serial number
– To revoke credential 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators (RSA accumulator)
– Key setup: RSA modulus n, seed v
– Accumulate:
   • the values are primes e_i
   • accumulator value z = v^{Π e_i} mod n
   • publish z and n
   • the witness x for e_j, s.t. z = x^{e_j} mod n, can be computed as x = v^{e_1 ⋯ e_{j−1} · e_{j+1} ⋯ e_k} mod n
– Show that your value e is contained in the accumulator: provide x for e; the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
– Security of the accumulator: it must be infeasible to show an e that is not contained in the accumulator, i.e. to find x s.t. z = x^e mod n
   • for a fixed e: equivalent to the RSA assumption
   • for any (adversarially chosen) e: equivalent to the Strong RSA assumption
– Revocation: each certificate is associated with an e, and each user gets the witness x together with the certificate. But we still need
   • an efficient protocol to prove that a committed value is contained in the accumulator
   • a dynamic accumulator, i.e. the ability to remove and add values as certificates come and go
Revocable Credentials: Third Solution
Prove that your key (the serial e signed in the certificate) is in the accumulator:
– Commit to the witness x:
   • choose random s and g, compute U_1 = x · h^s and U_2 = g^s, and reveal U_1, U_2, g
– Run the proof protocol with the verifier:
   PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed:
   • (U_1, U_2) is a secure (hiding) commitment to x
   • the proof protocol is zero-knowledge
– The proof indeed shows that the e contained in the certificate is also contained in the accumulator:
   a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ·μ
   b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ·μ} = (U_1 · h^{−δ})^μ (mod n), i.e. x = U_1 · h^{−δ} is a witness for μ
   c) d = c^ε a_1^ρ a_2^μ b^σ (mod n), i.e. the same μ is the value signed in the certificate
Revocation: Third Solution
Dynamic accumulator – when a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n (check: x'^{e_own} = (x^{e_own})^{e_new} = z^{e_new} = z')
Revocation: Third Solution
Dynamic accumulator – when a certificate containing e_rev is revoked:
– Now z' = v^{Π_{i ≠ rev} e_i} = z^{1/e_rev} mod n (the issuer computes this root using the factorization of n)
– Witness update, done by each remaining user without the factorization:
   • use the extended Euclidean algorithm to compute a and b s.t. a·e_own + b·e_rev = 1 (possible since both are distinct primes)
   • set x' = x^b · z'^a mod n
   • why: x'^{e_own} = x^{b·e_own} · z'^{a·e_own} = z^b · z'^{a·e_own} = z'^{b·e_rev} · z'^{a·e_own} = z'^{a·e_own + b·e_rev} = z' (mod n), using z = z'^{e_rev} :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n – when a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually v never occurs anywhere, so the issuer can re-base the seed to v' = v^{1/e_new} mod n and hand out the witness x = z^{1/e_new} mod n directly
– Thus z need not be changed when a new member joins, and existing witnesses stay valid
– Witnesses need to be recomputed upon revocation only
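The dynamic accumulator of the previous slides in Python, as an added example (this is not code from the deck or from the Camenisch-Lysyanskaya paper): accumulate prime serial numbers, verify a witness, revoke a value by taking an e-th root, update a witness on the user side with the extended Euclidean algorithm, and compare the plain join (z and every witness change) with the improved join (the issuer re-bases the seed and z stays unchanged). The toy modulus built from two Mersenne primes and the small serial primes are this example's choices; a deployment uses a large modulus of two safe primes and large random prime serials. Requires Python 3.8+ for pow(x, -1, m).

```python
import secrets

# Toy RSA modulus from two known Mersenne primes (constructed for illustration; a real
# deployment uses a 2048-bit+ modulus of random safe primes).  The issuer keeps phi(n).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def egcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


class Issuer:
    """Holds z = v^{prod e_i} mod n and, knowing phi(n), can take e-th roots."""

    def __init__(self):
        self.v = pow(secrets.randbelow(N - 2) + 2, 2, N)   # random seed in QR_n
        self.z = self.v
        self.members = set()

    def add(self, e: int) -> int:
        """Improved join: z stays unchanged, the seed becomes v' = v^{1/e} and the
        new member's witness is x = z^{1/e}; witnesses of existing members stay valid."""
        assert e not in self.members
        inv_e = pow(e, -1, PHI)                 # requires gcd(e, phi(n)) = 1
        self.v = pow(self.v, inv_e, N)
        self.members.add(e)
        return pow(self.z, inv_e, N)

    def revoke(self, e: int) -> int:
        """z' = z^{1/e_rev}; the new z is published."""
        self.members.remove(e)
        self.z = pow(self.z, pow(e, -1, PHI), N)
        return self.z


def verify_membership(z: int, e: int, x: int) -> bool:
    return pow(x, e, N) == z


def update_witness_after_revocation(x: int, e_own: int, e_rev: int, z_new: int) -> int:
    """User-side update without the trapdoor: with a*e_own + b*e_rev = 1,
    x' = x^b * z_new^a satisfies x'^e_own = z_new."""
    g, a, b = egcd(e_own, e_rev)
    assert g == 1, "serial numbers must be distinct primes"
    return pow(x, b, N) * pow(z_new, a, N) % N


def update_witness_after_join(x: int, e_new: int) -> int:
    """Plain join: z' = z^e_new, so every existing witness becomes x' = x^e_new."""
    return pow(x, e_new, N)


def revocation_flow() -> dict:
    """Serial numbers are primes (toy-sized here; real ones are large random primes)."""
    e_alice, e_bob, e_carol, e_dave = 10007, 10009, 10037, 10039
    issuer = Issuer()
    x_alice, x_bob, x_carol = issuer.add(e_alice), issuer.add(e_bob), issuer.add(e_carol)
    z0 = issuer.z
    all_valid = all(verify_membership(z0, e, x)
                    for e, x in ((e_alice, x_alice), (e_bob, x_bob), (e_carol, x_carol)))
    z1 = issuer.revoke(e_bob)                            # Bob's credential is revoked
    x_alice2 = update_witness_after_revocation(x_alice, e_alice, e_bob, z1)
    forged = pow(secrets.randbelow(N - 2) + 2, 2, N)
    z2 = pow(z1, e_dave, N)                              # plain join of Dave, no trapdoor
    return {
        "all_valid_before": all_valid,
        "alice_updated_ok": verify_membership(z1, e_alice, x_alice2),
        "stale_witness_fails": not verify_membership(z1, e_alice, x_alice),
        "revoked_bob_fails": not verify_membership(z1, e_bob, x_bob),
        "random_witness_fails": not verify_membership(z1, e_bob, forged),
        "plain_join_update_ok": verify_membership(
            z2, e_alice, update_witness_after_join(x_alice2, e_dave)),
    }
```

The revocation update is the step every non-revoked user performs locally after each published z; the join update is only needed if the issuer uses the plain (trapdoor-free) join.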
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– No additional effort for the verifier: if the credential is valid (its time attribute is current) → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends U = a_1^{m_1} a_2^{m_2} b^s; the issuer chooses e, s'' and computes
   c = (d / (U · a_3^{m_3} · a_4^{time} · b^{s''}))^{1/e} mod n
and returns (c, e, s'')
Idea: just repeat the last step for each new time period time_i
– the issuer chooses e_i, s_i'' and computes c_i = (d / (U · a_3^{m_3} · a_4^{time_i} · b^{s_i''}))^{1/e_i} mod n
– the update information (c_i, e_i, s_i'') can be pushed to the user by many different means, and no interaction is needed since the issuer already knows U
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. EUROCRYPT '87, LNCS 304, pp. 127–141, Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. EUROCRYPT '97, LNCS 1233, pp. 318–333, Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. Financial Cryptography 2002, LNCS, Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross and V. Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya and G. Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185–215, Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Advances in Cryptology – CRYPTO '84.
copy 2014 IBM Corporation88 August 11 2015
putting things together
copy 2014 IBM Corporation89 August 11 2015
Realizing Pseudonyms and Key Binding
Let G = ltggt = lthgt of order q
Users secret key random sk isin Zq
To compute a pseudonym Nym ndash Choose random r isin Zq ndash Compute Nym = gskhr
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
Realizing Issuance of Credential
Issuer's public key: (n, a_i, b, d). The issuer stores (Nym, name).
– The user commits to her secret key, C = a_1^{sk} b^{s'} mod n, and sends C together with the clear attribute name.
– The user proves knowledge of the opening: PK{(μ_1, σ): C = a_1^{μ_1} b^σ}.
– The issuer chooses (e, s''), computes c = (d / (C a_2^{name} b^{s''}))^{1/e} mod n and returns (c, e, s'').
– The user now holds a signature with d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} (mod n); the issuer never saw sk.

Want to sign w.r.t. Nym = g^sk h^r:
– The user commits to both sk and r, C = a_1^{sk} a_2^r b^{s'}, and proves PK{(μ_1, ρ, σ): Nym = g^{μ_1} h^ρ ∧ C = a_1^{μ_1} a_2^ρ b^σ}.
– The issuer computes c = (d / (C a_3^{name} b^{s''}))^{1/e} mod n, returns (c, e, s'') and stores (Nym, name).
– The resulting credential satisfies d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n).
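The issuance protocol above carried through in running code, as an added example (not the slides' or Idemix's own code): a toy CL-style signature on the hidden secret key and pseudonym randomizer, issued from the commitment C after a Fiat-Shamir proof that C and Nym hide the same sk. The group order Q, the generators, the toy RSA primes and the attribute encoding are constructed here and are far too small for real use.

```python
"""Toy Identity-Mixer-style issuance: a CL signature on a hidden secret key,
bound to the pseudonym Nym = g^sk h^r.  Added example, not the slides' code;
every parameter is tiny and chosen for readability, not for security."""
import hashlib
import secrets

# Constructed toy parameters (a real deployment uses 2048-bit moduli).
P, Q = 2039, 1019   # safe prime P = 2Q + 1; G = <g> = <h> is the order-Q subgroup
G, H = 4, 9         # squares mod P, hence generators of the order-Q subgroup
L = 10              # message length: sk, r, name < 2**L (note Q < 2**L)


def is_prime(x):
    """Trial division; adequate for the toy sizes used here."""
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))


def next_prime(x):
    while not is_prime(x):
        x += 1
    return x


def hash_to_int(*parts):
    """Fiat-Shamir challenge: hash the whole transcript to an integer."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class Issuer:
    """Holds the factorization of n; public key is (n, a1, a2, a3, b, d)."""
    def __init__(self):
        p, q = next_prime(10 ** 6), next_prime(10 ** 6 + 4)   # constructed toy RSA primes
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.a1, self.a2, self.a3, self.b, self.d = (   # bases are squares mod n
            pow(secrets.randbelow(self.n - 2) + 2, 2, self.n) for _ in range(5))
        self.pubkey = (self.n, self.a1, self.a2, self.a3, self.b, self.d)
        self.registered = {}   # Nym -> name: what the slides say the issuer stores

    def issue(self, nym, name, C, proof):
        """Sign the hidden (sk, r) inside C together with the clear attribute name."""
        if not verify_commitment_proof(self.pubkey, nym, C, proof):
            raise ValueError("proof of knowledge for C and Nym failed")
        n = self.n
        while True:   # e: a prime > 2**(L+1) that is invertible mod phi(n)
            e = next_prime(2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1)))
            if self.phi % e:
                break
        s2 = secrets.randbelow(n)   # the issuer's share s'' of the randomizer
        # c = (d / (C a3^name b^s''))^(1/e) mod n, via the trapdoor 1/e mod phi(n)
        denom = C * pow(self.a3, name, n) * pow(self.b, s2, n) % n
        c = pow(self.d * pow(denom, -1, n) % n, pow(e, -1, self.phi), n)
        self.registered[nym] = name
        return c, e, s2


class User:
    def __init__(self, pubkey):
        self.pubkey = pubkey
        self.sk = secrets.randbelow(Q - 1) + 1   # secret key: never leaves the user
        self.r = secrets.randbelow(Q - 1) + 1
        self.nym = pow(G, self.sk, P) * pow(H, self.r, P) % P

    def commit(self):
        """C = a1^sk a2^r b^s' with PK{(mu1, rho, sigma): Nym = g^mu1 h^rho and
        C = a1^mu1 a2^rho b^sigma}, made non-interactive with Fiat-Shamir."""
        n, a1, a2, a3, b, d = self.pubkey
        self.s1 = secrets.randbelow(n)
        C = pow(a1, self.sk, n) * pow(a2, self.r, n) * pow(b, self.s1, n) % n
        # responses are taken over the integers, so one value mu1 answers for
        # both the order-Q group and the RSA group of unknown order
        k_sk, k_r, k_s = (secrets.randbelow(2 ** 80) for _ in range(3))
        t_nym = pow(G, k_sk, P) * pow(H, k_r, P) % P
        t_C = pow(a1, k_sk, n) * pow(a2, k_r, n) * pow(b, k_s, n) % n
        ch = hash_to_int(self.nym, C, t_nym, t_C)
        proof = (t_nym, t_C, k_sk + ch * self.sk, k_r + ch * self.r, k_s + ch * self.s1)
        return self.nym, C, proof

    def finish(self, c, e, s2, name):
        """Combine the issuer's (c, e, s'') with the hidden part: s = s'' + s'."""
        return (c, e, self.s1 + s2, name)


def verify_commitment_proof(pubkey, nym, C, proof):
    """Issuer's check of the user's proof before signing anything."""
    n, a1, a2, a3, b, d = pubkey
    t_nym, t_C, z_sk, z_r, z_s = proof
    ch = hash_to_int(nym, C, t_nym, t_C)
    return (pow(G, z_sk, P) * pow(H, z_r, P) % P == t_nym * pow(nym, ch, P) % P
            and pow(a1, z_sk, n) * pow(a2, z_r, n) * pow(b, z_s, n) % n
            == t_C * pow(C, ch, n) % n)


def verify_credential(pubkey, cred, sk, r):
    """Holder's check of the signature: d == c^e a1^sk a2^r a3^name b^s (mod n)."""
    n, a1, a2, a3, b, d = pubkey
    c, e, s, name = cred
    return d == (pow(c, e, n) * pow(a1, sk, n) * pow(a2, r, n)
                 * pow(a3, name, n) * pow(b, s, n)) % n


def run_issuance(name="Alice Doe"):
    """One full issuance; returns the issuer, the user and the credential."""
    issuer = Issuer()
    user = User(issuer.pubkey)
    name_attr = hash_to_int(name) % 2 ** L   # toy encoding of the attribute into {0,1}^L
    nym, C, proof = user.commit()
    c, e, s2 = issuer.issue(nym, name_attr, C, proof)
    return issuer, user, user.finish(c, e, s2, name_attr)
```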
An Example Scenario

Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous: a user's opinions in different polls must not be linkable.
Polling – Solution: Registration
The user generates a pseudonym (ID for registration).
The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e., (c, e, s) with
d = c^e a_1^{sk} a_2^r a_3^{attr} b^s (mod n)
The credential can contain attributes (e.g., course ID) about her.
Issuer's public key: (n, a_1, a_2, b, d)

Polling – Solution: Submit Poll
1. The user generates a domain pseudonym (domain = pollID).
2. The user transforms the credential.
3. The user sends the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.

Polling – Solution: Polling
1. Domain pseudonym P = g_d^{sk} = H(pollID)^{sk}
P_1 = H(pollID_1)^{sk} and P_2 = H(pollID_2)^{sk} are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
– c' = c b^{s'} mod n with randomly chosen s'
– SPK{(ε, μ_1, μ_2, μ_3, σ): P = g_d^{μ_1} ∧ d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}(opinion)
Further Concepts

Concept – Inspection
(figure: user, verifier and an off-line trusted third party (TTP) acting as inspector, with inspector parameters and inspection grounds)
• If the car is damaged, the ID needs to be retrieved (with the insurance company or the government)
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
(figure: key generation, encryption, decryption)

Security: like envelopes, a ciphertext reveals no information about the message.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g., it defines the decryption condition, binds the user to the car, etc.
Security definition: a change of label is a new ciphertext.

Verifiable Encryption
Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = <g> of order q
Secret key: x ∈ {1, ..., q}; public key: y = g^x
To encrypt a message m ∈ <g>:
– choose random r ∈ {1, ..., q}
– compute c = (y^r m, g^r)
To decrypt a ciphertext c = (c_1, c_2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
(figure: the user holds Nym = g^sk h^r and the credential d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n); the inspector holds the key pair x, y = g^x)
Encrypt Nym: choose random u ∈ {1, ..., q} and compute enc = (y^u Nym, g^u) = (e_1, e_2).
Compute the proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof
PK{(ε, μ_1, μ_2, μ_3, ρ, σ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
Revocation of Credentials

Anonymous Credential Revocation
(figure: the issuer publishes revocation info; the verifier looks it up)
Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n).
Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k).
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for each u_j in (u_1, ..., u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ ... ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n).
Publish the list of all invalid u_i's: (u_1, ..., u_k).
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
– The verifier checks whether U = h^{u_j} for any u_j on the list (and rejects if so)
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid u_i's public? If a credential is revoked, all its past transactions become linkable.

Variation: the verifier could choose h and keep it fixed for a while.
– It can pre-compute the list U_i = h^{u_i} → single table lookup.
– BUT if the user comes again, the verifier can link the visits. ALSO, the verifier could refuse to change h at all, or use the same h as other verifiers.
– One way out: h = H(verifier, date), so that the user can check its correctness; date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them.
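The domain pseudonym from the polling slides and the per-session revocation token of the second solution both raise a hashed group base to a secret exponent, so one added example (not the slides' code) serves both passages: it shows duplicate opinions being dropped, a token being checked against the revoked list via the pre-computed table, and why a fresh h = H(verifier, date) matters. The toy safe prime found at import time, the hash-to-group mapping and the sample keys and credential IDs are assumptions; the zero-knowledge proof that ties the token to the credential is omitted.

```python
"""Domain pseudonyms for polling (P = H(pollID)^sk) and the second revocation
solution's token U = h^u_i with h = H(verifier, date).  Added example, not the
slides' code; the group is a toy prime-order subgroup found at import time and
H is SHA-256 mapped into that subgroup."""
import hashlib


def is_prime(x):
    """Trial division; adequate for the toy sizes used here."""
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))


def safe_prime_from(start):
    """Smallest safe prime P = 2Q + 1 with P >= start."""
    p = start | 1
    while not (is_prime(p) and is_prime(p // 2)):
        p += 2
    return p


P = safe_prime_from(2 ** 25)   # constructed toy safe prime; real groups are far larger
Q = P // 2                      # order of the subgroup of squares; all secrets live in Z_Q


def hash_to_group(*labels):
    """Map a label such as (pollID) or (verifier, date) to an element of order Q."""
    data = b"|".join(str(l).encode() for l in labels)
    for ctr in range(256):
        v = int.from_bytes(hashlib.sha256(data + bytes([ctr])).digest(), "big") % P
        g = pow(v, 2, P)           # squaring lands in the order-Q subgroup
        if g != 1:
            return g
    raise RuntimeError("unreachable for a sane hash")


def domain_pseudonym(sk, poll_id):
    """P = H(pollID)^sk: fixed per (user, poll); unlinkable across polls under DDH."""
    return pow(hash_to_group("poll", poll_id), sk, P)


class Pollster:
    """Accepts one opinion per domain pseudonym, as the scenario requires."""

    def __init__(self, poll_id):
        self.poll_id, self.seen, self.opinions = poll_id, set(), []

    def submit(self, pseudonym, opinion):
        if pseudonym in self.seen:      # repeated attempt from the same user: dropped
            return False
        self.seen.add(pseudonym)
        self.opinions.append(opinion)
        return True


def revocation_base(verifier, date):
    """Second solution, variation: h = H(verifier, date).  Because it is derived
    from public data, the user can recompute it and refuse a stale or shared h."""
    return hash_to_group("revocation", verifier, date)


def revocation_token(u_i, h):
    """User's token U = h^u_i for her credential ID u_i (the PK on the slides,
    which ties u_i to the credential, is omitted here)."""
    return pow(h, u_i, P)


def precompute_revoked(h, revoked_ids):
    """Verifier's table {h^u_j} for one h: a single lookup instead of k exponentiations."""
    return {pow(h, u_j, P) for u_j in revoked_ids}


def is_revoked(token, table):
    """Verifier's check: the token equals h^u_j for some revoked u_j."""
    return token in table
```

Two tokens from the same user under the same h coincide, which is the linkability the slides warn about when a verifier keeps h fixed.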
Revocable Credentials: Second Solution ... a better implementation of the proof
(figure: the revocation list {1, 4, 5} on a number line from 0 to N; the user's value 3 lies in the interval between 1 and 4)
The issuer signs the intervals between revoked values → for revocation list {1, 4, 5}: Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N).
The credential contains a value that lies strictly between some i and j, and the user proves knowledge of Sig(i, j) for those i < j; the verifier does not learn i, j.
Sig(i, j) can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators
(figure: an accumulator containing the serial numbers 1, 2, 3, 4, 5, 6, and a credential containing serial number 2)
Credentials contain a random serial number; the issuer accumulates all good serial numbers.
A proof that the credential's serial number is included in the accumulator requires a witness.
To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v.
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– the witness x for e_j, s.t. z = x^{e_j} mod n, can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x and e with z = x^e mod n for an e that is not contained in the accumulator.
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e and each user gets a witness x with the certificate. But we still need:
– An efficient protocol to prove that a committed value is contained in the accumulator
– A dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to x:
• choose random s and g, and
• compute U_1 = x h^s, U_2 = g^s, and reveal U_1, U_2, g
– Run the proof protocol with the verifier:
PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}

Analysis:
– No information about x and e is revealed:
• (U_1, U_2) is a secure commitment to x
• the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 / h^δ)^μ (mod n)
c) d = c^ε a_1^ρ a_2^μ b^σ (mod n)
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e., they need to be updated: x' = x^{e_new} mod n

When a certificate containing e_rev is revoked:
– Now z' = v^{Π' e_i} = z^{1/e_rev} mod n
– Witness:
• Use the extended Euclidean algorithm to compute a and b s.t. a e_own + b e_rev = 1
• Now x' = x^b z'^a mod n
• Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
= ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
= z^{1/e_rev} mod n = z' :-)

Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
Revocation: Zeroth Solution – Update of Credentials
Encode the validity time as an attribute:
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer

Re-issue certificates (off-line; interaction might be too expensive). Recall issuing for Identity Mixer:
– The user sends U = a_1^{m_1} a_2^{m_2} b^{s'}.
– The issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n; the user receives (c, e, s'').

Idea: just repeat the last step for each new time period:
– The issuer chooses e_i, s_i'' and computes c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n.
– The update information (c_i, e_i, s_i'') can be pushed to the user by many different means.
Conclusions
Roadmap:
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society:
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010: 255-276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009: 131-140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185-215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology - CRYPTO 93, Springer-Verlag, 1993.

References
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24, No. 2, pp. 84-88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Proceedings of CRYPTO 82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. In Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology - CRYPTO 2003, pp. 126-144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology - CRYPTO 84.
copy 2014 IBM Corporation90 August 11 2015
Like PKI but better
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept credentials
Name = Alice DoeBirth date = April 3 1997
Realizing Issuance of Credential

Recall a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$:
- $m_1, \ldots, m_k \in \{0,1\}^\ell$
- $e > 2^{\ell+1}$
- $d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$

Problem: the pseudonym is not in the message space.
Solution: sign the secret key instead:
  $\rightarrow d = c^e a_1^{sk} a_2^{m_2} \cdots a_k^{m_k} b^s \bmod n$
New problem: how can we sign a secret message?
Signature Scheme: Signing Hidden Messages

The signer sees only commitments to $m_1, \ldots, m_j$ (drawn as boxes on the slide) together with the clear messages $(m_{j+1}, \ldots, m_k)$:
  $\sigma = \mathrm{sig}(\text{commitments to } m_1, \ldots, m_j,\ (m_{j+1}, \ldots, m_k))$
  $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$
Verification remains unchanged. The security requirements are basically the same as for ordinary signatures, but:
- the signer should not learn any information about $m_1, \ldots, m_j$
- forgery is defined w.r.t. the clear message parts and the openings of the commitments
Realizing Issuance of Credential

Issuer public key: $(n, a_1, \ldots, a_k, b, d)$.

1. The user commits to her secret key, $C = a_1^{sk} b^{s'} \bmod n$, and sends $C$ together with the clear attribute $name$ to the issuer.
2. The user proves knowledge of the opening: $PK\{(\mu_1, \sigma'): C = a_1^{\mu_1} b^{\sigma'}\}$.
3. The issuer chooses $e$ and $s''$, computes $c = \left(\dfrac{d}{C\, a_2^{name}\, b^{s''}}\right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. The user now holds a signature with $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Want to sign w.r.t. a pseudonym $Nym = g^{sk} h^r$:
- The user sends $C = a_1^{sk} a_2^{r} b^{s'}$, $Nym$ and $name$, and proves $PK\{(\mu_1, \rho, \sigma'): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma'}\}$.
- The issuer stores $(Nym, name)$, computes $c = \left(\dfrac{d}{C\, a_3^{name}\, b^{s''}}\right)^{1/e} \bmod n$ and returns $(c, e, s'')$.
- Result: $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.

© 2013 IBM Corporation, October 28, 2014
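The issuance step above (commit to sk, issuer takes an e-th root of d divided by the commitment and the clear attribute, user adds the two s shares), as an added worked example in Python that is not part of the talk or of Identity Mixer. It serves both the "Signing Hidden Messages" slide and the issuance slides. The toy modulus 10007 · 10009, the bases a1, a2, b, d, the bound ℓ = 14, the prime e = 65537 and all function names are constructed for illustration; the zero-knowledge proof PK{(μ1, σ'): C = a1^μ1 b^σ'} that the user sends alongside C is omitted, and the issuer uses its knowledge of the factorization of n to take the e-th root.

```python
# Added example (not from the slides): issuing a CL-style signature on a
# committed secret key plus a clear attribute, then verifying it.
# Toy parameters constructed for illustration only; real deployments use
# a ~2048-bit RSA modulus and e much larger than 2^(ell+1).
import secrets
from math import gcd

P, Q = 10007, 10009          # constructed toy factors; only the issuer knows them
N = P * Q
PHI = (P - 1) * (Q - 1)
ELL = 14                     # message length bound: m_i in {0,1}^ELL

# Issuer public key (n, a1, a2, b, d): squares mod n, so they lie in QR_n.
A1, A2, B, D = 4, 9, 49, 121

def commit_sk(sk):
    """User: C = a1^sk * b^s' mod n; s' is the user's share of the blinding."""
    s_prime = secrets.randbelow(N)
    return pow(A1, sk, N) * pow(B, s_prime, N) % N, s_prime

def issue(C, name, e=65537):
    """Issuer: c = (d / (C * a2^name * b^s''))^(1/e) mod n; returns (c, e, s'').
    The issuer never sees sk, only the commitment C."""
    assert gcd(e, PHI) == 1 and e > 2 ** (ELL + 1)
    s_dprime = secrets.randbelow(N)
    y = D * pow(C * pow(A2, name, N) * pow(B, s_dprime, N), -1, N) % N
    e_inv = pow(e, -1, PHI)                  # e-th root needs the factorization
    return pow(y, e_inv, N), e, s_dprime

def verify(c, e, s, sk, name):
    """Anyone holding the messages checks d == c^e a1^sk a2^name b^s mod n."""
    if not (0 <= sk < 2 ** ELL and 0 <= name < 2 ** ELL):
        return False
    lhs = pow(c, e, N) * pow(A1, sk, N) * pow(A2, name, N) * pow(B, s, N) % N
    return lhs == D

def issuance_round_trip(sk, name):
    """Full flow: user commits, issuer signs blind, user combines s = s' + s''."""
    C, s_prime = commit_sk(sk)
    c, e, s_dprime = issue(C, name)
    return verify(c, e, s_prime + s_dprime, sk, name)
```

The point to take from the arithmetic: the issuer's output depends on C, which hides sk, and the finished signature verifies against sk only on the user's side once she adds her own s' to the issuer's s''.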
An Example Scenario
Polling: Scenario and Requirements

Scenario: pollster(s) and a number of users.
- Only registered users (e.g. students who took a course) can voice an opinion (e.g. course evaluation).
- A user can voice an opinion only once (subsequent attempts are dropped).
- Users want to be anonymous.
- A user's opinions in different polls must not be linkable.
Polling – Solution: Registration

- The user generates a pseudonym (ID for registration).
- The user obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
  $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^s \pmod n$
  under the issuer public key $(n, a_1, a_2, b, d)$.
- The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll

1. The user generates a domain pseudonym for domain = pollID.
2. The user transforms the credential.
3. The user presents the transformed credential with a subset of the attributes.
- The user is anonymous and unlinkable.
- Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling

1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$.
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. The user transforms the credential:
   - $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
   - $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}(opinion)$
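Domain pseudonyms as the polling slides use them, as an added example that is not the talk's or Identity Mixer's code: $P = H(pollID)^{sk}$ is recomputed identically whenever the same user returns to the same poll, so the pollster drops repeats without learning who voted. The toy safe prime 2039, the hash-to-group routine (SHA-256 followed by squaring into the order-q subgroup) and the function names are constructed; the signature proof that ties $P$ to the credential is left out, only the pseudonym arithmetic and the pollster's duplicate check are shown.

```python
# Added example (not from the slides): domain pseudonyms for a poll.
# Toy group constructed for illustration: p = 2q + 1 with q prime; the
# squares mod p form the subgroup of order q in which everything lives.
import hashlib

P = 2039                         # safe prime (constructed toy size)
Q = (P - 1) // 2                 # 1019, prime: order of the subgroup

def hash_to_group(domain):
    """g_d = H(domain): hash to an integer, square it to land in the
    order-q subgroup, and retry with a counter if the result is 0 or 1."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{domain}|{ctr}".encode()).digest()
        g_d = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g_d not in (0, 1):
            return g_d
        ctr += 1

def domain_pseudonym(sk, domain):
    """P = H(domain)^sk mod p: same user + same domain -> same P;
    different domains give values that are unlinkable under DDH."""
    return pow(hash_to_group(domain), sk, P)

def tally(submissions):
    """Pollster side: (pseudonym, opinion) pairs; later duplicates are dropped.
    Returns the accepted opinions and the number of dropped repeats."""
    seen, accepted, dropped = set(), [], 0
    for pseud, opinion in submissions:
        if pseud in seen:
            dropped += 1
            continue
        seen.add(pseud)
        accepted.append(opinion)
    return accepted, dropped

def run_poll():
    # Constructed users: only their secret keys matter for the pseudonym.
    alice, bob = 12345, 777
    poll = "course-eval-2015"
    subs = [
        (domain_pseudonym(alice, poll), "good"),
        (domain_pseudonym(bob, poll), "ok"),
        (domain_pseudonym(alice, poll), "good again"),   # repeat: dropped
    ]
    return tally(subs)
```

The pollster stores only the set of pseudonyms seen for this pollID; because each pollID hashes to its own base, the stored values cannot be matched against another poll's set.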
Further Concepts

Concept – Inspection

TTP (inspector): inspector parameters, inspection grounds.
- If the car is damaged, the ID needs to be retrievable by the insurance or the government.
- Similarly, verifiably encrypt any certified attribute (optional).
- The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption

Key generation, encryption, decryption.

Security: like envelopes, no information about the message.
Whether two envelopes contain the same message or different ones must not be visible from the outside. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label

The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.

Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient
Open problem: to find new ones.
ElGamal Encryption Scheme

Group $G = \langle g \rangle$ of order $q$.
Secret key $x \in \{1, \ldots, q\}$; public key $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
- choose random $r \in \{1, \ldots, q\}$
- compute $c = (y^r m, g^r)$
To decrypt ciphertext $c = (c_1, c_2)$:
- We know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
- Thus set $m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r-r} m = m$
Realizing Inspection

The user holds $Nym = g^{sk} h^r$ and a credential $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.

- Encrypt $Nym$: pick random $u \in \{1, \ldots, q\}$ and set $enc = (y^u Nym, g^u) = (e_1, e_2)$.
- Compute the proof token (presentation token):
  - compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
  - compute the proof
    $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
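ElGamal in a prime-order subgroup, used the way the "Realizing Inspection" slide uses it, as an added example that is not the talk's code: the user encrypts $Nym = g^{sk} h^r$ under the inspector's key, and the inspector later decrypts and maps the pseudonym back to the name the issuer stored at issuance. The toy safe prime 2039, the generators 4 and 9, the sample secret key and the function names are constructed; the proof PK that ties $e_1, e_2$ to the credential is omitted, so what is shown is the encryption, the decryption check and the semantic-security point that two encryptions of the same $Nym$ differ.

```python
# Added example (not from the slides): ElGamal in a prime-order subgroup,
# applied to inspection. Toy parameters constructed for illustration.
import secrets

P = 2039                      # safe prime, p = 2q + 1 (toy size)
Q = (P - 1) // 2              # 1019
G, H = 4, 9                   # squares mod p: generators of the order-q subgroup

def keygen():
    """Inspector: secret x in {1, ..., q-1}, public y = g^x."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def encrypt(y, m, u=None):
    """c = (y^u * m, g^u); u is random unless supplied (used for the determinism check)."""
    if u is None:
        u = 1 + secrets.randbelow(Q - 1)
    return pow(y, u, P) * m % P, pow(G, u, P)

def decrypt(x, c):
    """m = c1 * c2^(-x): c2^(-x) = g^(-ux) cancels the mask y^u = g^(xu)."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P

def pseudonym(sk, r):
    """Nym = g^sk h^r, a group element and therefore a valid ElGamal plaintext."""
    return pow(G, sk, P) * pow(H, r, P) % P

def inspect(x, enc, registry):
    """Inspector (TTP): recover Nym and look it up in the issuer's registry."""
    return registry.get(decrypt(x, enc))

def demo():
    x, y = keygen()
    nym = pseudonym(sk=12345, r=42)            # constructed user values
    registry = {nym: "Alice Doe"}              # what the issuer stored at issuance
    enc = encrypt(y, nym)                      # what the user attaches to the token
    # semantic security: two encryptions of the same Nym look unrelated
    c_a, c_b = encrypt(y, nym, u=5), encrypt(y, nym, u=7)
    return inspect(x, enc, registry), c_a != c_b
```

Only the inspector's $x$ turns the ciphertext back into a pseudonym; the verifier who receives the token sees $(e_1, e_2)$ and, through the proof on the slide, learns only that they encrypt the pseudonym inside the credential.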
Revocation of credentials

Anonymous Credential Revocation

- The issuer publishes revocation info; the verifier looks it up.
- Alice should be able to convince the verifier that her credential is among the good ones.
- Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
- Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is on the list:
- choose random $g$
- compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \cdots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
Alice proves that her $u_i$ is not on the list:
- choose random $h$ and compute $U = h^{u_i}$
- prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
- the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution

Variation: the verifier could choose $h$ and keep it fixed for a while.
- The verifier can pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
- BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
- One way out: $h = H(verifier, date)$, so the user can check correctness.
- The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
… better implementation of the proof

The issuer signs the intervals between revoked serial numbers; for the revocation list $\{1, 4, 5\}$ this gives $Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)$.
The user proves that her credential contains a serial number $u$ with $i < u < j$ and that she holds $Sig(i,j)$ (the slide's example uses $u = 3$, which falls into $Sig(1,4)$). The verifier does not learn $i$, $j$.
$Sig(i,j)$ can also be realised with the credential signature scheme, using a different public key.

Revocable Credentials: Second Solution
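The verifier-side arithmetic of the second solution and of the interval variant, as an added example that is not the talk's code: the blacklist check $U \neq h^{u_j}$, the linkability that a fixed $h$ introduces, the $h = H(verifier, date)$ way out, and the construction of the intervals the issuer signs. The zero-knowledge proof that links $U$ to the credential is not implemented; the toy safe prime 2039, the sample credential IDs, the verifier name, the date and the function names are constructed.

```python
# Added example (not from the slides): what the verifier computes in the
# blacklist ("second") solution, plus the interval list of the improved proof.
# Toy group constructed: squares mod the safe prime p = 2039 (order q = 1019).
import hashlib
import secrets

P = 2039
Q = (P - 1) // 2

def fresh_base():
    """User-chosen random h in the order-q subgroup (never 0 or 1)."""
    return pow(2 + secrets.randbelow(P - 3), 2, P)

def verifier_base(verifier, date):
    """Variation: h = H(verifier, date), reproducible by the user for checking."""
    d = hashlib.sha256(f"{verifier}|{date}".encode()).digest()
    h = pow(int.from_bytes(d, "big") % P, 2, P)
    return h if h not in (0, 1) else 4      # constructed fallback for a bad hash

def show(h, u):
    """User: U = h^u, sent together with the proof that u is in the credential."""
    return pow(h, u, P)

def not_revoked(h, U, blacklist):
    """Verifier: U must differ from h^u_j for every revoked u_j (linear work)."""
    return all(U != pow(h, u_j, P) for u_j in blacklist)

def demo():
    blacklist = {17, 23}                   # constructed revoked credential IDs
    h = fresh_base()
    passes = not_revoked(h, show(h, 42), blacklist)   # honest, unrevoked user
    fails = not_revoked(h, show(h, 23), blacklist)    # revoked user
    # fixed h: two shows by the same user are identical, hence linkable
    linkable = show(4, 42) == show(4, 42)
    # a different h per show: the same user's values differ
    unlinkable = show(4, 42) != show(9, 42)
    return passes, fails, linkable, unlinkable

# --- improved proof: issuer signs the gaps between revoked serial numbers ---
def intervals(revoked, n_max):
    """(i, j) pairs over consecutive revoked serials, with 0 and N as sentinels."""
    pts = [0] + sorted(revoked) + [n_max]
    return list(zip(pts, pts[1:]))

def interval_for(u, revoked, n_max):
    """The (i, j) with i < u < j whose Sig(i, j) the user would present;
    None means u itself is revoked and no interval covers it."""
    for i, j in intervals(revoked, n_max):
        if i < u < j:
            return (i, j)
    return None
```

With the interval list the verifier's work no longer grows with the list: it checks one signature on one interval, and the user's proof hides which interval that was.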
Revocable Credentials: Third Solution

Using cryptographic accumulators (the slide shows serial numbers 1 to 6):
- credentials contain a random serial number
- the issuer accumulates all good serial numbers
- the user proves that the serial number contained in her credential is included in the accumulator; the proof requires a witness
- to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
Revocable Credentials: Third Solution

Security of the accumulator: show $(x, e)$ s.t. $z = x^e \bmod n$ for an $e$ that is not contained in the accumulator.
- For fixed $e$: equivalent to the RSA assumption.
- Any $e$: equivalent to the Strong RSA assumption.
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
- an efficient protocol to prove that a committed value is contained in the accumulator
- a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution

Prove that your key is in the accumulator:
- Commit to $x$:
  - choose random $s$ and $g$
  - compute $U_1 = x h^s$, $U_2 = g^s$ and reveal $U_1, U_2, g$
- Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution

Analysis:
- No information about $x$ and $e$ is revealed:
  - $(U_1, U_2)$ is a secure commitment to $x$
  - the proof protocol is zero-knowledge
- The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution

Dynamic accumulator: when a new user gets a certificate containing $e_{new}$:
- Recall $z = v^{\prod e_i} \bmod n$.
- Thus $z' = z^{e_{new}} \bmod n$.
- But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$.
Revocation: Third Solution

Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked:
- Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$.
- Witness:
  - use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  - now $x' = x^{b} z'^{a} \bmod n$
  - why? $x'^{e_{own}} = \left((x^{b} z'^{a})^{e_{own}}\right)^{e_{rev}/e_{rev}} \bmod n = \left((x^{b} z'^{a})^{e_{own} e_{rev}}\right)^{1/e_{rev}} \bmod n = \left((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\right)^{1/e_{rev}} \bmod n = \left(z^{b\, e_{rev}} z^{a\, e_{own}}\right)^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
- Recall $z = v^{\prod e_i} \bmod n$.
- Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new user $x = z^{1/e_{new}} \bmod n$.
- Thus $z$ need not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
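The dynamic RSA accumulator of the third solution carried through in Python, as an added example that is not the talk's or Identity Mixer's code: accumulate, witness, verify, the public join ($z' = z^{e_{new}}$, $x' = x^{e_{new}}$), revocation with the extended-Euclid witness update from the slide before, and the improved join where the issuer uses the factorization and leaves $z$ unchanged. The toy modulus 10007 · 10009, the seed $v = 3$, the member primes and the function names are constructed; the members' primes are handled in the clear here, whereas in the credential system they stay hidden inside the proof of the previous slides.

```python
# Added example (not from the slides): a dynamic RSA accumulator with the
# witness updates described on the slides. The issuer holds the factorization
# of n, which it needs for e-th roots (revocation and the improved join).
# Toy parameters constructed for illustration only.
from math import gcd

P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)
V = 3                                   # seed v, coprime to n

def accumulate(members, v=V):
    """z = v^(prod e_i) mod n."""
    z = v
    for e in members:
        z = pow(z, e, N)
    return z

def witness(members, e_j, v=V):
    """x = v^(prod of all e_i except e_j) mod n, so that x^e_j = z."""
    return accumulate([e for e in members if e != e_j], v)

def verify(z, e, x):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z

def root(z, e):
    """Issuer only: z^(1/e) mod n via e^-1 mod phi(n)."""
    assert gcd(e, PHI) == 1
    return pow(z, pow(e, -1, PHI), N)

def add_public(z, witnesses, e_new):
    """Join without the factorization: z' = z^e_new, every old witness
    becomes x' = x^e_new, and the newcomer's witness is the old z."""
    new_w = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    new_w[e_new] = z                        # z'^(1) = z^e_new, so old z works
    return pow(z, e_new, N), new_w

def add_private(z, e_new):
    """Improved join (issuer knows phi): z stays, newcomer gets x = z^(1/e_new)."""
    return root(z, e_new)

def ext_gcd(a, b):
    """Returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t

def revoke(z, e_rev):
    """Issuer: publishes z' = z^(1/e_rev) mod n."""
    return root(z, e_rev)

def update_witness(x, z_new, e_own, e_rev):
    """Member: a*e_own + b*e_rev = 1, then x' = x^b * z'^a mod n
    (negative exponents are taken as modular inverses)."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1
    return pow(x, b, N) * pow(z_new, a, N) % N

def demo():
    members = [5, 7, 11, 13]              # constructed member primes
    z = accumulate(members)
    w = {e: witness(members, e) for e in members}
    ok_before = all(verify(z, e, w[e]) for e in members)
    # public join of 17: everybody updates
    z2, w2 = add_public(z, w, 17)
    ok_join = all(verify(z2, e, w2[e]) for e in w2)
    # revoke 11: issuer publishes z3, remaining members update
    z3 = revoke(z2, 11)
    w3 = {e: update_witness(w2[e], z3, e, 11) for e in w2 if e != 11}
    ok_after = all(verify(z3, e, w3[e]) for e in w3)
    stale = verify(z3, 11, w2[11])        # the revoked witness no longer verifies
    # improved join of 19: z3 unchanged, old witnesses untouched
    x19 = add_private(z3, 19)
    ok_improved = verify(z3, 19, x19) and all(verify(z3, e, w3[e]) for e in w3)
    return ok_before, ok_join, ok_after, stale, ok_improved
```

Note what each party needs: members update witnesses from public data only (the new $z$ and the revoked prime), while every e-th root stays with the issuer, which is exactly why the improved join costs the other members nothing.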
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute.
- No additional effort for the verifier.
- If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution

Re-issue certificates (off-line; interaction might be too expensive).
Recall issuing for Identity Mixer:
- the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$
- the issuer chooses $e, s''$ and computes $c = \left(\dfrac{d}{U\, a_3^{m_3}\, a_4^{time}\, b^{s''}}\right)^{1/e} \bmod n$, returning $(c, e, s'')$
Revocation: Zeroth Solution

Re-issue certificates (off-line; interaction might be too expensive).
Idea: just repeat the last step for each new time $time_i$:
- choose $e_i, s_i''$
- $c_i = \left(\dfrac{d}{U\, a_3^{m_3}\, a_4^{time_i}\, b^{s_i''}}\right)^{1/e_i} \bmod n$
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions

Roadmap
- Explain possibilities to engineers, policy makers, etc.
- Usable prototypes
- Provide transparency
- Public infrastructure for privacy protection
- Laws with teeth (encourage investment in privacy)

Challenges
- Internet services get paid with personal data (inverse incentive)
- End users are not able to handle their data (user interfaces)
- Security technology is typically invisible and hard to sell

Towards a secure information society
- Society changes quickly and gets shaped by technology
- Consequences are hard to grasp (time will show)
- We must inform and engage in a dialog
Thank you!

eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine
- abc4trust.eu/idemix
References

D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch, Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag.
Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, 255-276.
Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, 131-140.
copy 2014 IBM Corporation91 August 11 2015
Realizing Issuance of Credential
Recall a signature (ces) on messages m1 mkndashm1 mk Є 01ℓndashe gt 2ℓ+1 ndashd = ce a1
m1 akmk bs mod n
Problem Pseudonym not in message space
Solution Sign secret key instead
rarr d = ce a1sk a2
m2 akmk bs mod n
New Problem how can we sign a secret message
copy 2014 IBM CorporationAugust 11 2015
( mj+1 mk)
σ
ver(σ(m1 mk) ) = trueσ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same as for signatures but
bull signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
Signature Scheme: Signing Hidden Messages
[Figure: user commits to $(m_1, \ldots, m_j)$ and sends the commitment together with the clear messages $(m_{j+1}, \ldots, m_k)$ to the signer; the signer returns $\sigma = \mathrm{sig}\big((\mathrm{C}(m_1, \ldots, m_j), m_{j+1}, \ldots, m_k)\big)$, and the user ends up with $\mathrm{ver}(\sigma, (m_1, \ldots, m_k)) = \mathrm{true}$]
Verification remains unchanged. Security requirements are basically the same as for signatures, but:
• the signer should not learn any information about $m_1, \ldots, m_j$
• forgery is defined w.r.t. the clear message parts and the opening of the commitments
Realizing Issuance of Credential
Issuer public key: $n, a_i, b, d$.
1. User chooses a secret key $sk$ and random $s'$, computes the commitment $C = a_1^{sk} b^{s'} \bmod n$ and sends $(C, name)$ to the issuer.
2. User proves knowledge of the opening: $\mathrm{PK}\{(\mu_1, \sigma) : C = a_1^{\mu_1} b^{\sigma}\}$.
3. Issuer chooses $(e, s'')$, computes $c = \big(d / (C\, a_2^{name} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
4. User sets $s = s' + s''$; the credential $(c, e, s)$ satisfies $d = c^e a_1^{sk} a_2^{name} b^{s'' + s'} \pmod n$.

Realizing Issuance of Credential: want to sign w.r.t. $Nym = g^{sk} h^r$
1. User computes $Nym = g^{sk} h^r$ and $C = a_1^{sk} a_2^{r} b^{s'}$, sends $(C, Nym, name)$ and proves $\mathrm{PK}\{(\mu_1, \rho, \sigma) : Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$.
2. Issuer computes $c = \big(d / (C\, a_3^{name} b^{s''})\big)^{1/e} \bmod n$, returns $(c, e, s'')$ and stores $(Nym, name)$.
3. The credential satisfies $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$.
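The issuance protocol above, as an added example (not Identity Mixer's own code): a Python run of the user's commitment, the issuer's completion of the signature without ever seeing $sk$ or $r$, and the verification of the resulting credential. The Mersenne-prime modulus, the generators, $e = 65537$ and the name encoding are constructed toy values, and the PK proofs of the commitment openings are omitted.

```python
import random
from math import gcd

# Constructed toy parameters: two Mersenne primes give an RSA modulus whose
# factorization the issuer knows, without a prime search. Real Identity Mixer
# parameters are 2048-bit safe-prime moduli; this is for illustration only.
P_TOY, Q_TOY = 2**127 - 1, 2**61 - 1
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)   # issuer-only knowledge, needed for 1/e

# Issuer public key (n, a_1, a_2, a_3, b, d): constructed squares mod n
A1, A2, A3, B, D = (pow(x, 2, N) for x in (3, 5, 7, 11, 13))


def user_commit(sk, r):
    """User side: hide sk and the pseudonym randomness r in C = a1^sk a2^r b^s'.
    Only C leaves the user; Nym = g^sk h^r lives in a separate DL group and the
    PK linking it to C is not implemented here."""
    s1 = random.randrange(1, N)
    C = pow(A1, sk, N) * pow(A2, r, N) * pow(B, s1, N) % N
    return C, s1


def issuer_sign(C, name, e=65537):
    """Issuer side: sees only C and name, never sk or r.
    Computes c = (d / (C a3^name b^s''))^(1/e) mod n via 1/e mod phi(n)."""
    assert gcd(e, PHI) == 1, "e must be invertible modulo phi(n)"
    s2 = random.randrange(1, N)
    denom = C * pow(A3, name, N) * pow(B, s2, N) % N
    base = D * pow(denom, -1, N) % N
    c = pow(base, pow(e, -1, PHI), N)
    return c, e, s2


def verify_credential(cred, sk, r, name):
    """Check d = c^e a1^sk a2^r a3^name b^s (mod n) with s = s' + s''."""
    c, e, s = cred
    lhs = (pow(c, e, N) * pow(A1, sk, N) * pow(A2, r, N)
           * pow(A3, name, N) * pow(B, s, N)) % N
    return lhs == D


def issue(sk, r, name):
    """Full protocol run: commit, sign, combine the two randomizers."""
    C, s1 = user_commit(sk, r)
    c, e, s2 = issuer_sign(C, name)
    return (c, e, s1 + s2)


def demo():
    sk = random.getrandbits(160)            # user's credential secret key
    r = random.getrandbits(160)             # randomness of Nym = g^sk h^r
    name = int.from_bytes(b"alice", "big")  # attribute signed in the clear
    cred = issue(sk, r, name)
    # the credential verifies for the committed sk and for no other
    return (verify_credential(cred, sk, r, name),
            verify_credential(cred, sk + 1, r, name))
```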
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
• A user can voice an opinion only once (subsequent attempts are dropped).
• Users want to be anonymous: a user's opinions in different polls must not be linkable.
Polling – Solution: Registration
• User generates a pseudonym (ID for registration).
• User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$ under the issuer key $(n, a_1, a_2, a_3, b, d)$.
• The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for domain = pollID.
2. User transforms the credential.
3. User sends the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{\,sk} = H(pollID)^{sk}$. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms the credential:
– $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$
– $\mathrm{SPK}\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma) : P = g_d^{\,\mu_1} \wedge d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(\text{opinion})$
Further Concepts
Concept – Inspection
[Figure: user, verifier and a TTP (the inspector) with its inspector parameters and inspection grounds]
• If the car is damaged, the ID must be retrievable by the insurance or the government.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
[Figure: key generation, encryption under the public key, decryption with the secret key]

Security: Like Envelopes
• No information about the message leaks from the ciphertext: given an encryption of one of two messages, one cannot tell which of the two it is.
• This is called semantic security (secure if used once only or within a careful construction).
Verifiable Encryption with Label
• The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
• Security definition: a change of the label yields a new ciphertext.
Verifiable Encryption
• Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption.
• Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL).
• Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme but is much less efficient.
Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key $x \in \{1, \ldots, q\}$; public key $y = g^x$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$
– compute $c = (y^r m, g^r)$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^r m, g^r) = (g^{xr} m, g^r)$
– thus set $m = c_1 \cdot c_2^{-x} = y^r m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
Setting: the user holds $Nym = g^{sk} h^r$ and a credential $(c, e, s)$ with $d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u Nym, g^u) = (e_1, e_2)$.
Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof $\mathrm{PK}\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma) : d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$
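The domain pseudonym of the polling scenario and the ElGamal encryption of $Nym$ for the inspector share one prime-order group, so this added example (not from the slides or Identity Mixer) covers both: the pollster's duplicate detection on $P = H(pollID)^{sk}$ and the inspector's decryption followed by the $(Nym, name)$ lookup. The 64-bit safe-prime group, the hash-to-group mapping, the registry and the poll names are constructed assumptions; the credential proof tokens are omitted.

```python
import hashlib
import random

# Miller-Rabin is exact with these bases for n < 3.3e24, which covers the
# ~2^64 group built below. Toy size: DDH needs 2048-bit-class groups in practice.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start=2**63):
    """Constructed group: p = 2q + 1 with q the first prime >= start such that p
    is prime too; the squares mod p form the subgroup of prime order q."""
    q = start + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # g = 2^2 is a square, hence of order q


def hash_to_group(label, p):
    """H(label): hash to an integer, then square to land in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % p
    assert h not in (0, 1, p - 1)
    return pow(h, 2, p)


def domain_pseudonym(sk, poll_id, p):
    """P = H(pollID)^sk: fixed within one poll, unrelated across polls (DDH)."""
    return pow(hash_to_group("poll:" + poll_id, p), sk, p)


def collect_opinions(submissions):
    """Pollster: keep the first opinion per domain pseudonym, drop repeats."""
    seen, accepted, dropped = set(), [], 0
    for pseud, opinion in submissions:
        if pseud in seen:
            dropped += 1
        else:
            seen.add(pseud)
            accepted.append(opinion)
    return accepted, dropped


def elgamal_keygen(p, q, g):
    x = random.randrange(1, q)
    return x, pow(g, x, p)


def encrypt_nym(nym, y, p, q, g):
    """enc = (y^u * Nym, g^u) = (e1, e2) for random u."""
    u = random.randrange(1, q)
    return pow(y, u, p) * nym % p, pow(g, u, p)


def inspect(enc, x, p, q, registry):
    """Inspector: Nym = e1 * e2^(-x); e2 has order q, so e2^(q-x) = e2^(-x)."""
    e1, e2 = enc
    nym = e1 * pow(e2, q - x, p) % p
    return registry.get(nym)


def demo():
    p, q, g = safe_prime_group()
    h = hash_to_group("second base h", p)      # nobody knows log_g h
    sk, r = random.randrange(1, q), random.randrange(1, q)
    nym = pow(g, sk, p) * pow(h, r, p) % p
    registry = {nym: "alice"}                  # issuer's stored (Nym, name)
    p1 = domain_pseudonym(sk, "course-eval", p)
    p2 = domain_pseudonym(sk, "library-survey", p)
    other = domain_pseudonym(random.randrange(1, q), "course-eval", p)
    # alice's second opinion in the same poll is dropped, another user's is kept
    accepted, dropped = collect_opinions([(p1, "good"), (other, "fair"), (p1, "great")])
    x, y = elgamal_keygen(p, q, g)
    name = inspect(encrypt_nym(nym, y, p, q, g), x, p, q, registry)
    return accepted, dropped, p1 != p2, name
```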
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation info; the verifier looks it up]
• Various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user.
• Alice should be able to convince the verifier that her credential is among the good ones.
• Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
• Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
• Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
• Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$
– prove $\mathrm{PK}\{(\varepsilon, \mu, \rho, \sigma) : (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$
• Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
• Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} \pmod n$.
• Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
• Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $\mathrm{PK}\{(\varepsilon, \mu, \rho, \sigma) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$
– the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
• Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
• What happens if we make the list of all valid $u_i$'s public?
• If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
• Can pre-compute the list $U_i = h^{u_i}$ → a single table lookup.
• BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(verifier, date)$, so the user can check correctness.
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – … better implementation of the proof
[Figure: number line with the revoked values 1, 4, 5 and the user's value 3; signed intervals $\mathrm{Sig}(0,1)$, $\mathrm{Sig}(1,4)$, $\mathrm{Sig}(4,5)$, $\mathrm{Sig}(5,N)$]
• Issuer signs the intervals between revoked values → revocation list $\{1, 4, 5\}$.
• Credential contains the value $u$; the user proves $i < u < j$ and knowledge of $\mathrm{Sig}(i, j)$.
• Verifier does not learn $i, j$.
• $\mathrm{Sig}(i,j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: accumulator containing the serial numbers 1, 2, 3, 4, 5, 6; the user proves that 2 is included in it]
• Credentials contain a random serial number.
• Issuer accumulates all good serial numbers.
• The proof that a serial number is included requires a witness.
• To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it is hard to show an $x$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption.
– For any $e$: equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
$\mathrm{PK}\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \;\Rightarrow\; \xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
• use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• now $x' = x^{b} z'^{a} \bmod n$
• why? $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\big)^{1/e_{rev}} = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and hand out $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins.
– Witnesses need to be recomputed upon revocation only.
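The accumulator operations of the third solution, as an added example (not from the slides or the Camenisch-Lysyanskaya paper): accumulate, witness, verify, a join with the $x^{e_{new}}$ witness update, a revocation with the extended-Euclid witness update $x' = x^b z'^a$, and the trapdoor join that leaves $z$ unchanged. The Mersenne-prime modulus, the seed and the credential primes are constructed toy values.

```python
from math import gcd

# Constructed toy modulus from two Mersenne primes so the issuer's knowledge of
# phi(n) needs no prime search; real accumulators use 2048-bit-class RSA moduli.
P_TOY, Q_TOY = 2**127 - 1, 2**61 - 1
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)   # issuer-only trapdoor
V = pow(17, 2, N)                 # constructed seed v


def is_prime_small(e):
    """Trial division; enough for the constructed 17-bit credential primes."""
    return e > 1 and all(e % k for k in range(2, int(e ** 0.5) + 1))


def accumulate(primes):
    """z = v^(prod e_i) mod n."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x = v^(prod_{i != j} e_i) mod n, so that x^e_j = z."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    return pow(x, e, N) == z


def ext_euclid(a, b):
    """Return (s, t) with s*a + t*b = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - qt * s1
        t0, t1 = t1, t0 - qt * t1
    return s0, t0


def mod_pow(base, k):
    """pow mod N with a possibly negative exponent (inverse for k < 0)."""
    return pow(base, k, N) if k >= 0 else pow(pow(base, -1, N), -k, N)


def add_member(z, witnesses, e_new):
    """Join without the trapdoor: z' = z^e_new and every x' = x^e_new;
    the newcomer's witness is the old z itself."""
    new_wit = {e: pow(x, e_new, N) for e, x in witnesses.items()}
    new_wit[e_new] = z
    return pow(z, e_new, N), new_wit


def revoke_member(z, witnesses, e_rev):
    """Issuer removes e_rev: z' = z^(1/e_rev) using phi(n); each remaining
    member updates x' = x^b z'^a with a*e_own + b*e_rev = 1 (ext. Euclid)."""
    z_new = pow(z, pow(e_rev, -1, PHI), N)
    new_wit = {}
    for e_own, x in witnesses.items():
        if e_own != e_rev:
            a, b = ext_euclid(e_own, e_rev)
            new_wit[e_own] = mod_pow(x, b) * mod_pow(z_new, a) % N
    return z_new, new_wit


def join_with_trapdoor(z, e_new):
    """Improved join: issuer hands out x = z^(1/e_new) and z stays unchanged."""
    return pow(z, pow(e_new, -1, PHI), N)


def demo():
    primes = [65537, 65539, 65543, 65551]   # constructed credential primes
    assert all(is_prime_small(e) and gcd(e, PHI) == 1 for e in primes + [65557, 65563])
    z = accumulate(primes)
    wit = {e: witness(primes, e) for e in primes}
    all_ok = all(verify(z, wit[e], e) for e in primes)
    # join: a stale witness fails against the new z until it is updated
    z2, wit2 = add_member(z, wit, 65557)
    stale = verify(z2, wit[65537], 65537)
    join_ok = all(verify(z2, x, e) for e, x in wit2.items())
    # revocation of 65539: its witness is dead, the others verify after update
    z3, wit3 = revoke_member(z2, wit2, 65539)
    revoked = verify(z3, wit2[65539], 65539)
    rest_ok = all(verify(z3, x, e) for e, x in wit3.items())
    # improved join: the issuer derives the witness from the unchanged z3
    new_ok = verify(z3, join_with_trapdoor(z3, 65563), 65563)
    return all_ok, stale, join_ok, revoked, rest_ok, new_ok
```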
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
• No additional effort for the verifier.
• If the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s'}$; the issuer chooses $(e, s'')$, computes $c = \big(d / (U a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$ and returns $(c, e, s'')$.
Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time $time_i$: choose $(e_i, s_i'')$ and compute $c_i = \big(d / (U a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$.
The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, Lecture Notes in Computer Science. Springer-Verlag.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science. Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
copy 2014 IBM CorporationAugust 11 2015
C = a1sk bs
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
C name
Realizing Issuance of Credential
n ai b d
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J. Camenisch, A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
J. Camenisch, V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Realizing Issuance of Credential
Issuer's public key: $(n, a_i, b, d)$. The user holds a secret key $sk$ and wants a credential on $sk$ and her name.
– User: choose random $s'$, compute $C = a_1^{sk} b^{s'} \bmod n$, and send $C$ and her name to the issuer together with the proof $PK\{(\mu_1, \sigma): C = a_1^{\mu_1} b^{\sigma}\}$.
– Issuer: choose a prime $e$ and random $s''$, compute $c = (d / (C \cdot a_2^{name} \cdot b^{s''}))^{1/e} \bmod n$, and return $(c, e, s'')$.
– User: the credential is $(c, e, s' + s'')$ and satisfies $d = c^e \, a_1^{sk} \, a_2^{name} \, b^{s'' + s'} \pmod n$.
Realizing Issuance of Credential (with a pseudonym)
Now the issuer wants to sign with respect to the pseudonym $Nym = g^{sk} h^{r}$ under which the user is known.
– User: compute $C = a_1^{sk} a_2^{r} b^{s'}$ and send $C$, $Nym$ and her name together with $PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^{\rho} \wedge C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$.
– Issuer: store $(Nym, name)$, choose a prime $e$ and random $s''$, compute $c = (d / (C \cdot a_3^{name} \cdot b^{s''}))^{1/e} \bmod n$, and return $(c, e, s'')$.
– User: the credential satisfies $d = c^e \, a_1^{sk} \, a_2^{r} \, a_3^{name} \, b^{s'' + s'} \pmod n$.
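The blinded issuance just described, as an added Python example that is not part of the slides or of the Identity Mixer code: the user commits to $sk$ and $r$, the issuer takes the $e$-th root with its knowledge of $\varphi(n)$, and the final credential equation is checked. The toy modulus, the base values and all function names are this example's own assumptions, and the zero-knowledge proof $PK$ that accompanies $C$ is assumed to have been verified rather than implemented.

```python
# Added example (not from the slides): blinded issuance of a CL / Identity-Mixer-style
# credential on a pseudonym Nym = g^sk h^r, following the slide's equations.
# Toy parameters: n = 53 * 61 is far too small to be secure and is used only so the
# arithmetic is easy to follow; all names below are this example's own choices.
import secrets

P, Q = 53, 61                 # toy RSA primes known only to the issuer (INSECURE size)
N = P * Q                     # issuer modulus n
PHI = (P - 1) * (Q - 1)       # phi(n): lets the issuer take e-th roots mod n
# Issuer bases a1, a2, a3, b, d: squares mod n, so they lie in QR_n as in the real scheme
A1, A2, A3, B, D = 4, 9, 25, 49, 121
# Pseudonym bases g, h (also squares); the user registers Nym = g^sk h^r under her name
G, H = 36, 64

def user_commit(sk, r):
    """User, step 1: Nym = g^sk h^r and blinded commitment C = a1^sk a2^r b^s'.
    The slide sends C together with PK{(mu1, rho, sigma): Nym = g^mu1 h^rho and
    C = a1^mu1 a2^rho b^sigma}; the proof is omitted here (assumed verified)."""
    s_prime = secrets.randbelow(N)      # user's blinding s'
    nym = (pow(G, sk, N) * pow(H, r, N)) % N
    c_commit = (pow(A1, sk, N) * pow(A2, r, N) * pow(B, s_prime, N)) % N
    return nym, c_commit, s_prime

def issuer_sign(c_commit, name, e):
    """Issuer, step 2: c = (d / (C * a3^name * b^s''))^(1/e) mod n; returns (c, e, s'')."""
    assert e > 2 and PHI % e != 0, "e is assumed prime and must not divide phi(n)"
    s_double = secrets.randbelow(N)     # issuer's share s''
    base = (c_commit * pow(A3, name, N) * pow(B, s_double, N)) % N
    inner = (D * pow(base, -1, N)) % N  # d / (C a3^name b^s'')
    e_inv = pow(e, -1, PHI)             # 1/e mod phi(n): only the issuer can compute this
    c = pow(inner, e_inv, N)            # c^e == inner (mod n)
    return c, e, s_double

def credential_valid(c, e, s, sk, r, name):
    """Step 3 / verifier check: d == c^e a1^sk a2^r a3^name b^s (mod n), s = s' + s''."""
    lhs = (pow(c, e, N) * pow(A1, sk, N) * pow(A2, r, N)
           * pow(A3, name, N) * pow(B, s, N)) % N
    return lhs == D

def issue_credential(sk, r, name, e=17):
    """Full run of the protocol; returns ((c, e, s), Nym)."""
    nym, c_commit, s_prime = user_commit(sk, r)
    c, e, s_double = issuer_sign(c_commit, name, e)
    return (c, e, s_prime + s_double), nym
```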
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
– Only registered users (e.g., students who took a course) can voice an opinion (e.g., a course evaluation).
– A user can voice an opinion only once (subsequent attempts are dropped).
– Users want to be anonymous: a user's opinions in different polls must not be linkable.
Polling – Solution: Registration
– User generates a pseudonym (the ID under which she registers).
– User obtains a credential $(c, e, s)$ on the pseudonym stating that she is eligible for polls, i.e., $d = c^e \, a_1^{sk} \, a_2^{r} \, a_3^{attr} \, b^{s} \pmod n$ under the issuer's public key $(n, a_i, b, d)$.
– The credential can contain attributes (e.g., the course ID) about her.
Polling – Solution: Submit Poll
1. User generates a domain pseudonym for the domain = pollID.
2. User transforms the credential.
3. User shows the transformed credential with a subset of the attributes.
– The user is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms the credential: $c' = c \cdot b^{s'} \bmod n$ with randomly chosen $s'$, and signs her opinion with the signature proof of knowledge
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \wedge d = c'^{\varepsilon} \, a_1^{\mu_1} \, a_2^{\mu_2} \, a_3^{\mu_3} \, b^{\sigma} \pmod n \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}(opinion)$.
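Domain pseudonyms for the polling scenario, as an added Python example that is not part of the slides: $P = H(pollID)^{sk}$ lets the pollster drop a second opinion from the same user, and the block also shows why $H$ must map to a group element whose discrete logarithm to $g$ is unknown (with $H(pollID) = g^{k}$ for a public $k$, pseudonyms in two polls become linkable without any secret). The toy group ($p = 1019$, $q = 509$), the try-and-increment hashing, and the names `hash_to_group`, `domain_pseudonym`, `Pollster` and `naive_link` are this example's own assumptions; the credential proof $SPK$ is assumed to have been checked separately.

```python
# Added example (not from the slides): domain pseudonyms P = H(pollID)^sk for the polling
# scenario, plus the hash-to-group pitfall. Toy group: the order-q subgroup of quadratic
# residues in Z_p^* with p = 2q + 1 (INSECURE size). All names are this example's own.
import hashlib

P = 1019                 # safe prime p = 2q + 1
Q = 509                  # prime order of the subgroup of quadratic residues
G = 4                    # generator of that subgroup (a square, not 1)

def hash_to_group(domain):
    """Map the pollID to a subgroup element whose discrete log to base g is unknown:
    hash into Z_p, square to land in QR_p, retry on the degenerate outputs 0 and 1.
    (Try-and-increment; real deployments use a standardised hash-to-group.)"""
    for counter in range(256):
        digest = hashlib.sha256(f"{domain}|{counter}".encode()).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h not in (0, 1):           # 0 and 1 do not have order q; skip them
            return h
    raise RuntimeError("hash_to_group failed")   # unreachable in practice

def domain_pseudonym(domain, sk):
    """P = H(pollID)^sk: same user + same poll -> same P, so a repeat is detected."""
    return pow(hash_to_group(domain), sk, P)

class Pollster:
    """Verifier side: one opinion per domain pseudonym, no identifying data kept."""
    def __init__(self, poll_id):
        self.poll_id = poll_id
        self.seen = {}

    def submit(self, pseudonym, opinion):
        # The SPK (credential proof + proof that P = H(pollID)^sk) is assumed to have
        # been verified already; only the uniqueness check is shown here.
        if pseudonym in self.seen:
            return False              # subsequent attempts are dropped
        self.seen[pseudonym] = opinion
        return True

# --- The pitfall: H(pollID) = g^(hash(pollID)) makes pseudonyms linkable across polls ---
def naive_hash_exponent(domain):
    """Public exponent k_domain derived from the pollID alone."""
    return int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % Q or 1

def naive_domain_pseudonym(domain, sk):
    """WRONG construction: P = g^(k_domain * sk) with a public k_domain."""
    return pow(G, naive_hash_exponent(domain) * sk, P)

def naive_link(p_in_poll1, poll1, poll2):
    """With the wrong construction anyone maps a user's pseudonym in poll1 to her
    pseudonym in poll2: P2 = P1^(k2 / k1 mod q). No secret key is needed, so the
    cross-poll unlinkability the scenario requires is lost."""
    k1, k2 = naive_hash_exponent(poll1), naive_hash_exponent(poll2)
    return pow(p_in_poll1, (k2 * pow(k1, -1, Q)) % Q, P)
```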
Further Concepts
Concept – Inspection
(Figure: user, verifier and a trusted third party (TTP, the inspector); the inspector parameters and the inspection grounds are part of the presentation policy.)
• If the car is damaged, the ID needs to be retrievable by the insurance or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
(Figure: key generation, encryption, decryption.)
Security
(Figure: ciphertexts are like envelopes, holding one message or another.)
A ciphertext reveals no information about the message. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption: e.g., it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch–Shoup (SRSA), based on Paillier encryption.
– Of pseudonyms (group elements): Cramer–Shoup (DL) or, rarely, ElGamal (DL).
– Otherwise (any secret for which a ZKPK exists): Camenisch–Damgård works for any scheme but is much less efficient.
Open problem: find new ones.
ElGamal Encryption Scheme
– Group $G = \langle g \rangle$ of order $q$.
– Secret key: $x \in \{1, \ldots, q\}$. Public key: $y = g^x$.
– To encrypt a message $m \in \langle g \rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^r m, \; g^r)$.
– To decrypt a ciphertext $c = (c_1, c_2)$: we know $c = (y^r m, \; g^r) = (g^{xr} m, \; g^r)$, thus set $m = c_1 \cdot c_2^{-x} = y^r m \, g^{-xr} = y^{r-r} m = m$.
Realizing Inspection
Setting: the user has the pseudonym $Nym = g^{sk} h^{r}$ and the credential $d = c^e \, a_1^{sk} \, a_2^{r} \, a_3^{name} \, b^{s'' + s'} \pmod n$; the inspector's public key is $y = g^x$.
– Encrypt $Nym$: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^u \cdot Nym, \; g^u) = (e_1, e_2)$.
– Compute the proof token (presentation token): compute $c' = c \cdot b^{t} \bmod n$ with randomly chosen $t$, then compute the proof
$PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon} \, a_1^{\mu_1} \, a_2^{\mu_2} \, a_3^{\mu_3} \, b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$.
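The encryption step of inspection, as an added Python example that is not part of the slides: ElGamal in the toy group of the previous slide, applied to $Nym = g^{sk} h^{r}$ exactly as $(e_1, e_2) = (y^u \cdot Nym, g^u)$, with an off-line inspector that decrypts only when the inspection grounds are met and looks the pseudonym up in the table the issuer stored at registration. Group parameters, the `Inspector` class and the registry format are this example's own assumptions; the proof that ties $(e_1, e_2)$ to the credential is assumed to be verified separately.

```python
# Added example (not from the slides): ElGamal encryption of a pseudonym for inspection.
# The inspector (TTP) holds x; the verifier stores (e1, e2) together with the inspection
# grounds; only the inspector can recover Nym and map it to the registered name.
# Toy parameters (INSECURE size); class and function names are this example's own.
P = 1019          # safe prime, p = 2q + 1
Q = 509           # order of the QR subgroup <g>
G, H = 4, 9       # generators of <g> (squares, != 1); Nym = g^sk h^r as on the slide

def keygen(x):
    """Inspector key pair: secret x in {1..q}, public y = g^x."""
    return x, pow(G, x, P)

def pseudonym(sk, r):
    """The user's registered pseudonym Nym = g^sk h^r."""
    return (pow(G, sk, P) * pow(H, r, P)) % P

def encrypt_nym(y, nym, u):
    """(e1, e2) = (y^u * Nym, g^u); u is fresh randomness in {1..q}."""
    return (pow(y, u, P) * nym) % P, pow(G, u, P)

def decrypt(x, enc):
    """Nym = e1 * e2^(-x): e2^(-x) = g^(-ux) = y^(-u) removes the mask."""
    e1, e2 = enc
    return (e1 * pow(e2, -x, P)) % P

class Inspector:
    """Off-line TTP. The registry is the issuer's (Nym -> name) table from registration;
    decryption happens only when the agreed inspection grounds are satisfied."""
    def __init__(self, x, registry):
        self.x = x
        self.registry = registry

    def inspect(self, token, grounds_met):
        # token = {"enc": (e1, e2), "grounds": "..."} as stored by the verifier; the
        # presentation proof binding enc to the credential is assumed already verified.
        if not grounds_met:
            return None                  # e.g. the car was not damaged: no identity released
        nym = decrypt(self.x, token["enc"])
        return self.registry.get(nym)    # None if the pseudonym was never registered
```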
Revocation of Credentials
Anonymous Credential Revocation
(Figure: the issuer publishes revocation information; the verifier looks it up.)
There are various reasons to revoke a credential: the user lost the credential's secret key, misbehavior of the user, ...
Alice should be able to convince the verifier that her credential is among the good ones.
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
– Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^e \, a_1^{sk} \, a_2^{u_i} \, b^{s'' + s'} \pmod n$.
– Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
– Alice proves that her $u_i$ is on the list:
  – choose random $g$;
  – compute $U_j = g^{u_j}$ for all $u_j$ in $(u_1, \ldots, u_k)$;
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} \, a_1^{\rho} \, a_2^{\mu} \, b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} \, a_1^{\rho} \, a_2^{\mu} \, b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$.
– Not very efficient, i.e., linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
– Include into the credential some credential ID $u_i$ as a message, e.g., $d = c^e \, a_1^{sk} \, a_2^{u_i} \, b^{s'' + s'} \pmod n$.
– Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
– Alice proves that her $u_i$ is not on the list:
  – choose random $h$ and compute $U = h^{u_i}$;
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} \, a_1^{\rho} \, a_2^{\mu} \, b^{\sigma} \pmod n \wedge U = h^{\mu}\}$;
  – the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list.
– Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
– What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution (variation)
– Variation: the verifier could choose $h$ and keep it fixed for a while.
  – Can pre-compute the list $U_i = h^{u_i}$ → single table lookup.
  – BUT: if the user comes again, the verifier can link her. ALSO: the verifier might not change $h$ at all, or might use the same $h$ as other verifiers.
  – One way out: $h = H(verifier, date)$, so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them.
Revocable Credentials: Second Solution – a better implementation of the proof
(Figure: revocation list {1, 4, 5}; issuer signs the intervals $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$; a credential containing 3.)
– The issuer signs the intervals between revoked IDs.
– A user whose credential contains $u$ (here 3) proves that it contains a value $u$ with $i < u < j$ and that she knows $Sig(i, j)$; the verifier does not learn $i, j$.
– $Sig(i, j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – using cryptographic accumulators
(Figure: an accumulator containing the serial numbers 1, 2, 3, 4, 5, 6; a credential containing 2 and a proof that 2 is included in the accumulator.)
– Credentials contain a random serial number; the issuer accumulates all good serial numbers.
– The proof that a credential's serial number is included in the accumulator requires a witness.
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
– Accumulate:
  – values are primes $e_i$;
  – accumulator value $z = v^{\prod e_i} \bmod n$;
  – publish $z$ and $n$;
  – the witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$.
– Show that your value $e$ is contained in the accumulator: provide $x$ for $e$; the verifier checks $z = x^{e} \bmod n$.
Revocable Credentials: Third Solution
Security of the accumulator: show $(x, e)$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption.
– For any $e$: equivalent to the Strong RSA assumption.
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator;
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go.
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x \, h^{s}$ and $U_2 = g^{s}$, and reveal $U_1, U_2, g$.
– Run the proof protocol with the verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} \, a_1^{\rho} \, a_2^{\mu} \, b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$.
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ ⇒ $\xi = \delta \mu$;
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$;
  c) $d = c^{\varepsilon} \, a_1^{\rho} \, a_2^{\mu} \, b^{\sigma} \pmod n$.
Revocation: Third Solution
Dynamic accumulator. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$;
– thus $z' = z^{e_{new}} \bmod n$;
– but then all witnesses are no longer valid, i.e., they need to be updated: $x' = x^{e_{new}} \bmod n$.
Revocation: Third Solution
Dynamic accumulator. When a certificate containing $e_{rev}$ is revoked:
– now $z' = v^{\prod' e_i} = z^{1/e_{rev}} \bmod n$;
– witness:
  • use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a \, e_{own} + b \, e_{rev} = 1$;
  • now $x' = x^{b} \, z'^{a} \bmod n$;
  • why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b \, e_{rev}} (z'^{e_{rev}})^{a \, e_{own}})^{1/e_{rev}} \bmod n = (z^{b \, e_{rev}} z^{a \, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– recall $z = v^{\prod e_i} \bmod n$;
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$;
– thus $z$ need not be changed when a new member joins.
Witnesses need to be recomputed upon revocation only.
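The RSA accumulator of the third solution, as an added Python example that is not part of the slides or of any Camenisch–Lysyanskaya implementation, carried through all the steps above: accumulation, witness computation and membership check, the public witness update $x' = x^{e_{new}}$ when a value joins, the extended-Euclid update $x' = x^{b} z'^{a}$ when a value is revoked, and the improved variant in which an issuer who knows $\varphi(n)$ hands a newcomer $x = z^{1/e_{new}}$ without changing $z$. The toy modulus, seed and function names are this example's own assumptions; the zero-knowledge membership proof is not implemented, only the witness the verifier would check.

```python
# Added example (not from the slides): RSA accumulator with dynamic add/revoke updates.
# Toy modulus n = 53 * 61 (INSECURE size). Accumulated values must be distinct primes that
# do not divide phi(n). All names below are this example's own.
from math import gcd

P_, Q_ = 53, 61
N = P_ * Q_                      # accumulator modulus n, public
PHI = (P_ - 1) * (Q_ - 1)        # known to the issuer only
V = 4                            # seed v (a square mod n)

def accumulate(primes):
    """z = v^(prod e_i) mod n."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z

def witness(primes, e_j):
    """x = v^(product of all e_i except e_j) mod n, so that z == x^e_j."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x

def verify(z, x, e):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, N) == z

def add_update(z, x, e_new):
    """Public update when e_new joins: z' = z^e_new, and every holder sets x' = x^e_new."""
    return pow(z, e_new, N), pow(x, e_new, N)

def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t

def revoke_update(z_new, x, e_own, e_rev):
    """Holder-side update after e_rev was removed and z_new = z^(1/e_rev) was published:
    find a, b with a*e_own + b*e_rev = 1, then x' = x^b * z_new^a mod n.
    (A negative exponent in pow() means the modular inverse.)"""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "accumulated values must be distinct primes"
    return (pow(x, b, N) * pow(z_new, a, N)) % N

def issuer_root(value, e):
    """Issuer-only e-th root mod n using phi(n); used for z^(1/e_rev) and z^(1/e_new)."""
    assert gcd(e, PHI) == 1
    return pow(value, pow(e, -1, PHI), N)

def issuer_revoke(z, e_rev):
    """Issuer publishes z' = z^(1/e_rev) when e_rev is revoked."""
    return issuer_root(z, e_rev)

def improved_add_witness(z, e_new):
    """Improved variant: z stays unchanged and the newcomer receives x = z^(1/e_new)."""
    return issuer_root(z, e_new)
```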
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier: if the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution
Re-issue certificates (off-line: interaction might be too expensive). Recall issuing for Identity Mixer:
– user sends $U = a_1^{m_1} \, a_2^{m_2} \, b^{s'}$;
– issuer chooses $e, s''$ and computes $c = (d / (U \cdot a_3^{m_3} \, a_4^{time} \, b^{s''}))^{1/e} \bmod n$;
– issuer returns $(c, e, s'')$.
Revocation: Zeroth Solution
Re-issue certificates (off-line: interaction might be too expensive).
– Idea: just repeat the last step for each new time period $time_i$: choose $e_i, s_i''$ and compute $c_i = (d / (U \cdot a_3^{m_3} \, a_4^{time_i} \, b^{s_i''}))^{1/e_i} \bmod n$.
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, J. van de Graaf. An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid Demonstration of Linear Relations Connected by Boolean Operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch, Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS, Springer-Verlag.
Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious Transfer with Access Control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology 16(3), pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
J. Camenisch, A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
J. Camenisch, V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
Realizing Issuance of Credential
(cesrdquo)
n ai b d
C name
c = (dC a2name bsrdquo)1e mod n
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
d = ce a1sk a2
name bsrdquo + s (mod n)
PK(micro1 σ
) C =
a 1micro1 b
σ
C = a1sk bs
(cesrdquo)
c = (dC a2
name bsrdquo)1e mod n
Realizing Issuance of Credential
n ai b d
C name
Realizing Issuance of Credential
Issuer's public key: $n, a_i, b, d$. Want to sign w.r.t. $Nym = g^{sk} h^{r}$.
User: $Nym = g^{sk} h^{r}$, $C = a_1^{sk} a_2^{r} b^{s}$; sends $C$, $Nym$ and name to the issuer, with proof
$PK\{(\mu_1, \rho, \sigma): Nym = g^{\mu_1} h^{\rho} \;\wedge\; C = a_1^{\mu_1} a_2^{\rho} b^{\sigma}\}$
Issuer: stores $(Nym, name)$; computes $c = (d / (C\, a_3^{name}\, b^{s''}))^{1/e} \bmod n$, returns $(c, e, s'')$
Credential: $d = c^e\, a_1^{sk}\, a_2^{r}\, a_3^{name}\, b^{s'' + s} \pmod n$
© 2013 IBM Corporation, October 28, 2014
An Example Scenario
Polling: Scenario and Requirements
Scenario: pollster(s) and a number of users.
• Only registered users (e.g. students who took a course) can voice an opinion (e.g. a course evaluation).
• A user can voice an opinion only once (subsequent attempts are dropped).
• Users want to be anonymous; a user's opinions in different polls must not be linkable.
Polling – Solution: Registration
Issuer's public key: $(n, a_1, a_2, b, d)$
• User generates a pseudonym (ID for registration).
• User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with $d = c^e\, a_1^{sk}\, a_2^{r}\, a_3^{attr}\, b^{s} \pmod n$.
• The credential can contain attributes (e.g. course ID) about her.
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID.
2. User transforms the credential.
3. Transformed credential with a subset of the attributes:
– User is anonymous and unlinkable.
– Multiple opinions are detected because of the uniqueness of the domain pseudonym.
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$. $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption).
2. User transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and computes
$SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma): P = g_d^{\mu_1} \;\wedge\; d = c'^{\varepsilon}\, a_1^{\mu_1}\, a_2^{\mu_2}\, a_3^{\mu_3}\, b^{\sigma} \pmod n \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \;\wedge\; \varepsilon > 2^{\ell+1}\}(opinion)$
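The polling flow above, as an added example (not code from the slides or from Identity Mixer): domain pseudonyms $P = H(pollID)^{sk}$ in a prime-order subgroup, the signature of knowledge $SPK\{(\mu): P = g_d^{\mu}\}(opinion)$ as a Fiat-Shamir Schnorr proof, and the pollster's duplicate detection. The group parameters, the secret keys, the poll IDs and the omission of the credential conjunct of the SPK are assumptions of this example.

```python
import hashlib
import secrets

# Group parameters are constructed at import: p = 2q + 1 is a safe prime, so the quadratic
# residues mod p form a subgroup of prime order q (48-bit here: a toy size, chosen deterministically).
_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23)   # Miller-Rabin bases, deterministic for n < 3.8e18

def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    if any(n % w == 0 for w in _WITNESSES):
        return n in _WITNESSES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for w in _WITNESSES:
        x = pow(w, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_from(start: int) -> tuple:
    """First q >= start with q and 2q + 1 prime; returns (p, q)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P_MOD, Q_ORD = _safe_prime_from(1 << 47)

def hash_to_int(*parts: str) -> int:
    """H(...): SHA-256 over the '|'-joined parts, read as a big integer."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest(), "big")

def domain_generator(poll_id: str) -> int:
    """g_d = H(pollID) mapped into the order-q subgroup: squaring mod p yields a
    quadratic residue; the identity is skipped since it would not generate anything."""
    counter = 0
    while True:
        g_d = pow(hash_to_int(poll_id, str(counter)) % P_MOD, 2, P_MOD)
        if g_d != 1:
            return g_d
        counter += 1

def domain_pseudonym(sk: int, poll_id: str) -> int:
    """P = H(pollID)^sk mod p: fixed per (user, poll), unlinkable across polls."""
    return pow(domain_generator(poll_id), sk, P_MOD)

def spk_sign(sk: int, poll_id: str, opinion: str) -> tuple:
    """SPK{(mu): P = g_d^mu}(opinion): Schnorr signature of knowledge of sk on the opinion.
    The slides' SPK also binds the transformed credential (c', e, s); that conjunct is omitted."""
    g_d = domain_generator(poll_id)
    P = pow(g_d, sk, P_MOD)
    k = secrets.randbelow(Q_ORD - 1) + 1
    t = pow(g_d, k, P_MOD)
    c = hash_to_int(str(g_d), str(P), str(t), opinion)   # unreduced 256-bit challenge
    return P, c, (k - c * sk) % Q_ORD

def spk_verify(poll_id: str, opinion: str, P: int, c: int, s: int) -> bool:
    """Recompute t = g_d^s * P^c and check that it hashes back to c."""
    g_d = domain_generator(poll_id)
    t = pow(g_d, s, P_MOD) * pow(P, c, P_MOD) % P_MOD
    return c == hash_to_int(str(g_d), str(P), str(t), opinion)

def submit(seen: dict, poll_id: str, opinion: str, P: int, c: int, s: int) -> bool:
    """Pollster side: verify the token, then count one opinion per pseudonym and poll;
    a repeated P in the same poll is a second opinion from the same user and is dropped."""
    if not spk_verify(poll_id, opinion, P, c, s) or P in seen.setdefault(poll_id, {}):
        return False
    seen[poll_id][P] = opinion
    return True

def demo() -> dict:
    """Alice votes twice in course-101 (second dropped), Bob once; Alice's pseudonyms in
    course-101 and course-202 cannot be linked. Secret keys are constructed values."""
    seen, alice, bob = {}, 123456789, 987654321
    out = {
        "alice_first": submit(seen, "course-101", "good", *spk_sign(alice, "course-101", "good")),
        "alice_again": submit(seen, "course-101", "great", *spk_sign(alice, "course-101", "great")),
        "bob": submit(seen, "course-101", "bad", *spk_sign(bob, "course-101", "bad")),
        "alice_other_poll": submit(seen, "course-202", "ok", *spk_sign(alice, "course-202", "ok")),
        "course_101_count": len(seen["course-101"]),
    }
    out["linkable"] = domain_pseudonym(alice, "course-101") == domain_pseudonym(alice, "course-202")
    return out
```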
Further Concepts
Concept – Inspection
Figure labels: TTP, inspector parameters, inspection grounds.
• If the car is damaged, the ID needs to be retrievable by the insurance or the government.
• Similarly, verifiably encrypt any certified attribute (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
Figure: key generation, encryption, decryption.
Security
Like envelopes: no information about the message leaks. This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of the label is a new ciphertext.
Verifiable Encryption
• Of attributes (discrete logarithm) – Camenisch-Shoup (SRSA), based on Paillier encryption.
• Of pseudonyms (group elements) – Cramer-Shoup (DL) or, rarely, ElGamal (DL).
• Otherwise (any secret for which a ZKPK exists) – Camenisch-Damgaard works for any scheme, but is much less efficient.
• Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key $x \in \{1, \ldots, q\}$; public key $y = g^x$.
To encrypt message $m \in \langle g \rangle$: choose random $r \in \{1, \ldots, q\}$ and compute $c = (y^r m,\; g^r)$.
To decrypt ciphertext $c = (c_1, c_2)$:
– We know $c = (y^r m,\; g^r) = (g^{xr} m,\; g^r)$.
– Thus set $m = c_1 \cdot c_2^{-x} = y^r m\, g^{-xr} = y^{r-r} m = m$.
Realizing Inspection
Alice: $Nym = g^{sk} h^{r}$ and credential $(c, e, s'')$ with $d = c^e\, a_1^{sk}\, a_2^{r}\, a_3^{name}\, b^{s'' + s} \pmod n$. Inspector: public key $y = g^x$.
• Encrypt $Nym$: random $u \in \{1, \ldots, q\}$ and $enc = (y^u\, Nym,\; g^u) = (e_1, e_2)$.
• Compute proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma): d = c'^{\varepsilon}\, a_1^{\mu_1}\, a_2^{\mu_2}\, a_3^{\mu_3}\, b^{\sigma} \;\wedge\; e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \;\wedge\; e_2 = g^{\rho} \;\wedge\; \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \;\wedge\; \varepsilon > 2^{\ell+1}\}$
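The inspection step above, as an added example (not the slides' or Identity Mixer's code): Alice ElGamal-encrypts $Nym = g^{sk} h^{r}$ under the inspector's key, proves $PK\{(\rho, \mu_1, \mu_2): e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho}\}$ so the verifier can check the ciphertext without learning $Nym$, and the inspector decrypts and looks the $Nym$ up in the issuer's registry. The toy group parameters, the registry dictionary, the secret values and the omission of the credential conjunct are assumptions of this example.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime; g = 2^2 and h = 3^2 are quadratic residues, hence of order q.
P_MOD, Q_ORD, G, H = 2039, 1019, 4, 9


def _challenge(*values: int) -> int:
    """Fiat-Shamir challenge: SHA-256 over the decimal encodings of the inputs."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, values)).encode()).digest(), "big")


def _rand_exp() -> int:
    return secrets.randbelow(Q_ORD - 1) + 1


def inspector_keygen() -> tuple:
    """Inspector (TTP) key pair: secret x, public y = g^x."""
    x = _rand_exp()
    return x, pow(G, x, P_MOD)


def make_nym(sk: int, r: int) -> int:
    """Nym = g^sk h^r mod p, as registered with the issuer at credential issuance."""
    return pow(G, sk, P_MOD) * pow(H, r, P_MOD) % P_MOD


def encrypt_nym(y: int, nym: int) -> tuple:
    """ElGamal: random u, enc = (y^u * Nym, g^u) = (e1, e2). Returns (u, enc)."""
    u = _rand_exp()
    return u, (pow(y, u, P_MOD) * nym % P_MOD, pow(G, u, P_MOD))


def decrypt_nym(x: int, enc: tuple) -> int:
    """Nym = e1 * e2^(-x) mod p (the slides' m = c1 * c2^(-x))."""
    e1, e2 = enc
    return e1 * pow(pow(e2, x, P_MOD), -1, P_MOD) % P_MOD


def prove_encryption(y: int, enc: tuple, u: int, sk: int, r: int) -> tuple:
    """PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2  and  e2 = g^rho}, made non-interactive
    with Fiat-Shamir. This is the encryption part of the slides' presentation token; the
    credential conjunct (d = c'^eps ...) is omitted here."""
    e1, e2 = enc
    k_rho, k1, k2 = _rand_exp(), _rand_exp(), _rand_exp()
    t1 = pow(y, k_rho, P_MOD) * pow(G, k1, P_MOD) * pow(H, k2, P_MOD) % P_MOD
    t2 = pow(G, k_rho, P_MOD)
    c = _challenge(y, e1, e2, t1, t2)
    return c, (k_rho - c * u) % Q_ORD, (k1 - c * sk) % Q_ORD, (k2 - c * r) % Q_ORD


def verify_encryption(y: int, enc: tuple, proof: tuple) -> bool:
    """The verifier learns only that enc decrypts (under y) to some Nym = g^mu1 h^mu2
    whose exponents the prover knows; Nym itself stays hidden."""
    e1, e2 = enc
    c, s_rho, s1, s2 = proof
    t1 = pow(y, s_rho, P_MOD) * pow(G, s1, P_MOD) * pow(H, s2, P_MOD) * pow(e1, c, P_MOD) % P_MOD
    t2 = pow(G, s_rho, P_MOD) * pow(e2, c, P_MOD) % P_MOD
    return c == _challenge(y, e1, e2, t1, t2)


def demo() -> dict:
    """Alice presents a token; the verifier checks it without learning Nym; the inspector
    decrypts on the agreed grounds and looks the Nym up in the issuer's registry."""
    x, y = inspector_keygen()
    sk, r = 321, 654                      # Alice's secrets (constructed)
    nym = make_nym(sk, r)
    registry = {nym: "Alice"}             # issuer stored (Nym, name) at issuance
    u, enc = encrypt_nym(y, nym)
    proof = prove_encryption(y, enc, u, sk, r)
    return {
        "token_verifies": verify_encryption(y, enc, proof),
        "inspector_recovers": registry.get(decrypt_nym(x, enc)),
        "wrong_key_recovers": registry.get(decrypt_nym((x + 1) % Q_ORD, enc)),
        "proof_bound_to_ciphertext": verify_encryption(y, (enc[1], enc[0]), proof),
    }
```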
Revocation of credentials
Anonymous Credential Revocation
Figure: the issuer publishes revocation info; the verifier looks it up. Alice should be able to convince the verifier that her credential is among the good ones.
Various reasons to revoke a credential: the user lost the credential secret key; misbehaviour of the user.
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
• Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s} \pmod n$
• Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$
• Alice proves that her $u_i$ is on the list:
– Choose random $g$
– Compute $U_j = g^{u_j}$ for $u_j$ in $(u_1, \ldots, u_k)$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; U_1 = g^{\mu}) \;\vee\; \ldots \;\vee\; (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; U_k = g^{\mu})\}$
• Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
• Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^e\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s} \pmod n$
• Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$
• Alice proves that her $u_i$ is not on the list:
– Choose random $h$ and compute $U = h^{u_i}$
– Prove $PK\{(\varepsilon, \mu, \rho, \sigma): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; U = h^{\mu}\}$
– Verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list
• Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
• What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while.
– Can pre-compute the list $U_i = h^{u_i}$ → single table lookup. BUT if the user comes again, the verifier can link. ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(verifier, date)$, so the user can check correctness.
– date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
Revocable Credentials: Second Solution – … better implementation of proof
• Issuer signs the intervals between revoked values → for revocation list $\{1, 4, 5\}$: $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$
• Alice proves that her credential contains a value $u$ with $i < u < j$ and that she holds $Sig(i,j)$ (figure: $u = 3$, lying between 1 and 4). The verifier does not learn $i, j$.
• $Sig(i,j)$ can also be realised with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators
• Credentials contain a random serial number; the issuer accumulates all good serial numbers (figure: accumulator containing 1, 2, 3, 4, 5, 6).
• A proof that a credential's serial number (e.g. 2) is included in the accumulator requires a witness.
• To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
• Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
• Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show $x, e$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption.
– Any $e$: equivalent to the Strong RSA assumption.
Revocation: each certificate is associated with an $e$, and each user gets a witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator;
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go.
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– Commit to $x$:
• choose random $s$ and $g$, and
• compute $U_1 = x\, h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– Run the proof protocol with the verifier:
$PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta): d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; z = U_1^{\mu} (1/h)^{\xi} \pmod n \;\wedge\; 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \;\wedge\; U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
• $(U_1, U_2)$ is a secure commitment to $x$
• the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \;\Rightarrow\; \xi = \delta \mu$
b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution – Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution – Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod e_i} = z^{1/e_{rev}} \bmod n$ (product over the remaining $e_i$)
– Witness:
• Use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
• Now $x' = x^{b}\, z'^{a} \bmod n$
• Why: $x'^{e_{own}} = ((x^{b} z'^{a})^{e_{own}})^{e_{rev} \cdot 1/e_{rev}} \bmod n = ((x^{b} z'^{a})^{e_{own} e_{rev}})^{1/e_{rev}} \bmod n = ((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}})^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved) – Dynamic Accumulator in case the issuer knows the factorization of $n$
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
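The RSA accumulator of the third solution, as an added example (not the slides' own code) that covers accumulation and witnesses, the join without trapdoor, the witness update on revocation via the extended Euclidean identity $a\, e_{own} + b\, e_{rev} = 1$, and the improved trapdoor join; the zero-knowledge membership proof $PK\{\ldots\}$ is not included. The toy modulus, the seed and the credential primes are constructed values.

```python
# Toy RSA modulus, constructed for this example and far too small for real use:
# n = p * q; phi(n) = (p - 1)(q - 1) is the issuer's trapdoor.
P_FACTOR, Q_FACTOR = 1009, 1013
N_MOD = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
SEED_V = 4                      # accumulator seed v (a quadratic residue mod n)


def _prod(values) -> int:
    out = 1
    for e in values:
        out *= e
    return out


def accumulate(es: list) -> int:
    """z = v^(prod e_i) mod n over the primes e_i of all currently valid credentials."""
    return pow(SEED_V, _prod(es), N_MOD)


def witness(es: list, e_j: int) -> int:
    """x = v^(prod of all e_i except e_j) mod n, so that x^(e_j) = z."""
    return pow(SEED_V, _prod(e for e in es if e != e_j), N_MOD)


def verify(z: int, x: int, e: int) -> bool:
    """Verifier's check: z = x^e mod n."""
    return pow(x, e, N_MOD) == z


def add_member(z: int, x_own: int, e_new: int) -> tuple:
    """Join without trapdoor: z' = z^(e_new); every holder updates x' = x^(e_new)."""
    return pow(z, e_new, N_MOD), pow(x_own, e_new, N_MOD)


def ext_euclid(a: int, b: int) -> tuple:
    """Returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_euclid(b, a % b)
    return g, t, s - (a // b) * t


def issuer_revoke(z: int, e_rev: int) -> int:
    """Issuer (knows phi(n)): z' = z^(1/e_rev) mod n, using e_rev^-1 mod phi(n)."""
    return pow(z, pow(e_rev, -1, PHI), N_MOD)


def update_witness_after_revocation(x_own: int, e_own: int, z_new: int, e_rev: int) -> int:
    """Holder (no trapdoor): with a*e_own + b*e_rev = 1, x' = x^b * z'^a mod n satisfies
    x'^(e_own) = z'^(b e_rev + a e_own) = z' (the slides' derivation)."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x_own, b, N_MOD) * pow(z_new, a, N_MOD) % N_MOD


def issuer_join_trapdoor(z: int, e_new: int) -> int:
    """Improved variant: z stays fixed and the issuer hands out x = z^(1/e_new) mod n,
    so existing witnesses remain valid and only revocations force updates."""
    return pow(z, pow(e_new, -1, PHI), N_MOD)


def demo() -> dict:
    """Three credentials (primes 13, 17, 19), a join (29), the revocation of 17 and a
    trapdoor join (31). The primes are constructed and coprime to phi(n)."""
    es = [13, 17, 19]
    z = accumulate(es)
    x13 = witness(es, 13)
    out = {"initial_ok": verify(z, x13, 13), "forged_e_ok": verify(z, x13, 23)}
    z2, x13 = add_member(z, x13, 29)                 # 29 joins: z and all witnesses change
    x17 = pow(witness(es, 17), 29, N_MOD)
    out["stale_witness_ok"] = verify(z2, witness(es, 13), 13)
    out["updated_witness_ok"] = verify(z2, x13, 13)
    z3 = issuer_revoke(z2, 17)                       # 17 is revoked: issuer publishes z3
    x13 = update_witness_after_revocation(x13, 13, z3, 17)
    out["revoked_ok"] = verify(z3, x17, 17)
    out["survivor_ok"] = verify(z3, x13, 13)
    out["z3_matches_fresh"] = z3 == accumulate([13, 19, 29])
    x31 = issuer_join_trapdoor(z3, 31)               # 31 joins without changing z3
    out["trapdoor_join_ok"] = verify(z3, x31, 31) and verify(z3, x13, 13)
    return out
```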
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute.
No additional effort for the verifier: if the credential is valid → no need to check revocation updates from the issuer.
Revocation: Zeroth Solution – Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User: $U = a_1^{m_1} a_2^{m_2} b^{s}$
– Issuer: choose $e, s''$ and compute $c = (d / (U\, a_3^{m_3}\, a_4^{time}\, b^{s''}))^{1/e} \bmod n$
– Credential: $(c, e, s'')$
Revocation: Zeroth Solution – Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period $time_i$:
– Choose $e_i, s_i''$ and compute $c_i = (d / (U\, a_3^{m_3}\, a_4^{time_i}\, b^{s_i''}))^{1/e_i} \bmod n$
– Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
Conclusions
Roadmap:
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges:
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society:
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch, Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer Verlag.
Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer Verlag, 1993.
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Realizing Issuance of Credential
n ai b dWant to sign wrt Nym = gskhr
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
PK(micro1 ρσ
) Nym = g
micro1 hρ ⋀
C = a 1micro1 a 2
ρ b σ
Nym = gskhr
C = a1sk a2
r bs
Realizing Issuance of Credential
n ai b d
C Nym
name
Want to sign wrt Nym = gskhr
c = (dC a3name bsrdquo)1e mod n
stores Nym name
d = ce a1ska2
ra3name bsrdquo + s (mod n)
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
(figure: key generation, encryption, decryption)
Security, like envelopes: no information about the message is revealed, not even which of two candidate messages was encrypted.
This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
– The label is important to bind context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc.
– Security definition: a change of label yields a new ciphertext.
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption.
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL).
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient.
– Open problem: to find new ones.
ElGamal Encryption Scheme
Group $G = \langle g \rangle$ of order $q$.
Secret key $x \in \{1, \ldots, q\}$; public key $y = g^{x}$.
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \ldots, q\}$;
– compute $c = (y^{r} m,\ g^{r})$.
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^{r} m,\ g^{r}) = (g^{xr} m,\ g^{r})$;
– thus set $m = c_1 \cdot c_2^{-x} = y^{r} m\, g^{-xr} = y^{r-r} m = m$.
Realizing Inspection
User: pseudonym $Nym = g^{sk} h^{r}$ and credential with $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s'' + s} \pmod n$. Inspector: public key $y = g^{x}$.
– Encrypt Nym: choose random $u \in \{1, \ldots, q\}$ and compute $enc = (y^{u} \cdot Nym,\ g^{u}) = (e_1, e_2)$.
– Compute the proof token (presentation token):
  – compute $c' = c \cdot b^{t} \bmod n$ with randomly chosen $t$;
  – compute the proof
    $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma) : d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \wedge e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho} \wedge \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$.
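The inspection steps above with ElGamal, as an added Python example (constructed for this page, not Identity Mixer code): the pseudonym Nym = g^sk h^r is encrypted under the inspector's key y = g^x, the user attaches a Fiat-Shamir proof of knowledge of (ρ, μ1, μ2) with e1 = y^ρ g^μ1 h^μ2 and e2 = g^ρ, the verifier checks it, and the inspector recovers Nym. The credential conjunct (d = c'^ε ...) and the range conditions are left out, and the group is a toy safe-prime group p = 2039 with g = 4 and h = 9 (both quadratic residues; in practice h is hashed into the group so that its logarithm to base g is unknown). The sk and r values are constructed samples.

```python
import hashlib
import secrets

# Toy group, constructed for this example and NOT secure: safe prime p = 2q + 1,
# g and h are quadratic residues and therefore generate the subgroup of prime order q.
P, Q = 2039, 1019
G = 4      # 2^2
H = 9      # 3^2; in a real deployment h is hashed into the group so log_g(h) is unknown


def rand_exp() -> int:
    """Uniform random exponent in {1, ..., q-1}."""
    return secrets.randbelow(Q - 1) + 1


def make_nym(sk: int, r: int) -> int:
    """User's pseudonym Nym = g^sk h^r."""
    return pow(G, sk, P) * pow(H, r, P) % P


def inspector_keygen():
    """ElGamal key pair of the inspector: secret x, public y = g^x."""
    x = rand_exp()
    return x, pow(G, x, P)


def encrypt_nym(y: int, nym: int):
    """ElGamal encryption of Nym under y: enc = (y^u * Nym, g^u) = (e1, e2)."""
    u = rand_exp()
    return u, (pow(y, u, P) * nym % P, pow(G, u, P))


def inspector_decrypt(x: int, enc) -> int:
    """Nym = e1 * e2^(-x); e2 has order q, so e2^(-x) = e2^((-x) mod q)."""
    e1, e2 = enc
    return e1 * pow(e2, (-x) % Q, P) % P


def _challenge(*items: int) -> int:
    """Fiat-Shamir challenge over the public values, reduced into Z_q."""
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_encrypted_nym(y: int, enc, u: int, sk: int, r: int):
    """Non-interactive PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2 and e2 = g^rho}
    for rho = u, mu1 = sk, mu2 = r (the same mu1, mu2 the credential proof would use)."""
    e1, e2 = enc
    t_rho, t1, t2 = rand_exp(), rand_exp(), rand_exp()     # randomness of the commitments
    T1 = pow(y, t_rho, P) * pow(G, t1, P) * pow(H, t2, P) % P
    T2 = pow(G, t_rho, P)
    c = _challenge(y, e1, e2, T1, T2)
    return (c, (t_rho + c * u) % Q, (t1 + c * sk) % Q, (t2 + c * r) % Q)


def verify_encrypted_nym(y: int, enc, proof) -> bool:
    """Verifier recomputes T1, T2 from the responses and checks the challenge."""
    e1, e2 = enc
    c, s_rho, s1, s2 = proof
    T1 = (pow(y, s_rho, P) * pow(G, s1, P) * pow(H, s2, P)
          * pow(e1, (-c) % Q, P)) % P
    T2 = pow(G, s_rho, P) * pow(e2, (-c) % Q, P) % P
    return c == _challenge(y, e1, e2, T1, T2)


def inspection_round(sk: int, r: int):
    """One presentation with inspection: (proof verified?, inspector recovered Nym?)."""
    x, y = inspector_keygen()
    nym = make_nym(sk, r)
    u, enc = encrypt_nym(y, nym)
    proof = prove_encrypted_nym(y, enc, u, sk, r)
    return verify_encrypted_nym(y, enc, proof), inspector_decrypt(x, enc) == nym


if __name__ == "__main__":
    print(inspection_round(sk=123, r=77))   # (True, True)
```

The verifier learns only that the ciphertext encrypts some g^μ1 h^μ2 whose opening the user knows; binding μ1, μ2 to the credential is what the omitted CL-signature conjunct adds.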
Revocation of Credentials
Anonymous Credential Revocation
(figure: the issuer publishes revocation information; the verifier looks it up)
– Alice should be able to convince the verifier that her credential is among the good ones.
– Various reasons to revoke a credential: user lost the credential or the secret key, misbehavior of the user.
– Pseudonyms → standard revocation lists don't work.
Revocable Credentials – First Solution
– Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s} \pmod n$.
– Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \ldots, u_k)$.
– Alice proves that her $u_i$ is on the list:
  – choose random $g$;
  – compute $U_j = g^{u_j}$ for each $u_j$ in $(u_1, \ldots, u_k)$;
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma) : (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_1 = g^{\mu}) \vee \ldots \vee (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U_k = g^{\mu})\}$.
– Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials – Second Solution
– Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s} \pmod n$.
– Publish the list of all invalid $u_i$'s: $(u_1, \ldots, u_k)$.
– Alice proves that her $u_i$ is not on the list:
  – choose random $h$ and compute $U = h^{u_i}$;
  – prove $PK\{(\varepsilon, \mu, \rho, \sigma) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge U = h^{\mu}\}$;
  – the verifier checks whether $U = h^{u_j}$ for all $u_j$ on the list.
– Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).
– What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials – Second Solution (variation)
– The verifier could choose $h$ and keep it fixed for a while: it can pre-compute the list $U_i = h^{u_i}$ → single table lookup.
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers.
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them.
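The second solution's non-membership check and the linkability caveat from the variation, as an added Python example (constructed for this page, not from the slides): U = h^{u_i} is compared with h^{u_j} for every revoked u_j, a verifier-side table turns the check into one lookup, a base h that stays fixed makes two presentations by the same user identical (hence linkable), and h = H(verifier, date) gives a base the user can recompute. The group is a toy safe-prime group p = 2039; the PK that ties u_i to the credential is omitted, and the credential IDs are constructed sample values.

```python
import hashlib
import secrets

# Toy safe-prime group (constructed, NOT secure): p = 2q + 1, quadratic residues have order q.
P, Q = 2039, 1019


def hash_to_group(data: bytes) -> int:
    """Hash into the order-q subgroup; squaring keeps the base's logarithm unknown."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    if h in (0, 1, P - 1):
        h = 2
    return pow(h, 2, P)


def fresh_base() -> int:
    """User-chosen random h (a quadratic residue), new for every presentation."""
    return pow(secrets.randbelow(P - 3) + 2, 2, P)


def verifier_base(verifier_id: bytes, date: bytes) -> int:
    """Variation from the slides: h = H(verifier, date), recomputable by the user."""
    return hash_to_group(verifier_id + b"|" + date)


def present(u_i: int, h: int) -> int:
    """User sends U = h^{u_i} (plus a proof that u_i is the ID in her credential, omitted)."""
    return pow(h, u_i, P)


def is_revoked(U: int, h: int, revoked) -> bool:
    """Verifier does the linear work: compare U with h^{u_j} for each revoked u_j."""
    return any(pow(h, u_j, P) == U for u_j in revoked)


def precompute_table(h: int, revoked) -> dict:
    """With a fixed h the verifier precomputes {h^{u_j}: u_j} and needs a single lookup."""
    return {pow(h, u_j, P): u_j for u_j in revoked}


def linkable(u_i: int, h_first: int, h_second: int) -> bool:
    """Two presentations by the same user are linkable iff the same base was used."""
    return present(u_i, h_first) == present(u_i, h_second)


def demo():
    revoked = [17, 4242, 999]          # revoked credential IDs (constructed)
    u_alice, u_bob = 31337, 4242       # Bob's credential has been revoked
    h = fresh_base()
    alice_ok = not is_revoked(present(u_alice, h), h, revoked)
    bob_rejected = is_revoked(present(u_bob, h), h, revoked)
    fixed = verifier_base(b"verifier-42", b"2015-08-11")
    table = precompute_table(fixed, revoked)
    bob_by_lookup = present(u_bob, fixed) in table
    linked_fixed = linkable(u_alice, fixed, fixed)                 # same base twice: linkable
    linked_fresh = linkable(u_alice, fresh_base(), fresh_base())   # fresh base each time
    return alice_ok, bob_rejected, bob_by_lookup, linked_fixed, linked_fresh


if __name__ == "__main__":
    print(demo())   # (True, True, True, True, False)
```

A dated base bounds the linking window to one date value while keeping the lookup table; the user recomputes H(verifier, date) herself, so a verifier that quietly reuses yesterday's base is caught.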
Revocable Credentials – Second Solution: … better implementation of the proof
(figure: revoked IDs 1, 4, 5 on a number line; the issuer signs the gaps $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$; a credential with ID 3 lies in the gap $(1,4)$)
– The issuer signs the intervals between revoked IDs → revocation list $\{1, 4, 5\}$.
– The user shows that her credential contains a $u$ with $i < u < j$ for some signed interval $Sig(i, j)$; the verifier does not learn $i, j$.
– $Sig(i, j)$ can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials – Third Solution: Using cryptographic accumulators
(figure: an accumulator containing the serial numbers 1 to 6; a credential with serial number 2; the proof that 2 is included requires a witness)
– Credentials contain a random serial number.
– The issuer accumulates all good serial numbers.
– The proof that a serial number is included requires a witness.
– To revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials.
Revocable Credentials – Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.
– Accumulate: values are primes $e_i$; accumulator value $z = v^{\prod e_i} \bmod n$; publish $z$ and $n$.
– Witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$.
– Show that your value $e$ is contained in the accumulator: provide $x$ for $e$; the verifier checks $z = x^{e} \bmod n$.
Revocable Credentials – Third Solution
Security of the accumulator: it must be infeasible to show an $e$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator.
– For fixed $e$: equivalent to the RSA assumption.
– Any $e$: equivalent to the Strong RSA assumption.
Revocation: each cert is associated with an $e$, and each user gets the witness $x$ with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator;
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go.
Revocable Credentials – Third Solution
Prove that your key is in the accumulator:
– Commit to $x$: choose random $s$ and $g$, compute $U_1 = x h^{s}$ and $U_2 = g^{s}$, and reveal $U_1, U_2, g$.
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \wedge z = U_1^{\mu} (1/h)^{\xi} \pmod n \wedge 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \wedge U_2 = g^{\delta} \pmod n\}$.
Revocable Credentials – Third Solution
Analysis:
– No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge.
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \Rightarrow \xi = \delta \mu$;
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$;
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$.
Revocation – Third Solution: Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$.
– Thus $z' = z^{e_{new}} \bmod n$.
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$.
Revocation – Third Solution: Dynamic Accumulator
When a certificate containing $e_{rev}$ is revoked:
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$.
– Witness: use extended Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$; now $x' = x^{b} z'^{a} \bmod n$.
– Why? $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} \bmod n = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} \bmod n = \big((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\big)^{1/e_{rev}} \bmod n = (z^{b\, e_{rev}} z^{a\, e_{own}})^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation – Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$.
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$.
– Thus $z$ need not be changed when a new member joins.
– Witnesses need to be recomputed upon revocation only.
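The accumulator operations of the third solution, including both dynamic-update variants, as an added Python example (constructed for this page, not the slides' or Identity Mixer's code): accumulation z = v^{∏ e_i}, witness computation and check, the witness update on a plain join (x' = x^{e_new}), the issuer-side deletion z' = z^{1/e_rev} with the extended-Euclid witness update x' = x^b z'^a, and the improved join that leaves z unchanged by handing out x = z^{1/e_new}. The modulus is a toy product of the Mersenne primes 2^31 − 1 and 2^61 − 1, far too small for real use, and the credential primes are constructed sample values; the membership proof protocol is omitted. Python 3.8+ is assumed for pow() with a negative exponent.

```python
# Toy RSA modulus built from two Mersenne primes (constructed, NOT secure; a real
# accumulator uses a 2048-bit+ modulus with safe-prime factors).
P_FACTOR = (1 << 31) - 1
Q_FACTOR = (1 << 61) - 1
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)      # known to the issuer only
V = 9                                      # seed v, a quadratic residue mod n


def ext_gcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def accumulate(values) -> int:
    """z = v^(prod e_i) mod n, the e_i being distinct primes coprime to phi(n)."""
    z = V
    for e in values:
        z = pow(z, e, N)
    return z


def witness(values, e_j: int) -> int:
    """x = v^(product of all e_i except e_j) mod n, so that x^e_j = z."""
    return accumulate([e for e in values if e != e_j])


def verify(z: int, x: int, e: int) -> bool:
    """Membership check run by the verifier: z == x^e mod n."""
    return pow(x, e, N) == z


# --- dynamic accumulator, public operations (no factorization needed) ---

def add(z: int, e_new: int) -> int:
    """Issuer publishes z' = z^e_new when a credential with e_new is issued."""
    return pow(z, e_new, N)


def witness_after_add(x: int, e_new: int) -> int:
    """Every holder updates x' = x^e_new so that x'^e_own = z'."""
    return pow(x, e_new, N)


def witness_after_delete(x: int, e_own: int, z_new: int, e_rev: int) -> int:
    """After revocation of e_rev (z_new = z^(1/e_rev)): with a*e_own + b*e_rev = 1,
    x' = x^b * z_new^a satisfies x'^e_own = z^b * z_new^(a*e_own) = z_new^(b*e_rev + a*e_own) = z_new."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "e_own and e_rev must be distinct primes"
    return pow(x, b, N) * pow(z_new, a, N) % N      # negative exponent = modular inverse (3.8+)


# --- issuer-side operations using the factorization of n ---

def issuer_delete(z: int, e_rev: int) -> int:
    """z' = z^(1/e_rev) mod n; 1/e_rev is the inverse of e_rev modulo phi(n)."""
    return pow(z, pow(e_rev, -1, PHI), N)


def issuer_witness_improved(z: int, e_new: int) -> int:
    """Improved join: z stays, the new holder gets x = z^(1/e_new); v is implicitly v^(1/e_new)."""
    return pow(z, pow(e_new, -1, PHI), N)


def lifecycle():
    """Issue four credentials, add a fifth, revoke one, then use the improved join."""
    es = [101, 103, 107, 109]                 # credential primes (constructed sample values)
    z = accumulate(es)
    x103 = witness(es, 103)
    step1 = verify(z, x103, 103) and not verify(z, x103, 101)
    z = add(z, 113); es.append(113)           # plain join: everyone updates
    x103 = witness_after_add(x103, 113)
    step2 = verify(z, x103, 103) and z == accumulate(es)
    x107_old = witness(es, 107)
    z = issuer_delete(z, 107); es.remove(107) # revocation of 107
    x103 = witness_after_delete(x103, 103, z, 107)
    step3 = verify(z, x103, 103) and z == accumulate(es) and not verify(z, x107_old, 107)
    x127 = issuer_witness_improved(z, 127)    # improved join: z unchanged, nobody else updates
    step4 = verify(z, x127, 127) and verify(z, x103, 103)
    return step1, step2, step3, step4


if __name__ == "__main__":
    print(lifecycle())   # (True, True, True, True)
```

The holder-side update in witness_after_delete needs only public values (z', e_rev) and the holder's own (x, e_own), while both issuer functions rely on PHI; keeping PHI on the issuer is what separates the two roles.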
Revocation – Zeroth Solution
Update of credentials: encode the validity time as an attribute.
– No additional effort for the verifier.
– If the credential is valid → no need to check revocation updates from the issuer.
Revocation – Zeroth Solution: Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User sends $U = a_1^{m_1} a_2^{m_2} b^{s}$.
– Issuer chooses $e, s''$ and computes $c = \big(d / (U\, a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$; it sends $(c, e, s'')$ to the user.
Revocation – Zeroth Solution: Re-issue certificates (off-line – interaction might be too expensive)
– Idea: just repeat the last step for each new time period $time_i$: choose $e_i, s_i''$ and compute $c_i = \big(d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$.
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means.
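The zeroth solution (validity time as an attribute, off-line re-issue) as an added Python example (constructed for this page, not Identity Mixer's code): the user commits to sk and r in U = a1^sk a2^r b^s, the issuer computes c = (d/(U a3^m3 a4^time b^s''))^{1/e}, the user keeps (c, e, s + s''), the verifier checks the signature equation against the validity date, and re-issuing for a new period repeats only the issuer's step with fresh e_i, s_i''. The modulus is a toy product of the Mersenne primes 2^31 − 1 and 2^61 − 1 with quadratic-residue bases, the attributes are constructed sample values, and there is no zero-knowledge presentation, so sk, r and the course ID are handed to the verifier in the clear here. Python 3.8+ is assumed for pow() with a negative exponent.

```python
import secrets
from math import gcd

# Toy CL/SRSA-style public key, constructed for this example and NOT secure:
# n is the product of two Mersenne primes; real keys use a 2048-bit+ modulus.
P_FACTOR, Q_FACTOR = (1 << 31) - 1, (1 << 61) - 1
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)            # issuer's secret


def _qr(k: int) -> int:
    return pow(k, 2, N)                          # quadratic residues serve as bases


A1, A2, A3, A4, B, D = (_qr(k) for k in (3, 5, 7, 11, 13, 17))   # public key (n, a1..a4, b, d)


def next_prime(start: int) -> int:
    """Smallest prime > start that is coprime to phi(n) (trial division; toy sizes only)."""
    n = start + 1
    while not (all(n % d for d in range(2, int(n ** 0.5) + 1)) and gcd(n, PHI) == 1):
        n += 1
    return n


def user_commit(sk: int, r: int):
    """User's first message: U = a1^sk a2^r b^s with fresh blinding s."""
    s = secrets.randbelow(1 << 40)
    U = pow(A1, sk, N) * pow(A2, r, N) * pow(B, s, N) % N
    return U, s


def issue(U: int, course_id: int, valid_until: int):
    """Issuer's step, used for the first issue and for every re-issue:
    choose prime e and s'', then c = (d / (U a3^course a4^time b^s''))^(1/e) mod n."""
    e = next_prime(secrets.randbelow(1 << 24) | (1 << 23))
    s2 = secrets.randbelow(1 << 40)
    X = U * pow(A3, course_id, N) * pow(A4, valid_until, N) * pow(B, s2, N) % N
    c = pow(D * pow(X, -1, N) % N, pow(e, -1, PHI), N)     # 1/e taken modulo phi(n)
    return c, e, s2


def user_finish(cred_part, s: int):
    """User combines the issuer's (c, e, s'') with her own s into the credential (c, e, s + s'')."""
    c, e, s2 = cred_part
    return c, e, s + s2


def verify(cred, sk: int, r: int, course_id: int, valid_until: int, today: int) -> bool:
    """Signature equation d == c^e a1^sk a2^r a3^course a4^time b^s, plus the validity check.
    In the real scheme sk, r and course_id stay hidden behind a proof of knowledge."""
    c, e, s = cred
    lhs = (pow(c, e, N) * pow(A1, sk, N) * pow(A2, r, N) * pow(A3, course_id, N)
           * pow(A4, valid_until, N) * pow(B, s, N)) % N
    return lhs == D and today <= valid_until


def credential_lifecycle():
    """Issue for one period, let it expire, then re-issue off-line for the next period."""
    sk, r, course = 123456789, 987654321, 4242            # constructed sample attributes
    U, s = user_commit(sk, r)                             # the issuer keeps U for re-issuing
    cred = user_finish(issue(U, course, 20150930), s)     # valid until 2015-09-30
    before = verify(cred, sk, r, course, 20150930, 20150901)
    expired = verify(cred, sk, r, course, 20150930, 20151015)
    cred2 = user_finish(issue(U, course, 20151231), s)    # pushed to the user, no interaction
    renewed = verify(cred2, sk, r, course, 20151231, 20151015)
    mismatch = verify(cred2, sk, r, course, 20150930, 20151015)   # wrong time attribute
    return before, expired, renewed, mismatch


if __name__ == "__main__":
    print(credential_lifecycle())   # (True, False, True, False)
```

Because the issuer only needs U, a re-issue is a one-way message: the user never has to come back on-line, which is the point of this solution.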
Conclusions
Roadmap:
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes.
– Provide transparency.
– Public infrastructure for privacy protection.
– Laws with teeth (encourage investment in privacy).
Challenges:
– Internet services get paid with personal data (inverse incentive).
– End users are not able to handle their data (user interfaces).
– Security technology is typically invisible and hard to sell.
Towards a secure information society:
– Society changes quickly and gets shaped by technology.
– Consequences are hard to grasp (time will show).
– We must inform and engage in a dialog.
Thank you!
eMail: identity@zurich.ibm.com
Links: www.abc4trust.eu, www.futureID.eu, www.au2eu.eu, www.PrimeLife.eu, www.zurich.ibm.com/idemix, idemixdemo.zurich.ibm.com
Code: github.com/p2abcengine and abc4trust.eu/idemix
References
– D. Chaum, J.-H. Evertse and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
– Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, LNCS, Springer-Verlag.
– G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
– Jan Camenisch, Natalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
– Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215, Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
– David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
October 28 201491 copy 2013 IBM Corporation
An Example Scenario
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Polling Scenario and Requirements
ScenarioPollster(s) and a number of usersOnly registered user (eg students who took a course) can voice
opinion (eg course evaluation)User can voice opinion only once (subsequent attempts are
dropped)Users want to be anonymous A users opinion in different polls must not be linkable
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Registration
User generates pseudonym (ID for registration)User obtains credential on pseudonym stating that she is eligible
for polls ie (ces)
d = ce a1ska2
r a3attr bs (mod n)
Credential can contain attributes (eg course ID) about her
(na1a2bd)
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Submit Poll
1 User generates domain pseudonym domain = pollID
2 User transforms credential
3 Transformed credential with a subset of the attributesndash User is anonymous and unlinkable
ndash Multiple opinions are detected because uniqueness of domain pseudonym
copy 2014 IBM CorporationAugust 11 2015
Polling ndash Solution Polling
1 Domain pseudonym P = gdsk = H(pollID)sk
P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble
(under the Decisional Diffie-Hellman assumption)
2 User transforms credential ndash c = c bsmod n with randomly chosen sndash SPK(ε micro1 micro2 micro3σ) P = gd
micro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n) ⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)
copy 2014 IBM Corporation104 August 11 2015
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
TTP
Inspector parameters
Inspection grounds
bull If car is damaged ID with insurance or govt needs be retrieved
bull Similarly verifiably encrypt any certified attribute (optional)
bull TTP is off-line amp can be distributed to lessen trust
Concept ndash Inspection
copy 2014 IBM CorporationAugust 11 2015
Public Key Encryption
Key Generation
Encryption
Decryption
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
Revocable Credentials: Second Solution
Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s'' + s} \pmod n$
Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U = h^{\mu}\}$
– verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid $u_i$'s public?
If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose $h$ and keep it fixed for a while
– can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link her visits; ALSO the verifier could not change $h$ at all, or use the same $h$ as other verifiers
– one way out: $h = H(\text{verifier}, \text{date})$, so the user can check its correctness
– the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution
… better implementation of the proof
[Figure: revocation list {1, 4, 5}; the issuer signs the intervals between revoked IDs, Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a credential with ID 3 proves that its ID lies inside the signed interval (1,4)]
– Issuer signs the intervals between revoked IDs → revocation list {1, 4, 5}
– Proof: the credential contains an ID lying strictly between $i$ and $j$, and the user knows a signature $Sig(i, j)$
– Verifier does not learn $i, j$
– $Sig(i, j)$ can be realised also with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the issuer accumulates the serial numbers 1–6 of all good credentials; a credential containing serial number 2 proves that 2 is included in the accumulator]
– Credentials contain a random serial number
– Issuer accumulates all good serial numbers
– The proof that the credential's serial number is included in the accumulator requires a witness
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the accumulator after serial number 2 has been removed]
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
– A proof that 2 is included would now require a witness for the new accumulator
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of accumulator: it must be infeasible to show, i.e. to find $x$ s.t. $z = x^{e} \bmod n$, for an $e$ that is not contained in the accumulator
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$ and each user gets a witness $x$ with the certificate. But we still need:
– An efficient protocol to prove that a committed value is contained in the accumulator
– A dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator:
– commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n \ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis:
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \ \Rightarrow\ \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
– recall $z = v^{\prod e_i} \bmod n$
– thus $z' = z^{e_{new}} \bmod n$
– but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
– now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– witness:
  • use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  • now $x' = x^{b} z'^{a} \bmod n$
  • why? $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\big)^{1/e_{rev}} = \big(z^{b\, e_{rev}} z^{a\, e_{own}}\big)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
– recall $z = v^{\prod e_i} \bmod n$
– actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– thus $z$ need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
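The accumulate/witness/verify steps, the two dynamic-accumulator updates (join with $x' = x^{e_{new}}$, revocation with the extended-Euclid witness update) and the trapdoor join of the improved solution, as one added Python example that is not the slides' or Identity Mixer's code; the toy modulus $n = 1009 \cdot 1013$, the seed $v = 4$ and the `Issuer` class are constructed assumptions:

```python
"""RSA accumulator of the 'Third Solution' slides: accumulate prime serial
numbers, hand out witnesses, verify, join (all witnesses change), revoke
(witnesses updated with extended Euclid) and the improved trapdoor join.
Added example, not the slides' or Identity Mixer's code; the toy modulus and
seed are constructed and far too small for real use."""
from math import prod
from typing import List, Optional, Tuple


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(a: int, n: int) -> int:
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("not invertible")
    return s % n


def mpow(base: int, exp: int, n: int) -> int:
    """Modular power that accepts a negative exponent (b from Euclid may be < 0)."""
    return pow(modinv(base, n), -exp, n) if exp < 0 else pow(base, exp, n)


class Issuer:
    """Accumulator state.  phi = (p-1)(q-1) is the trapdoor; only the issuer
    has it, and only the improved join and the revocation shortcut use it."""

    def __init__(self, n: int, v: int, phi: Optional[int] = None):
        self.n, self.v, self.phi = n, v % n, phi
        self.members: List[int] = []
        self.z = self.v                      # empty accumulator

    def accumulate(self, primes: List[int]) -> int:
        """z = v^{prod e_i} mod n; z and n are published."""
        self.members = list(primes)
        self.z = pow(self.v, prod(primes), self.n)
        return self.z

    def witness(self, e: int) -> int:
        """x = v^{prod of the other e_i}, so that x^e = z."""
        return pow(self.v, prod(m for m in self.members if m != e), self.n)

    def add(self, e_new: int) -> int:
        """Plain join: z' = z^{e_new}; every existing witness must be updated."""
        self.members.append(e_new)
        self.z = pow(self.z, e_new, self.n)
        return self.z

    def add_with_trapdoor(self, e_new: int) -> int:
        """Improved join: z stays, the newcomer gets x = z^{1/e_new}; this is the
        same as silently replacing v by v^{1/e_new}, which nobody ever sees."""
        if self.phi is None:
            raise ValueError("trapdoor join needs phi(n)")
        d = modinv(e_new, self.phi)
        self.members.append(e_new)
        self.v = pow(self.v, d, self.n)
        return pow(self.z, d, self.n)

    def revoke(self, e_rev: int) -> int:
        """z' = z^{1/e_rev}: e_rev-th root via phi if known, else rebuilt from v."""
        self.members.remove(e_rev)
        if self.phi is not None:
            self.z = pow(self.z, modinv(e_rev, self.phi), self.n)
        else:
            self.z = pow(self.v, prod(self.members), self.n)
        return self.z


def verify(z: int, x: int, e: int, n: int) -> bool:
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, n) == z


def update_witness_add(x: int, e_new: int, n: int) -> int:
    """After a plain join: x' = x^{e_new}."""
    return pow(x, e_new, n)


def update_witness_revoke(x: int, e_own: int, e_rev: int, z_new: int, n: int) -> int:
    """After revoking e_rev: a*e_own + b*e_rev = 1, then x' = x^b * z'^a, because
    x'^{e_own} = z^{b} * z'^{a e_own} = z'^{b e_rev + a e_own} = z'."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return mpow(x, b, n) * mpow(z_new, a, n) % n


# Constructed toy parameters: n = 1009 * 1013, phi = 1008 * 1012, seed v = 4.
# Accumulated primes must be coprime to phi (its factors are 2, 3, 7, 11, 23).
TOY_N, TOY_PHI, TOY_V = 1009 * 1013, 1008 * 1012, 4
```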
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
[Figure: the user sends $U = a_1^{m_1} a_2^{m_2} b^{s} \bmod n$ to the issuer; the issuer chooses $e, s''$ and computes $c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} \bmod n$; the user receives $(c, e, s'')$]
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time period $time_i$:
– choose $e_i, s_i''$
– $c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch and Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
Jan Camenisch, Natalie Casati, Thomas Gross, and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
References (continued)
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Polling – Solution: Registration
User generates a pseudonym (ID for registration). User obtains a credential on the pseudonym stating that she is eligible for polls, i.e. $(c, e, s)$ with
$d = c^{e} a_1^{sk} a_2^{r} a_3^{attr} b^{s} \pmod n$
The credential can contain attributes (e.g. course ID) about her.
[Figure: issuer public key $(n, a_1, a_2, b, d)$]
Polling – Solution: Submit Poll
1. User generates a domain pseudonym, domain = pollID
2. User transforms the credential
3. Transformed credential with a subset of the attributes
– User is anonymous and unlinkable
– Multiple opinions are detected because of the uniqueness of the domain pseudonym
Polling – Solution: Polling
1. Domain pseudonym $P = g_d^{sk} = H(pollID)^{sk}$
   $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
2. User transforms the credential
– $c' = c\, b^{s} \bmod n$ with randomly chosen $s$
– $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \ \wedge\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}(opinion)$
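Domain pseudonyms $P = H(pollID)^{sk}$ for duplicate detection, and the same hash-to-group construction as $h = H(\text{verifier}, \text{date})$ for the second revocation solution above, in one added Python example (not code from the slides); the safe-prime search, hashing into the subgroup by squaring and all function names are constructed assumptions, and the example also shows that a fixed $h$ makes returning users linkable:

```python
"""Domain pseudonyms over a prime-order group <g>, as on the polling slides
(P = H(pollID)^sk) and in the second revocation solution (U = h^{u_i} with
h = H(verifier, date)).  Added example with constructed parameters, not code
from the slides.  A fixed h turns U into a linkable pseudonym; deriving h from
(verifier, date) is the slide's way out, and lets the user recompute h."""
import hashlib
from typing import List, Tuple


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (first 12 prime bases)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for s in small:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> Tuple[int, int]:
    """Smallest q >= start with q and p = 2q + 1 both prime (reproducible)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed parameters: ~62-bit safe prime; the squares mod p form the
# subgroup of prime order q.  Real systems use 256-bit q or larger.
P, Q = safe_prime_from(1 << 61)


def hash_to_group(*parts: str) -> int:
    """H(parts) as an element of the order-q subgroup: hash, reduce mod p,
    square.  Anyone can recompute it, so the user can check the verifier's h."""
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    a = int.from_bytes(digest, "big") % P
    if a in (0, 1, P - 1):          # skip the trivial elements
        a = 2
    return a * a % P


def domain_pseudonym(sk: int, domain: str) -> int:
    """P = H(domain)^sk: constant within a domain, unlinkable across domains under DDH."""
    return pow(hash_to_group(domain), sk, P)


def poll_has_duplicate(submissions: List[Tuple[str, int]]) -> bool:
    """(pollID, P) pairs: the same P twice in one poll means one key voted twice."""
    seen = set()
    for poll_id, pseud in submissions:
        if (poll_id, pseud) in seen:
            return True
        seen.add((poll_id, pseud))
    return False


def revocation_check(u_i: int, revoked: List[int], verifier: str, date: str) -> Tuple[int, bool]:
    """User side: U = h^{u_i} with h = H(verifier, date).  Verifier side: U must
    differ from h^{u_j} for every revoked u_j (the table is precomputable per date).
    Returns (U, accepted)."""
    h = hash_to_group(verifier, date)
    U = pow(h, u_i, P)
    table = {pow(h, u_j, P) for u_j in revoked}
    return U, U not in table


def linkable_across_visits(u_i: int, revoked: List[int], verifier: str,
                           date1: str, date2: str) -> bool:
    """True iff two visits yield the same U, i.e. the verifier can link them.
    Same date (fixed h) -> always linkable; different dates -> fresh h, not linkable."""
    U1, _ = revocation_check(u_i, revoked, verifier, date1)
    U2, _ = revocation_check(u_i, revoked, verifier, date2)
    return U1 == U2
```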
</gr_repl"ace>
<gr_replace lines="65801" cat="remove_boilerplate" orig="copy">
Further Concepts
copy 2014 IBM Corporation105 August 11 2015
Concept – Inspection
[Figure: a TTP (the inspector) with inspector parameters and inspection grounds]
• If the car is damaged, the ID needs to be retrieved together with the insurance or the government
• Similarly, verifiably encrypt any certified attribute (optional)
• The TTP is off-line & can be distributed to lessen trust
Public Key Encryption
[Figure: key generation, encryption, decryption]
Security
Like envelopes: no info about the message
Security
Like envelopes: [Figure: the ciphertext could be an encryption of either of two messages]
This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
The label is important to bind context to an encryption. E.g. it defines the decryption condition, binds the user to the car, etc. Security definition: a change of label is a new ciphertext.
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Polling – Solution

1. Domain pseudonym $P = g_d^{sk}$ with $g_d = H(pollID)$, i.e. $P = H(pollID)^{sk}$
   – $P_1 = H(pollID_1)^{sk}$ and $P_2 = H(pollID_2)^{sk}$ are unlinkable (under the Decisional Diffie-Hellman assumption)
   – within one poll the same $sk$ always yields the same $P$, so a second vote by the same user is detected
2. User transforms the credential: $c' = c\, b^{s'} \bmod n$ with randomly chosen $s'$, and computes the signature proof
   $SPK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma):\ P = g_d^{\mu_1} \ \wedge\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}(opinion)$

© 2014 IBM Corporation, August 11, 2015
Further Concepts

Concept – Inspection

[Diagram: user, verifier and an off-line trusted third party (TTP) acting as inspector; the TTP publishes the inspector parameters, and the presentation token states the inspection grounds.]
• If the car is damaged, the driver's ID needs to be retrievable by the insurance or the government
• Similarly, any certified attribute can be verifiably encrypted (optional)
• The TTP is off-line and can be distributed to lessen trust
Public Key Encryption

[Diagram: key generation, encryption, decryption]

Security
– Like envelopes: the ciphertext reveals no information about the message
– [Diagram: the adversary cannot tell which of two messages the envelope contains]
– This is called semantic security. It suffices if the scheme is used once only, or inside a carefully designed construction; where an adversary can submit ciphertexts of its own for decryption (as an inspector in practice must expect), the stronger chosen-ciphertext security is needed, which the verifiable encryption schemes below provide
Verifiable Encryption with Label

The label is important to bind a context to an encryption, e.g. it defines the decryption condition, binds the user to the car, etc. In the security definition, a ciphertext under a changed label counts as a new ciphertext, so decrypting under any other label than the one the ciphertext was created for reveals nothing about the message.

Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
– Open problem: to find new ones
ElGamal Encryption Scheme

Group $G = \langle g \rangle$ of order $q$
Secret key $x \in \{1, \dots, q\}$, public key $y = g^{x}$
To encrypt a message $m \in \langle g \rangle$:
– choose random $r \in \{1, \dots, q\}$
– compute $c = (y^{r} m,\ g^{r})$
To decrypt a ciphertext $c = (c_1, c_2)$:
– we know $c = (y^{r} m,\ g^{r}) = (g^{xr} m,\ g^{r})$
– thus set $m = c_1 c_2^{-x} = y^{r} m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection

Alice's pseudonym is $Nym = g^{sk} h^{r}$ and her credential is $d = c^{e} a_1^{sk} a_2^{r} a_3^{name} b^{s' + s''} \pmod n$; the inspector's public key is $y = g^{x}$.

Encrypt $Nym$: choose random $u \in \{1, \dots, q\}$ and compute $enc = (y^{u} Nym,\ g^{u}) = (e_1, e_2)$.

Compute the proof token (presentation token):
– compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
– compute the proof
  $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \sigma, \rho):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \pmod n \ \wedge\ e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \ \wedge\ e_2 = g^{\rho} \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
  (the same $\mu_1, \mu_2$ occur in the credential clause and in the encryption clause, so the ciphertext provably contains the pseudonym certified in the credential, and the inspector recovers $Nym$ with $e_1 e_2^{-x}$)
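The ElGamal slide and the two encryption clauses of the inspection proof, $e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \wedge e_2 = g^{\rho}$, as an added runnable example (not code from the slides or from Identity Mixer): the proof is made non-interactive with Fiat-Shamir and the label of the "Verifiable Encryption with Label" slide is hashed into the challenge, so the same ciphertext does not verify under another label. The credential clause and the range proofs are left out. Everything about the group is an assumption made for the example: the subgroup of order $Q = 2^{127}-1$ in $\mathbb{Z}_p^*$ for the first prime $p = kQ + 1$, with $g = 2^{k}$ and $h = 3^{k}$; the inspector key, Alice's $sk$ and $r$, and the label string are constructed values.

```python
"""Added example: ElGamal encryption of a pseudonym plus a labelled proof that the
ciphertext contains the pseudonym whose opening (sk, r) the prover knows.

Group: the order-Q subgroup of Z_P^* with Q = 2^127 - 1 (a known prime) and P the first
prime of the form k*Q + 1; g = 2^k, h = 3^k. Constructed for the example, not secure sizes.
"""
import hashlib
import secrets

Q = 2**127 - 1                     # Mersenne prime M127, the subgroup order


def is_probable_prime(n, rounds=24):
    """Miller-Rabin; only used to set up the example group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _setup_group():
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    g, h = pow(2, k, p), pow(3, k, p)         # k-th powers have order Q because Q is prime
    assert 1 not in (g, h) and g != h
    return p, g, h


P, G, H = _setup_group()


def keygen():
    """Inspector's key pair (x, y = g^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def pseudonym(sk, r):
    return pow(G, sk, P) * pow(H, r, P) % P


def encrypt(y, nym):
    """ElGamal: (e1, e2) = (y^u * Nym, g^u); the randomness u is returned for the proof."""
    u = secrets.randbelow(Q - 1) + 1
    return (pow(y, u, P) * nym % P, pow(G, u, P)), u


def decrypt(x, ct):
    e1, e2 = ct
    return e1 * pow(e2, -x, P) % P            # y^u Nym * g^(-xu) = Nym


def _challenge(label, *values):
    data = label.encode() + b"\x00" + b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_encryption(y, ct, u, sk, r, label):
    """PK{(rho, mu1, mu2): e1 = y^rho g^mu1 h^mu2  and  e2 = g^rho}, label in the challenge."""
    e1, e2 = ct
    k_rho, k1, k2 = (secrets.randbelow(Q) for _ in range(3))
    t1 = pow(y, k_rho, P) * pow(G, k1, P) * pow(H, k2, P) % P
    t2 = pow(G, k_rho, P)
    c = _challenge(label, y, e1, e2, t1, t2)
    return {"t1": t1, "t2": t2, "s_rho": (k_rho + c * u) % Q,
            "s1": (k1 + c * sk) % Q, "s2": (k2 + c * r) % Q}


def verify_encryption(y, ct, proof, label):
    """Verifier learns that (e1, e2) encrypts some g^mu1 h^mu2 under y, but not mu1, mu2."""
    e1, e2 = ct
    c = _challenge(label, y, e1, e2, proof["t1"], proof["t2"])
    lhs1 = pow(y, proof["s_rho"], P) * pow(G, proof["s1"], P) * pow(H, proof["s2"], P) % P
    ok1 = lhs1 == proof["t1"] * pow(e1, c, P) % P
    ok2 = pow(G, proof["s_rho"], P) == proof["t2"] * pow(e2, c, P) % P
    return ok1 and ok2


def demo():
    x, y = keygen()
    sk, r = 123456789, 987654321                       # Alice's constructed secrets
    nym = pseudonym(sk, r)
    label = "car-rental|plate=ZH-12345|open only with a damage report"
    ct, u = encrypt(y, nym)
    proof = prove_encryption(y, ct, u, sk, r, label)
    return {"verifies": verify_encryption(y, ct, proof, label),
            "other_label_rejected": not verify_encryption(y, ct, proof, "some other context"),
            "inspector_recovers_nym": decrypt(x, ct) == nym}
```

The responses are reduced modulo $Q$ because the group order is public here; in the hidden-order RSA group of the credential itself they would have to be computed over the integers, which is also why the slides' proofs carry explicit range constraints on the exponents.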
Revocation of Credentials

Anonymous Credential Revocation

[Diagram: the issuer publishes revocation information; the verifier looks it up when Alice presents her credential.]
– Alice should be able to convince the verifier that her credential is among the good ones
– Various reasons to revoke a credential: the user lost the credential or its secret key, misbehavior of the user, ...
– Pseudonyms → standard revocation lists don't work: presentations are unlinkable, so the verifier never sees a stable identifier it could look up
Revocable Credentials: First Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s' + s''} \pmod n$

Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$

Alice proves that her $u_i$ is on the list:
– choose random $g$
– compute $U_j = g^{u_j}$ for every $u_j$ in $(u_1, \dots, u_k)$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_1 = g^{\mu}) \ \vee\ \dots\ \vee\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_k = g^{\mu})\}$

Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution

Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e} a_1^{sk} a_2^{u_i} b^{s' + s''} \pmod n$

Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$

Alice proves that her $u_i$ is not on the list:
– choose random $h$ and compute $U = h^{u_i}$
– prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U = h^{\mu}\}$
– the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list

Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification).

– What happens if we make the list of all valid $u_i$'s public instead?
– If a credential is revoked, all of its past transactions become linkable: its $u_i$ is now public, so every stored pair $(h, U)$ can be tested for $U = h^{u_i}$
Revocable Credentials: Second Solution

Variation: the verifier could choose $h$ and keep it fixed for a while
– it can then pre-compute the list $U_j = h^{u_j}$ → a single table lookup per presentation
– BUT if the user comes again, the verifier can link the two visits (same $h$ and same $u_i$ give the same $U$)
– ALSO the verifier could simply never change $h$, or use the same $h$ as other verifiers, and link across time and across verifiers
– one way out: $h = H(verifier, date)$, so the user can check that $h$ was derived correctly; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
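The verifier's side of the second solution and the linkability trade-off of the last two slides, as an added runnable example (not code from the slides or from Identity Mixer). It shows the linear check with a fresh $h$, the precomputed table a fixed $h$ allows, the way a fixed $h$ links a returning user's visits, and $h = H(verifier, date)$ that the user can recompute. The zero-knowledge proof that $U$ was formed from the credential's own $u_i$ is omitted, so only $U = h^{u_i}$ and the list check are exercised; the modulus, the revocation list, the credential IDs, the verifier name and the timestamps are constructed values.

```python
"""Added example: the "second solution" non-revocation check and why the base h matters.

Constructed toy data; the ZK proof linking U to the credential is left out.
"""
import hashlib

N = 1000000007 * 998244353           # toy RSA modulus, as on the accumulator slides (assumption)
REVOKED = [1009, 1013, 1019]         # constructed list of revoked credential IDs u_j


def commit(h, u):
    """Alice's U = h^u_i mod n."""
    return pow(h, u, N)


def check_fresh_h(h, U, revoked):
    """Fresh h per presentation: the verifier does linear work, nothing can be precomputed."""
    return all(U != pow(h, u_j, N) for u_j in revoked)


class FixedHVerifier:
    """Keeps one h: precomputes {h^u_j} once and checks with a single lookup ..."""

    def __init__(self, h, revoked):
        self.h = h
        self.table = {pow(h, u_j, N) for u_j in revoked}
        self.seen = []                    # ... but every U it has ever seen stays comparable

    def check(self, U):
        self.seen.append(U)
        return U not in self.table

    def linked_revisits(self):
        """With one h a returning user produces the same U, so her visits are linkable."""
        return len(self.seen) - len(set(self.seen))


def derive_h(verifier_id, timestamp):
    """h = H(verifier, date), squared to land in the quadratic residues. The user recomputes
    it and refuses a verifier that sends any other h."""
    digest = hashlib.sha256(f"{verifier_id}|{timestamp}".encode()).digest()
    return pow(int.from_bytes(digest, "big") % N, 2, N)


def demo():
    alice, bob, mallory = 1021, 1031, 1013        # mallory's credential is on the list
    out = {}

    # Fresh h per presentation (here a per-second h that both sides can recompute)
    h1 = derive_h("shop.example", "2015-08-11T10:00:00")
    h2 = derive_h("shop.example", "2015-08-11T10:00:01")
    out["fresh_alice_ok"] = check_fresh_h(h1, commit(h1, alice), REVOKED)
    out["fresh_mallory_ok"] = check_fresh_h(h1, commit(h1, mallory), REVOKED)
    out["fresh_visits_unlinkable"] = commit(h1, alice) != commit(h2, alice)

    # One fixed h: cheap lookups, but Alice's two visits are linked
    verifier = FixedHVerifier(derive_h("shop.example", "2015-08"), REVOKED)
    out["fixed_alice_ok"] = verifier.check(commit(verifier.h, alice))
    out["fixed_bob_ok"] = verifier.check(commit(verifier.h, bob))
    out["fixed_mallory_ok"] = verifier.check(commit(verifier.h, mallory))
    verifier.check(commit(verifier.h, alice))
    out["fixed_linked_revisits"] = verifier.linked_revisits()

    # The user's check that h really is H(verifier, date)
    out["user_can_verify_h"] = h1 == derive_h("shop.example", "2015-08-11T10:00:00")
    return out
```

With a per-second $h$ the verifier can still precompute one table per second in advance, as the slide suggests; what it loses is the ability to compare $U$ values across seconds, which is exactly the linkability the fixed $h$ gave it.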
Revocable Credentials: Second Solution

… better implementation of the proof
– The issuer signs the intervals between the revoked IDs: for the revocation list $\{1, 4, 5\}$ it publishes $Sig(0,1)$, $Sig(1,4)$, $Sig(4,5)$, $Sig(5,N)$
– [Diagram: Alice's credential contains the ID 3, which lies in the interval $(1,4)$]
– Alice proves that her credential contains a $u$ with $i < u < j$ and that she holds $Sig(i,j)$ for these $i, j$ (here $Sig(1,4)$)
– The verifier does not learn $i$, $j$; revoking a further ID splits one interval, so only two new interval signatures have to be published
– $Sig(i,j)$ can be realised with the credential signature scheme itself, using a different public key
Revocable Credentials: Third Solution

Using cryptographic accumulators
– credentials contain a random serial number
– the issuer accumulates all good serial numbers
– [Diagram: the accumulator contains the serial numbers 1 to 6; Alice proves that the serial number in her credential (2) is included in the accumulator. The proof requires a witness.]
– to revoke 2, the issuer publishes a new accumulator and new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution

Using so-called cryptographic accumulators. Key setup: RSA modulus $n$, seed $v$.

Accumulate
– values are primes $e_i$
– accumulator value $z = v^{\prod_i e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ such that $z = x^{e_j} \bmod n$; it can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$

Show that your value $e$ is contained in the accumulator
– provide $x$ for $e$
– the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution

Security of the accumulator: it must be infeasible to find $x$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
– for a fixed $e$: equivalent to the RSA assumption
– for any (adversarially chosen) $e$: equivalent to the Strong RSA assumption
– note that the product $e_1 e_2$ of two accumulated values trivially has a witness; this is why in the Camenisch-Lysyanskaya construction the values are primes from a fixed range (no product of two of them lies in the range), and the membership proof has to show that $e$ lies in that range

Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ together with the certificate. But we still need
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to add and remove values as certificates come and go
Revocable Credentials: Third Solution

Prove that the value $e$ in your certificate is in the accumulator
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^{s}$, $U_2 = g^{s}$; reveal $U_1, U_2, g$ ($h$ is a public base)
– Run the proof protocol with the verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n \ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \ \wedge\ U_2 = g^{\delta} \pmod n\}$
  (as in the other proofs, the exponents additionally have to be shown to lie in their ranges; this is omitted here)
Revocable Credentials: Third Solution

Analysis
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • the proof protocol is zero-knowledge
– The proof indeed shows that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n$ $\Rightarrow$ $\xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$, i.e. the prover knows a $\mu$-th root of $z$, namely $x = U_1 h^{-\delta}$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$, i.e. the same $\mu$ is the value $e$ certified in the credential
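The membership proof of the last two slides, as an added runnable example (not code from the slides or from Identity Mixer): a non-interactive (Fiat-Shamir) version of the three accumulator clauses $z = U_1^{\mu}(1/h)^{\xi}$, $1 = U_2^{\mu}(1/g)^{\xi}$ and $U_2 = g^{\delta}$, which are the equations a), b) of the analysis. The credential clause $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma}$ and the range proofs are left out, so only the accumulator part is shown. The modulus (two well-known primes), the seed $v = 4$, the base $h = 9$, the hash used as challenge and the widths of the random exponents are assumptions made for the example. Responses are computed over the integers and never reduced, since the prover does not know the group order.

```python
"""Added example: accumulator membership proof of the slides (accumulator clauses only).

Toy parameters: a ~60-bit RSA modulus from two well-known primes instead of a 2048-bit
one, a 128-bit Fiat-Shamir challenge and small prime "serial numbers". Nothing here is
secure; it only exercises the algebra of the protocol.
"""
import hashlib
import secrets
from math import prod

P, Q = 1000000007, 998244353      # toy factorization (assumption for the example)
N = P * Q
V = 4                              # accumulator seed v, a quadratic residue
H = 9                              # public base h for the commitment U1 = x * h^s
CHALLENGE_BITS = 128
SLACK_BITS = 80                    # statistical hiding margin for the Sigma-protocol randomness


def accumulate(primes):
    """z = v^(e_1 ... e_k) mod n and the witness x_j = v^(prod_{i != j} e_i) for every member."""
    z = pow(V, prod(primes), N)
    witnesses = {e: pow(V, prod(primes) // e, N) for e in primes}
    return z, witnesses


def _challenge(*values):
    data = b"|".join(str(v).encode() for v in values)
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - CHALLENGE_BITS)


def _mask(secret_bits):
    # randomness wide enough that r + c*secret statistically hides the secret
    return secrets.randbits(secret_bits + CHALLENGE_BITS + SLACK_BITS)


def prove_membership(z, e, x, e_bits):
    """Prover with certificate value e and witness x (z = x^e): commit to x, then prove
    PK{(mu, xi, delta): z = U1^mu h^-xi  and  1 = U2^mu g^-xi  and  U2 = g^delta}."""
    assert pow(x, e, N) == z, "witness does not open the accumulator for e"
    s = secrets.randbits(e_bits + SLACK_BITS)
    g = pow(secrets.randbelow(N - 2) + 2, 2, N)   # fresh base chosen by the prover, revealed
    U1 = x * pow(H, s, N) % N                      # commitment to the witness x
    U2 = pow(g, s, N)                              # commitment to the blinding s
    mu, xi, delta = e, s * e, s                    # the hidden exponents (xi = delta * mu)
    r_mu, r_xi, r_delta = _mask(e_bits), _mask(e_bits + s.bit_length()), _mask(s.bit_length())
    h_inv, g_inv = pow(H, -1, N), pow(g, -1, N)
    t1 = pow(U1, r_mu, N) * pow(h_inv, r_xi, N) % N
    t2 = pow(U2, r_mu, N) * pow(g_inv, r_xi, N) % N
    t3 = pow(g, r_delta, N)
    c = _challenge(N, z, H, g, U1, U2, t1, t2, t3)
    # responses over the integers: the prover must not reduce them modulo anything
    return {"g": g, "U1": U1, "U2": U2, "t1": t1, "t2": t2, "t3": t3,
            "s_mu": r_mu + c * mu, "s_xi": r_xi + c * xi, "s_delta": r_delta + c * delta}


def verify_membership(z, proof):
    """Verifier: recompute the challenge and check the three equations; learns neither e nor x."""
    p = proof
    c = _challenge(N, z, H, p["g"], p["U1"], p["U2"], p["t1"], p["t2"], p["t3"])
    h_inv, g_inv = pow(H, -1, N), pow(p["g"], -1, N)
    ok1 = pow(p["U1"], p["s_mu"], N) * pow(h_inv, p["s_xi"], N) % N == p["t1"] * pow(z, c, N) % N
    ok2 = pow(p["U2"], p["s_mu"], N) * pow(g_inv, p["s_xi"], N) % N == p["t2"]
    ok3 = pow(p["g"], p["s_delta"], N) == p["t3"] * pow(p["U2"], c, N) % N
    return ok1 and ok2 and ok3


def demo():
    members = [11, 13, 19, 23, 29]                 # constructed "serial numbers" of good credentials
    z, witnesses = accumulate(members)
    honest = prove_membership(z, 19, witnesses[19], e_bits=8)
    tampered = dict(honest, s_mu=honest["s_mu"] + 1)   # a modified response must not verify
    return {"honest": verify_membership(z, honest), "tampered": verify_membership(z, tampered)}
```

The three verification equations are exactly a) and b) of the analysis: the second equation forces $\xi = \delta\mu$ in the exponent, and the first then says that $U_1 h^{-\delta}$ is a $\mu$-th root of $z$.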
Revocation: Third Solution

Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
– Recall $z = v^{\prod_i e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution

Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$ (computed from $v$ and the remaining $e_i$, or as an $e_{rev}$-th root if the issuer knows the factorization of $n$)
– Witness update, done by every remaining user without any secret:
  • use the extended Euclidean algorithm to compute $a$ and $b$ such that $a e_{own} + b e_{rev} = 1$
  • set $x' = x^{b} z'^{a} \bmod n$ (one of $a$, $b$ is negative, so this needs an inverse modulo $n$)
  • Why: $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b e_{rev}} (z'^{e_{rev}})^{a e_{own}}\big)^{1/e_{rev}} = \big(z^{b e_{rev}} z^{a e_{own}}\big)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)

Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
– Recall $z = v^{\prod_i e_i} \bmod n$
– Actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and hand out $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed when a new member joins
– Witnesses need to be recomputed upon revocation only
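The dynamic accumulator operations of the last three slides, as an added runnable example (not code from the slides or from Identity Mixer): the plain join that changes $z$ and invalidates every witness, the revocation after which each remaining user repairs her witness with the extended Euclidean algorithm and no secret, and the improved join where the issuer, knowing $\varphi(n)$, keeps $z$ fixed. The modulus built from two well-known primes, the seed $v = 4$, the small prime serial numbers and the `Issuer` class are assumptions made for the example; a real deployment uses a large modulus and primes from a fixed range.

```python
"""Added example: the dynamic RSA accumulator updates of the slides.

Shows the plain join (z changes, all witnesses change), the revocation (z changes, each
remaining user repairs her witness with the extended Euclidean algorithm and no secret),
and the improved join (issuer with phi(n) keeps z fixed). Toy modulus and serial numbers.
"""
from math import gcd, prod

P, Q = 1000000007, 998244353      # toy factorization, known to the issuer only (assumption)
N = P * Q
PHI = (P - 1) * (Q - 1)
V = 4                              # public seed v


def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def verify(z, e, x):
    """The verifier's check from the slides: z == x^e mod n."""
    return pow(x, e, N) == z


class Issuer:
    """Holds the factorization, so it can take e-th roots modulo n."""

    def __init__(self):
        self.members = []
        self.z = V

    def _root(self, value, e):
        return pow(value, pow(e, -1, PHI), N)   # e-th root via e^-1 mod phi(n)

    def add(self, e_new):
        """Plain join: z' = z^e_new; everybody else must update x' = x^e_new."""
        assert e_new not in self.members and gcd(e_new, PHI) == 1
        self.members.append(e_new)
        self.z = pow(self.z, e_new, N)
        return self.z

    def add_keeping_z(self, e_new):
        """Improved join: leave z alone (implicitly v' = v^(1/e_new)) and hand the new
        member the witness x = z^(1/e_new). Nobody else has to update."""
        assert e_new not in self.members and gcd(e_new, PHI) == 1
        self.members.append(e_new)
        return self._root(self.z, e_new)

    def witness(self, e):
        """x with x^e = z; equals v^(product of the other e_i) in the plain scheme."""
        assert e in self.members
        return self._root(self.z, e)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev); the issuer publishes z' together with e_rev."""
        self.members.remove(e_rev)
        self.z = self._root(self.z, e_rev)
        return self.z


def update_after_join(x, e_new):
    return pow(x, e_new, N)


def update_after_revoke(x, e_own, e_rev, z_new):
    """User side, no secrets: with a*e_own + b*e_rev = 1, x' = x^b * z'^a satisfies
    x'^e_own = z'. One of a, b is negative; pow(..., N) handles that via the inverse."""
    g, a, b = ext_gcd(e_own, e_rev)
    assert g == 1, "serial numbers are distinct primes, so they are coprime"
    return pow(x, b, N) * pow(z_new, a, N) % N


def demo():
    issuer = Issuer()
    for e in (11, 13, 19):
        issuer.add(e)
    x13 = issuer.witness(13)                       # Alice holds serial 13
    out = {"initial": verify(issuer.z, 13, x13)}

    z = issuer.add(23)                             # plain join: Alice's witness goes stale
    out["stale_after_join"] = verify(z, 13, x13)
    x13 = update_after_join(x13, 23)
    out["repaired_after_join"] = verify(z, 13, x13)

    x29 = issuer.add_keeping_z(29)                 # improved join: z unchanged, no updates
    out["improved_join"] = verify(issuer.z, 13, x13) and verify(issuer.z, 29, x29)

    x19 = issuer.witness(19)                       # Bob holds serial 19 and gets revoked
    z = issuer.revoke(19)
    out["revoked_fails"] = verify(z, 19, x19)
    x13 = update_after_revoke(x13, 13, 19, z)       # Alice repairs hers without any secret
    out["repaired_after_revoke"] = verify(z, 13, x13)
    return out
```

Only the revocation forces the remaining users to act, and the information they need ($z'$ and $e_{rev}$) is public, so the issuer can publish it once rather than hand each user a new witness.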
Revocation: Zeroth Solution

Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution

Re-issue certificates (off-line, since interaction might be too expensive)

Recall issuing for Identity Mixer:
– User → Issuer: $U = a_1^{m_1} a_2^{m_2} b^{s'} \bmod n$ (the user's attributes $m_1, m_2$ stay hidden in $U$)
– Issuer chooses $e, s''$ and computes $c = \big(d / (U\, a_3^{m_3} a_4^{time}\, b^{s''})\big)^{1/e} \bmod n$
– Issuer → User: $(c, e, s'')$
Revocation: Zeroth Solution

Re-issue certificates (off-line, since interaction might be too expensive)
– Idea: just repeat the last step for each new time period $time_i$
– Issuer chooses $e_i, s_i''$ and computes $c_i = \big(d / (U\, a_3^{m_3} a_4^{time_i}\, b^{s_i''})\big)^{1/e_i} \bmod n$
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
– A revoked credential stays usable until its current period ends, so the period length trades timeliness of revocation against issuer load
Conclusions

Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)

Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell

Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog

Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
References

– D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
– S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
– M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
– J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag.
– G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag.
– J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
– J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
– M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
– E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
– S. Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
– J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
– D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
– D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
– D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
– J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
– V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
– D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
– T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Lecture Notes in Computer Science, Springer-Verlag.
Ateniese, Song, Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer-Verlag.
Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup. Credential Authenticated Identification and Key Exchange. CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya, Gregory Neven. Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets With Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
David Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
David Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
Victor Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
Concept – Inspection
(diagram: trusted third party (TTP), inspector parameters, inspection grounds)
• If the car is damaged, the ID needs to be retrieved, with the insurance or the government.
• Similarly, any certified attribute can be verifiably encrypted (optional).
• The TTP is off-line and can be distributed to lessen trust.
Public Key Encryption
(diagram: key generation, encryption, decryption)
Security
• Like envelopes: no information about the message is revealed.
• This is called semantic security (secure if used once only, or within a careful construction).
Verifiable Encryption with Label
• The label is important to bind context to an encryption. E.g., it defines the decryption condition, binds the user to the car, etc.
• Security definition: a change of label is a new ciphertext.
(diagram: verifiable encryption with label)
Verifiable Encryption
• Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
• Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
• Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
• Open problem: to find new ones
ElGamal Encryption Scheme
• Group G = <g> of order q
• Secret key: x ∈ [1, q]; public key: y = g^x
• To encrypt a message m ∈ <g>:
  – choose random r ∈ [1, q]
  – compute c = (y^r m, g^r)
• To decrypt a ciphertext c = (c_1, c_2):
  – We know c = (y^r m, g^r) = (g^{xr} m, g^r)
  – Thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = y^{r-r} m = m
Realizing Inspection
• Pseudonym: Nym = g^{sk} h^r
• Credential: d = c^e a_1^{sk} a_2^{r} a_3^{name} b^{s''+s} (mod n)
• Inspector key: y = g^x
• Encrypt Nym: random u ∈ [1, q] and enc = (y^u Nym, g^u) = (e_1, e_2). Compute the proof token (presentation token):
  – compute c' = c b^t mod n with randomly chosen t
  – compute the proof
    PK{(ε, μ_1, μ_2, μ_3, ρ, σ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ and e_1 = y^ρ g^{μ_1} h^{μ_2} and e_2 = g^ρ and μ_1, μ_2, μ_3 ∈ {0,1}^ℓ and ε > 2^{ℓ+1}}
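The ElGamal scheme and the inspection flow of the two preceding slides, as an added example that is not part of the original deck: a user forms Nym = g^sk h^r, encrypts it under the inspector's key y = g^x, and the inspector recovers Nym by decryption. The group (P = 2039, Q = 1019, G = 4), the second generator H = G^7, and all sample keys and messages are constructed toy values, far too small for real use; messages are group elements, as on the slide.

```python
import secrets

# Toy group parameters, constructed for this example and far too small for real use.
# P is a safe prime, Q = (P - 1) / 2 is prime, and G = 2^2 generates the order-Q
# subgroup of quadratic residues mod P (a square that is not 1 has order exactly Q).
P = 2039
Q = 1019
G = 4
# Second generator for pseudonyms, Nym = G^sk * H^r. H = G^7 is a constructed
# choice; in a real deployment nobody may know log_G(H).
H = pow(G, 7, P)


def is_prime(n):
    """Trial division; enough for the toy parameters above."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_params():
    """Sanity-check the toy group: safe prime, and G has order exactly Q."""
    return (is_prime(P) and is_prime(Q) and P == 2 * Q + 1
            and G != 1 and pow(G, Q, P) == 1)


def in_group(m):
    """Messages must be elements of <G>; the membership test is m^Q == 1 mod P."""
    return 0 < m < P and pow(m, Q, P) == 1


def keygen(x=None):
    """Secret key x in [1, Q-1] (random unless given), public key y = G^x."""
    if x is None:
        x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def encrypt(y, m, r=None):
    """ElGamal as on the slide: choose random r, output c = (y^r * m, G^r)."""
    if not in_group(m):
        raise ValueError("message must be an element of <G>")
    if r is None:
        r = 1 + secrets.randbelow(Q - 1)   # fresh r per encryption: semantic security
    return (pow(y, r, P) * m % P, pow(G, r, P))


def decrypt(x, c):
    """m = c1 * c2^(-x): c2^(-x) = G^(-x r) cancels the y^r = G^(x r) factor."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P


def pseudonym(sk, r):
    """Nym = G^sk * H^r, the pseudonym the user encrypts for the inspector."""
    return pow(G, sk, P) * pow(H, r, P) % P


def inspection_round(inspector_sk, inspector_pk, user_sk, user_r):
    """The user encrypts her pseudonym under the inspector's key at presentation time;
    when the inspection grounds are met, the inspector decrypts and recovers Nym."""
    nym = pseudonym(user_sk, user_r)
    enc = encrypt(inspector_pk, nym)          # (e1, e2) = (y^u * Nym, G^u)
    return decrypt(inspector_sk, enc) == nym
```

The zero-knowledge proof that (e_1, e_2) really encrypts the pseudonym bound to the credential is what makes this verifiable encryption; the block only shows the encryption half that the proof is about.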
Revocation of credentials

Anonymous Credential Revocation
(diagram: the issuer publishes revocation information; the verifier looks it up)
• There are various reasons to revoke a credential: the user lost the credential secret key, misbehavior of the user, ...
• Alice should be able to convince the verifier that her credential is among the good ones.
• Pseudonyms → standard revocation lists don't work.
Revocable Credentials: First Solution
• Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s''+s} (mod n)
• Publish the list of all valid (or invalid) u_i's: (u_1, ..., u_k)
• Alice proves that her u_i is on the list:
  – Choose random g
  – Compute U_j = g^{u_j} for u_j in (u_1, ..., u_k)
  – Prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) and U_1 = g^μ) or ... or (d = c^ε a_1^ρ a_2^μ b^σ (mod n) and U_k = g^μ)}
• Not very efficient, i.e. linear in the size k of the list :-(
Revocable Credentials: Second Solution
• Include into the credential some credential ID u_i as a message, e.g. d = c^e a_1^{sk} a_2^{u_i} b^{s''+s} (mod n)
• Publish the list of all invalid u_i's: (u_1, ..., u_k)
• Alice proves that her u_i is not on the list:
  – Choose random h and compute U = h^{u_i}
  – Prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) and U = h^μ}
  – Verifier checks whether U ≠ h^{u_j} for all u_j on the list
• Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
• What happens if we make the list of all invalid u_i's public? If a credential is revoked, all of its past transactions become linkable.
Revocable Credentials: Second Solution (variation)
• Variation: the verifier could choose h and keep it fixed for a while
  – Can pre-compute the list U_i = h^{u_i} → single table lookup
  – BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
  – One way out: h = H(verifier, date), so the user can check correctness
  – date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
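The second solution and its h = H(verifier, date) variation, as an added example that is not part of the original deck. It reuses the toy group (P = 2039, Q = 1019, G = 4) from the ElGamal example; the hash-to-group encoding h = G^(1 + H mod (Q-1)) and the sample revoked IDs are assumptions of this example. The zero-knowledge proof that U was formed with the credential's own u_i is part of the slides but omitted here; the block shows the verifier's list check, the precomputed-table variant, and why a fixed h (or a published u_i) makes showings linkable.

```python
import hashlib

# Same toy group as in the ElGamal example (constructed; not for real use):
# P = 2*Q + 1 with both prime, and G = 4 generates the order-Q subgroup mod P.
P, Q, G = 2039, 1019, 4


def derive_base(verifier_id, date):
    """h = H(verifier, date), mapped into <G> as G^(1 + H mod (Q-1)).
    The encoding is an assumption of this example; what matters is that both
    parties can recompute h, so the user can check the verifier did not pick it."""
    digest = hashlib.sha256(f"{verifier_id}|{date}".encode()).digest()
    return pow(G, 1 + int.from_bytes(digest, "big") % (Q - 1), P)


def show(verifier_id, date, u):
    """User side: derive h and reveal U = h^u (the proof PK{...: U = h^mu} that u is
    the credential's own ID accompanies U on the slides; it is omitted here)."""
    h = derive_base(verifier_id, date)
    return h, pow(h, u, P)


def verifier_accepts(h, U, revoked_ids):
    """Second solution: accept iff U != h^{u_j} for every revoked u_j (linear work)."""
    return all(U != pow(h, uj, P) for uj in revoked_ids)


def precomputed_table(h, revoked_ids):
    """Variation with fixed h: precompute {h^{u_j}}, so each check is one lookup."""
    return {pow(h, uj, P) for uj in revoked_ids}


def accepts_by_lookup(table, U):
    return U not in table


def links_to(h, U, u):
    """Once u is published as revoked, any stored showing (h, U) can be tested
    against it: this is the slide's point that past transactions become linkable."""
    return U == pow(h, u, P)
```

With a per-session h the verifier's work is linear in the list, with a fixed h it is one lookup; the price of the fixed h is that two showings by the same user produce the same U, which the test below makes visible.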
Revocable Credentials: Second Solution (... better implementation of the proof)
(diagram: revoked values {1, 4, 5}; signed intervals Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N); a credential containing 3, with 1 < 3 < 4 and Sig(1,4))
• The issuer signs the intervals between the revoked values → revocation list {1, 4, 5} becomes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
• The credential contains a value u; the proof shows i < u < j together with Sig(i, j). The verifier does not learn i, j.
• Sig(i, j) can be realised also with the credential signature scheme, using a different public key.
Revocable Credentials: Third Solution – Using cryptographic accumulators
(diagram: the issuer accumulates serial numbers 1 to 6; a credential containing 2 proves that 2 is included in the accumulator)
• Credentials contain a random serial number
• The issuer accumulates all good serial numbers
• The proof requires a witness that the credential's serial number is included in the accumulator
• To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
• Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
• Accumulate:
  – values are primes e_i
  – accumulator value z = v^{Π e_i} mod n
  – publish z and n
  – the witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
• Show that your value e is contained in the accumulator:
  – provide x for e
  – the verifier checks z = x^e mod n
Revocable Credentials: Third Solution
• Security of the accumulator: it must be infeasible to show x, e s.t. z = x^e mod n for an e that is not contained in the accumulator
  – For fixed e: equivalent to the RSA assumption
  – Any e: equivalent to the Strong RSA assumption
• Revocation: each cert is associated with an e, and each user gets a witness x with the certificate. But we still need:
  – An efficient protocol to prove that a committed value is contained in the accumulator
  – A dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
• Prove that your key is in the accumulator:
  – Commit to x:
    • choose random s and g, and
    • compute U_1 = x h^s, U_2 = g^s and reveal U_1, U_2, g
  – Run the proof protocol with the verifier:
    PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) and z = U_1^μ (1/h)^ξ (mod n) and 1 = U_2^μ (1/g)^ξ (mod n) and U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution
• Analysis
  – No information about x and e is revealed:
    • (U_1, U_2) is a secure commitment to x
    • the proof protocol is zero-knowledge
  – The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
    a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
    b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 h^{-δ})^μ (mod n)
    c) d = c^ε a_1^ρ a_2^μ b^σ (mod n)
Revocation: Third Solution
• Dynamic Accumulator. When a new user gets a certificate containing e_new:
  – Recall z = v^{Π e_i} mod n
  – Thus z' = z^{e_new} mod n
  – But then all witnesses are no longer valid, i.e. they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
• Dynamic Accumulator. When a certificate containing e_rev is revoked:
  – Now z' = v^{Π e_i} = z^{1/e_rev} mod n
  – Witness:
    • Use Ext. Euclid to compute a and b s.t. a e_own + b e_rev = 1
    • Now x' = x^b z'^a mod n
    • Why: x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
      = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
      = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
• Dynamic Accumulator, in case the issuer knows the factorization of n. When a new user gets a certificate containing e_new:
  – Recall z = v^{Π e_i} mod n
  – Actually, v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
  – Thus z need not be changed when a new member joins
• Witnesses need to be recomputed upon revocation only
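The RSA accumulator of the preceding slides, as an added example that is not part of the original deck: accumulation and witness computation, the verifier's check z = x^e mod n, the plain dynamic join (z' = z^e_new with witness update x' = x^e_new), the revocation step with the extended-Euclid witness update, and the improved join that leaves z unchanged. The modulus n = 1019 · 1021, the seed v = 4 and the prime serial numbers are constructed toy values; a real modulus is thousands of bits and its factorization is the issuer's secret.

```python
from math import gcd

# Toy RSA modulus with factorization known to the issuer (constructed; real moduli
# are 2048+ bits and the factorization is the issuer's secret).
P_FACTOR, Q_FACTOR = 1019, 1021
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
V = 4   # seed, a quadratic residue mod N


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def product(values):
    out = 1
    for val in values:
        out *= val
    return out


def _check_exponent(e):
    # Taking e-th roots mod N requires e invertible mod phi(N).
    if gcd(e, PHI) != 1:
        raise ValueError("e must be coprime to phi(n)")


class Issuer:
    """Accumulator z = v^(prod e_i) mod n over prime serial numbers e_i."""

    def __init__(self, primes):
        for e in primes:
            _check_exponent(e)
        self.v = V
        self.members = list(primes)
        self.z = pow(self.v, product(self.members), N)

    def witness(self, e):
        """x = v^(product of all other e_i), so that x^e = z."""
        others = [m for m in self.members if m != e]
        return pow(self.v, product(others), N)

    def add(self, e_new):
        """Plain dynamic join: z' = z^e_new; every existing witness must be updated."""
        _check_exponent(e_new)
        self.members.append(e_new)
        self.z = pow(self.z, e_new, N)
        return self.z

    def add_keeping_z(self, e_new):
        """Improved join (issuer knows phi(n)): v' = v^(1/e_new), the newcomer's
        witness is z^(1/e_new), and z is unchanged, so old witnesses stay valid."""
        _check_exponent(e_new)
        inv = pow(e_new, -1, PHI)
        self.v = pow(self.v, inv, N)
        self.members.append(e_new)
        return pow(self.z, inv, N)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev); needs phi(n). Remaining users update their witnesses."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, PHI), N)
        return self.z


def verify(z, x, e):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z


def witness_after_add(x, e_new):
    """User-side update when e_new joined under the plain scheme: x' = x^e_new."""
    return pow(x, e_new, N)


def witness_after_revoke(x, e_own, z_new, e_rev):
    """User-side update after e_rev was revoked, exactly as on the slide:
    a*e_own + b*e_rev = 1 (Ext. Euclid), x' = x^b * z'^a mod n.
    Negative exponents are fine: pow(base, -k, N) is the inverse raised to k."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return pow(x, b, N) * pow(z_new, a, N) % N
```

The test below also checks the failure mode the slides rely on: after revocation, the revoked member's old witness no longer verifies against the new z.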
Revocation: Zeroth Solution
• Update of credentials: encode the validity time as an attribute
  → no additional effort for the verifier
  → if the credential is valid, no need to check revocation updates from the issuer
Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
• Recall issuing for Identity Mixer:
  – User: U = a_1^{m_1} a_2^{m_2} b^{s} (mod n); sends U to the issuer
  – Issuer: chooses e, s''; computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n; returns (c, e, s'')
Revocation: Zeroth Solution – Re-issue certificates (off-line; interaction might be too expensive)
• Idea: just repeat the last step for each new time time_i
• The update information (c_i, e_i, s_i'') can be pushed to the user by many different means
  – Choose e_i, s_i''
  – c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
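The zeroth solution of the two preceding slides, as an added example that is not part of the original deck or of the Identity Mixer code base: the user sends U = a_1^{m_1} a_2^{m_2} b^{s} once, the issuer computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n, and repeats that last step with fresh (e_i, s_i'') for each new validity time. The modulus n = 1019 · 1021 and the bases a_1..a_4, b, d (squares of small constants) are constructed toy values; the verification equation checked here is the signature relation from the slides, not the full zero-knowledge presentation protocol.

```python
import secrets
from math import gcd

# Toy RSA modulus whose factorization only the issuer knows (constructed; far too
# small for real use).
P_FACTOR, Q_FACTOR = 1019, 1021
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)

# Issuer public bases a1..a4, b, d as squares mod N (constructed values in QR_N).
A1, A2, A3, A4, B, D = (pow(t, 2, N) for t in (3, 5, 7, 11, 13, 17))


def user_commitment(m1, m2, s):
    """U = a1^m1 a2^m2 b^s mod n: the user's hidden attributes, sent to the issuer once."""
    return pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s, N) % N


def issue(U, m3, time, e, s2):
    """c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n; the e-th root needs phi(n)."""
    if gcd(e, PHI) != 1:
        raise ValueError("e must be coprime to phi(n)")
    base = U * pow(A3, m3, N) * pow(A4, time, N) * pow(B, s2, N) % N
    return pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)


def verify(c, e, m1, m2, m3, time, s_total):
    """Check d == c^e a1^m1 a2^m2 a3^m3 a4^time b^(s+s'') mod n, i.e. the credential
    is valid for attributes (m1, m2, m3) and the validity time `time`."""
    lhs = (pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(A3, m3, N)
           * pow(A4, time, N) * pow(B, s_total, N)) % N
    return lhs == D


def reissue(U, m3, periods, primes, s2_values=None):
    """Zeroth solution: repeat the last issuing step for each new validity period.
    Returns the update records (c_i, e_i, s_i'', time_i) that can be pushed to the user."""
    if s2_values is None:
        s2_values = [secrets.randbelow(N) for _ in periods]
    return [(issue(U, m3, t, e, s2), e, s2, t)
            for t, e, s2 in zip(periods, primes, s2_values)]
```

A credential issued for one time value fails the check for any other time value, which is exactly what lets the verifier skip revocation lookups for a credential that is still within its validity period.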
Conclusions
• Roadmap
  – Explain possibilities to engineers, policy makers, etc.
  – Usable prototypes
  – Provide transparency
  – Public infrastructure for privacy protection
  – Laws with teeth (encourage investment in privacy)
• Challenges
  – Internet services get paid with personal data (inverse incentive)
  – End users are not able to handle their data (user interfaces)
  – Security technology is typically invisible and hard to sell
• Towards a secure information society
  – Society changes quickly and gets shaped by technology
  – Consequences are hard to grasp (time will show)
  – We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
copy 2014 IBM CorporationAugust 11 2015
Security
Like Envelopes
No info about message
copy 2014 IBM CorporationAugust 11 2015
Security
or
Like Envelopes
This is called semantic security (secure if used once only or within careful construction)
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^{Π e_i} mod n
– publish z and n
– witness value x for e_j s.t. z = x^{e_j} mod n can be computed as x = v^{e_1 ··· e_{j-1} · e_{j+1} ··· e_k} mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to find x s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an e, and each user gets a witness x with her certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator
– Commit to x:
  • choose random s and g, and
  • compute U_1 = x h^s, U_2 = g^s, and reveal U_1, U_2, g
– Run the proof protocol with the verifier:
  PK{(ε, μ, ρ, σ, ξ, δ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ z = U_1^μ (1/h)^ξ (mod n) ∧ 1 = U_2^μ (1/g)^ξ (mod n) ∧ U_2 = g^δ (mod n)}
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed:
  • (U_1, U_2) is a secure commitment to x
  • the proof protocol is zero-knowledge
– The proof is indeed proving that the e contained in the certificate is also contained in the accumulator:
  a) 1 = U_2^μ (1/g)^ξ = (g^δ)^μ (1/g)^ξ (mod n) ⇒ ξ = δ μ
  b) z = U_1^μ (1/h)^ξ = U_1^μ (1/h)^{δ μ} = (U_1 / h^δ)^μ (mod n)
  c) d = c^ε a_1^ρ a_2^μ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e., they need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator
When a certificate containing e_rev is revoked:
– Now z' = v^{Π' e_i} = z^{1/e_rev} mod n (the product now without e_rev)
– Witness:
  • Use Ext. Euclid to compute a and b s.t. a e_own + b e_rev = 1
  • Now x' = x^b z'^a mod n
  • Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · (1/e_rev)} mod n
    = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
    = ((x^{e_own})^{b e_rev} (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
    = (z^{b e_rev} z^{a e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator, in case the issuer knows the factorization of n
When a new user gets a certificate containing e_new:
– Recall z = v^{Π e_i} mod n
– Actually, v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
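The accumulator operations of the slides above, carried through end to end as an added example (not code from the slides or from Identity Mixer): accumulate, witness, membership check, the basic join that invalidates all witnesses, revocation with the Ext. Euclid witness update, and the improved join for an issuer who knows the factorization. The modulus, seed and serial primes are constructed toy values, and the issuer's trapdoor is simply φ(n).

```python
# Toy RSA accumulator, constructed for this example; real deployments use a
# 2048-bit+ modulus whose factorization at most the issuer knows.
P_TOY, Q_TOY = 1000003, 999983            # toy primes, far too small for real use
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)           # issuer-only trapdoor for e-th roots
V = 123456789                             # public seed v, coprime to n


def ext_gcd(a, b):
    """Extended Euclid: return (s, t) with s*a + t*b = gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_s, old_t


def accumulate(v, primes, n=N):
    """z = v^(e_1 * ... * e_k) mod n: the accumulator of all good serial numbers."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z


def witness(v, primes, j, n=N):
    """Witness x for e_j: v raised to the product of all the other primes."""
    return accumulate(v, [e for i, e in enumerate(primes) if i != j], n)


def verify_membership(z, x, e, n=N):
    """Verifier's check that e is in the accumulator: z == x^e mod n."""
    return pow(x, e, n) == z


def add_member(z, x, e_new, n=N):
    """Basic join: z' = z^e_new, and every existing witness becomes x' = x^e_new."""
    return pow(z, e_new, n), pow(x, e_new, n)


def join_improved(z, e_new, n=N, phi=PHI):
    """Improved join (issuer knows phi): z is unchanged, the newcomer gets x = z^(1/e_new)."""
    return pow(z, pow(e_new, -1, phi), n)


def revoke(z, x, e_own, e_rev, n=N, phi=PHI):
    """Revoke e_rev: issuer publishes z' = z^(1/e_rev); the holder of e_own turns
    her witness into x' = x^b * z'^a with a*e_own + b*e_rev = 1 (Ext. Euclid).
    Negative exponents are resolved by pow() through modular inverses (Python 3.8+)."""
    z_new = pow(z, pow(e_rev, -1, phi), n)
    a, b = ext_gcd(e_own, e_rev)
    x_new = pow(x, b, n) * pow(z_new, a, n) % n
    return z_new, x_new


def demo():
    """Issue four credentials, revoke one, update a witness, then try both joins."""
    serials = [10007, 10009, 10037, 10039]        # one prime per credential (constructed)
    z = accumulate(V, serials)
    wits = [witness(V, serials, j) for j in range(len(serials))]
    out = {"all_valid": all(verify_membership(z, x, e) for x, e in zip(wits, serials))}
    # Revoke 10009; the holder of 10037 updates her witness from the public (z, z').
    z2, x2 = revoke(z, wits[2], 10037, 10009)
    out["updated_witness_ok"] = verify_membership(z2, x2, 10037)
    out["stale_witness_ok"] = verify_membership(z2, wits[2], 10037)    # now False
    out["revoked_ok"] = verify_membership(z2, wits[1], 10009)          # now False
    out["z2_is_fresh_accumulator"] = z2 == accumulate(V, [10007, 10037, 10039])
    # Improved join: accumulator stays, only the newcomer needs a witness.
    out["improved_join_ok"] = verify_membership(z2, join_improved(z2, 10061), 10061)
    # Basic join: accumulator changes, so every holder must update.
    z3, x3 = add_member(z2, x2, 10067)
    out["basic_join_ok"] = (verify_membership(z3, x3, 10037)
                            and not verify_membership(z3, x2, 10037))
    return out
```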
Revocation: Zeroth Solution
Update of Credentials: encode validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
– User sends U = a_1^{m_1} a_2^{m_2} b^{s'}
– Issuer chooses e, s'' and computes c = (d / (U a_3^{m_3} a_4^{time} b^{s''}))^{1/e} mod n
– Issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new validity period time_i
– Choose e_i, s_i''
– c_i = (d / (U a_3^{m_3} a_4^{time_i} b^{s_i''}))^{1/e_i} mod n
– The update information (c_i, e_i, s_i'') can be pushed to the user by many different means
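The zeroth solution carried through on constructed toy parameters, as an added example that is not code from the slides or from Identity Mixer: the user's U, the issuer's last step repeated once per validity period, and the verifier's check that the time attribute in the signature matches the current period. The modulus, bases, attribute values and the list of primes e_i are all constructed, and s_i'' is drawn with secrets.randbelow.

```python
import secrets

# Constructed toy CL-style parameters for this example (real ones: 2048-bit n,
# bases that are random quadratic residues, large primes e).
P_TOY, Q_TOY = 1000003, 999983
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)                 # issuer's trapdoor for e-th roots
A1, A2, A3, A4, B, D = 4, 9, 25, 49, 121, 169   # public bases a_1..a_4, b and d


def commit(m1, m2, s1):
    """User's part of issuing: U = a_1^m1 a_2^m2 b^s' mod n."""
    return pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s1, N) % N


def issue(U, m3, time, e, s2):
    """Issuer's last step: c = (d / (U a_3^m3 a_4^time b^s''))^(1/e) mod n."""
    rest = U * pow(A3, m3, N) * pow(A4, time, N) * pow(B, s2, N) % N
    c = pow(D * pow(rest, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def verify_cert(c, e, s_total, m1, m2, m3, time):
    """Verifier: d == c^e a_1^m1 a_2^m2 a_3^m3 a_4^time b^(s' + s'') mod n."""
    rhs = (pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(A3, m3, N)
           * pow(A4, time, N) * pow(B, s_total, N)) % N
    return rhs == D


def reissue(U, m3, periods, primes):
    """Zeroth solution: keep U, run only the last step once per validity period.
    Returns {time_i: (c_i, e_i, s_i'')}, the update info pushed to the user."""
    return {t: issue(U, m3, t, e, secrets.randbelow(1 << 40))
            for t, e in zip(periods, primes)}


def demo():
    """A credential refreshed for three monthly periods (YYYYMM, constructed)."""
    sk, r, s1, m3 = 1234, 5678, 91011, 42        # toy attribute and blinding values
    U = commit(sk, r, s1)
    periods = [201508, 201509, 201510]
    primes = [10007, 10009, 10037]                # one fresh prime e_i per period
    updates = reissue(U, m3, periods, primes)
    c, e, s2 = updates[201509]
    return {
        "valid_in_its_period": verify_cert(c, e, s1 + s2, sk, r, m3, 201509),
        "invalid_next_period": not verify_cert(c, e, s1 + s2, sk, r, m3, 201510),
        "each_period_own_e": len({u[1] for u in updates.values()}) == 3,
    }
```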
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
G. Ateniese, D. Song, and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets With Observers. In CRYPTO '93. Springer-Verlag, 1993.
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In CRYPTO '84.
Security
Like envelopes
This is called semantic security (secure if used once only, or within a careful construction)
Verifiable Encryption with Label
– The label is important to bind context to an encryption
– E.g., defines the decryption condition, binds user to car, etc.
– Security definition: a change of label is a new ciphertext
Verifiable Encryption
– Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
– Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
– Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
Open problem: to find new ones
ElGamal Encryption Scheme
Group G = ⟨g⟩ of order q
Secret key: x ∈ {1, …, q}; public key: y = g^x
To encrypt message m ∈ ⟨g⟩:
– choose random r ∈ {1, …, q}
– compute c = (y^r m, g^r)
To decrypt ciphertext c = (c_1, c_2):
– We know c = (y^r m, g^r) = (g^{xr} m, g^r)
– Thus set m = c_1 c_2^{-x} = y^r m g^{-xr} = y^r y^{-r} m = m
Realizing Inspection
Nym = g^{sk} h^r
d = c^e a_1^{sk} a_2^r a_3^{name} b^{s'' + s'} (mod n)
Encryption public key (of the inspector): y = g^x
Encrypt Nym: choose random u ∈ {1, …, q} and compute enc = (y^u Nym, g^u) = (e_1, e_2)
Compute proof token (presentation token):
– compute c' = c b^t mod n with randomly chosen t
– compute the proof PK{(ε, μ_1, μ_2, μ_3, ρ, σ): d = c'^ε a_1^{μ_1} a_2^{μ_2} a_3^{μ_3} b^σ (mod n) ∧ e_1 = y^ρ g^{μ_1} h^{μ_2} ∧ e_2 = g^ρ ∧ μ_1, μ_2, μ_3 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
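The ElGamal slide and the inspection slide above, run together as an added example (not code from the slides or from Identity Mixer): the user forms Nym = g^sk h^r, encrypts it to the inspector's key y = g^x, and attaches a Fiat-Shamir proof of the two encryption clauses e_1 = y^ρ g^{μ_1} h^{μ_2} and e_2 = g^ρ; the inspector decrypts with c_1 c_2^{-x}. Assumptions: a constructed 63-bit safe-prime group found by a deterministic search, a second base h with a fixed exponent, SHA-256 for the challenge, and no credential clause (the d = c'^ε ... part of the slide's PK is left out).

```python
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic below 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2:
        return False
    if n in MR_BASES:
        return True
    if any(n % b == 0 for b in MR_BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):
    """Smallest safe prime p = 2q + 1 with q prime and q >= start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

# Constructed toy group: a 63-bit safe prime and bases of the order-q subgroup.
# Real systems use 256-bit curves or 2048-bit+ moduli; only the protocol logic matters here.
P = safe_prime(1 << 62)
Q = (P - 1) // 2
G = 4                          # a square, so it generates the subgroup of prime order q
H = pow(G, 0x5EED, P)          # second base; real systems derive h so log_g(h) is unknown

def keygen():
    """Inspector's ElGamal key: secret x, public y = g^x."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def pseudonym(sk, r):
    """Nym = g^sk h^r as on the slide."""
    return pow(G, sk, P) * pow(H, r, P) % P

def encrypt(y, nym):
    """ElGamal: enc = (y^u Nym, g^u) = (e_1, e_2); u is kept for the proof."""
    u = 1 + secrets.randbelow(Q - 1)
    return (pow(y, u, P) * nym % P, pow(G, u, P)), u

def decrypt(x, e1, e2):
    """Inspector recovers Nym = e_1 e_2^(-x); exponents live in Z_q."""
    return e1 * pow(e2, (-x) % Q, P) % P

def challenge(*vals):
    """Fiat-Shamir challenge in Z_q over all public values and commitments."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove(y, e1, e2, u, sk, r):
    """Non-interactive PK{(rho, mu_1, mu_2): e_1 = y^rho g^mu_1 h^mu_2 and e_2 = g^rho}."""
    t_u, t_sk, t_r = (secrets.randbelow(Q) for _ in range(3))
    T1 = pow(y, t_u, P) * pow(G, t_sk, P) * pow(H, t_r, P) % P
    T2 = pow(G, t_u, P)
    c = challenge(P, G, H, y, e1, e2, T1, T2)
    return c, (t_u + c * u) % Q, (t_sk + c * sk) % Q, (t_r + c * r) % Q

def verify_proof(y, e1, e2, proof):
    """Rebuild T1, T2 from the responses and check that the challenge re-derives."""
    c, s_u, s_sk, s_r = proof
    T1 = (pow(y, s_u, P) * pow(G, s_sk, P) * pow(H, s_r, P)
          * pow(e1, (-c) % Q, P)) % P
    T2 = pow(G, s_u, P) * pow(e2, (-c) % Q, P) % P
    return c == challenge(P, G, H, y, e1, e2, T1, T2)

def inspection_demo():
    """User encrypts her Nym to the inspector and proves the ciphertext is well-formed."""
    x, y = keygen()
    sk, r = secrets.randbelow(Q), secrets.randbelow(Q)
    nym = pseudonym(sk, r)
    (e1, e2), u = encrypt(y, nym)
    proof = prove(y, e1, e2, u, sk, r)
    return {
        "proof_ok": verify_proof(y, e1, e2, proof),
        "tampered_ciphertext_rejected": not verify_proof(y, e1 * G % P, e2, proof),
        "inspector_recovers_nym": decrypt(x, e1, e2) == nym,
        "wrong_key_fails": decrypt((x + 1) % Q, e1, e2) != nym,
    }
```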
Revocation of credentials
Anonymous Credential Revocation
– Issuer publishes revocation info; verifier looks it up
– Alice should be able to convince the verifier that her credential is among the good ones
– Various reasons to revoke a credential: user lost credential (secret key), misbehavior of user
– Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish list of all valid (or invalid) u_i's: (u_1, …, u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for each u_j in (u_1, …, u_k)
– Prove PK{(ε, μ, ρ, σ): (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U_k = g^μ)}
Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
Include into the credential some credential ID u_i as a message, e.g., d = c^e a_1^{sk} a_2^{u_i} b^{s'' + s'} (mod n)
Publish list of all invalid u_i's: (u_1, …, u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, μ, ρ, σ): d = c^ε a_1^ρ a_2^μ b^σ (mod n) ∧ U = h^μ}
– Verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved further using so-called batch verification)
What happens if we make the list of all valid u_i's public?
– If a credential is revoked, all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
Label is important to bind context to an encryptionEg defines decryption condition binds user to car etcSecurity definition change of label is new ciphertext
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption with Label
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J. Camenisch, A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), pp. 84-88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. Advances in Cryptology: Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1985.
J. Camenisch, V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. Advances in Cryptology, CRYPTO 2003, pp. 126-144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Advances in Cryptology, CRYPTO '84.
Verifiable Encryption with Label
Verifiable Encryption
- Of attributes (discrete logarithms): Camenisch-Shoup (SRSA), based on Paillier encryption
- Of pseudonyms (group elements): Cramer-Shoup (DL) or, rarely, ElGamal (DL)
- Otherwise (any secret for which a ZKPK exists): Camenisch-Damgård works for any scheme, but is much less efficient
- Open problem: find new ones
ElGamal Encryption Scheme
- Group $G = \langle g \rangle$ of order $q$
- Secret key $x \in \{1, \dots, q\}$; public key $y = g^{x}$
- To encrypt a message $m \in \langle g \rangle$:
  - choose random $r \in \{1, \dots, q\}$
  - compute $c = (y^{r} m,\ g^{r})$
- To decrypt a ciphertext $c = (c_1, c_2)$:
  - we know $c = (y^{r} m,\ g^{r}) = (g^{xr} m,\ g^{r})$
  - thus set $m = c_1 \cdot c_2^{-x} = y^{r} m\, g^{-xr} = y^{r-r} m = m$
Realizing Inspection
- Pseudonym $\mathrm{Nym} = g^{sk} h^{r}$, certified in the credential $d = c^{e}\, a_1^{sk}\, a_2^{r}\, a_3^{name}\, b^{s'' + s'} \pmod n$
- Inspector's public key $y = g^{x}$
- Encrypt Nym: choose random $u \in \{1, \dots, q\}$ and compute $\mathrm{enc} = (y^{u}\, \mathrm{Nym},\ g^{u}) = (e_1, e_2)$
- Compute the proof token (presentation token):
  - compute $c' = c\, b^{t} \bmod n$ with randomly chosen $t$
  - compute the proof $PK\{(\varepsilon, \mu_1, \mu_2, \mu_3, \rho, \sigma):\ d = c'^{\varepsilon} a_1^{\mu_1} a_2^{\mu_2} a_3^{\mu_3} b^{\sigma} \ \wedge\ e_1 = y^{\rho} g^{\mu_1} h^{\mu_2} \ \wedge\ e_2 = g^{\rho} \ \wedge\ \mu_1, \mu_2, \mu_3 \in \{0,1\}^{\ell} \ \wedge\ \varepsilon > 2^{\ell+1}\}$
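The ElGamal scheme of the previous slide and its use for inspection, as an added worked example in Python (this is not code from the slides, from Identity Mixer or from IBM). It assumes a constructed toy group: the safe prime p = 2027 with subgroup order q = 1013 and generators g = 4 and h = 9. The zero-knowledge proof token that ties the ciphertext to the credential is out of scope and not implemented; the example only shows the encryption of Nym = g^sk h^r to the inspector's key and its recovery.

```python
"""Added example (not from the slides): ElGamal in a prime-order subgroup and
its use for inspection, i.e. encrypting a pseudonym Nym = g^sk * h^r under the
inspector's key y = g^x so that only the inspector can recover Nym.
Constructed toy parameters: p = 2027 = 2q + 1 with q = 1013 prime; real
deployments use groups of 2048 bits or more."""
import secrets

P = 2027   # safe prime p = 2q + 1 (toy value)
Q = 1013   # prime order of the subgroup of quadratic residues mod p
G = 4      # 2^2 mod p: a quadratic residue != 1, hence a generator of order q
H = 9      # 3^2 mod p: second generator whose log to base G is unknown to users


def rand_exponent():
    """Uniform exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


def keygen(x=None):
    """Secret key x, public key y = g^x. x may be supplied for deterministic tests."""
    x = rand_exponent() if x is None else x
    return x, pow(G, x, P)


def encrypt(y, m, r=None):
    """c = (c1, c2) = (y^r * m, g^r), exactly as on the slide."""
    if pow(m, Q, P) != 1:
        raise ValueError("message must be an element of <g>")
    r = rand_exponent() if r is None else r
    return (pow(y, r, P) * m % P, pow(G, r, P))


def decrypt(x, c):
    """m = c1 * c2^(-x) = y^r m g^(-xr) = m (negative exponent needs Python >= 3.8)."""
    c1, c2 = c
    return c1 * pow(c2, -x, P) % P


def make_nym(sk, r):
    """Pseudonym Nym = g^sk * h^r: hides the user secret sk, re-randomised by r."""
    return pow(G, sk, P) * pow(H, r, P) % P


def inspectable_presentation(inspector_pk, sk, r, u=None):
    """User side: encrypt Nym under the inspector's key, returning (e1, e2)."""
    return encrypt(inspector_pk, make_nym(sk, r), u)


def inspect(inspector_sk, enc):
    """Inspector side: recover the pseudonym from the presentation token."""
    return decrypt(inspector_sk, enc)
```

Two encryptions of the same Nym with different u are unrelated group elements, which is what keeps presentations unlinkable to everyone except the inspector; the membership check in encrypt matters because a message outside the subgroup would leak a bit about m through the ciphertext.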
Revocation of credentials
Anonymous Credential Revocation
[Figure: the issuer publishes revocation information; the verifier looks it up.]
- Various reasons to revoke a credential: user lost the credential or the secret key, misbehavior of the user
- Alice should be able to convince the verifier that her credential is among the good ones
Anonymous Credential Revocation
- Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
- Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e}\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s'} \pmod n$
- Publish the list of all valid (or invalid) $u_i$'s: $(u_1, \dots, u_k)$
- Alice proves that her $u_i$ is on the list:
  - choose random $g$
  - compute $U_j = g^{u_j}$ for every $u_j$ in $(u_1, \dots, u_k)$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_1 = g^{\mu}) \ \vee\ \dots\ \vee\ (d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U_k = g^{\mu})\}$
- Not very efficient, i.e. linear in the size $k$ of the list :-(
Revocable Credentials: Second Solution
- Include into the credential some credential ID $u_i$ as a message, e.g. $d = c^{e}\, a_1^{sk}\, a_2^{u_i}\, b^{s'' + s'} \pmod n$
- Publish the list of all invalid $u_i$'s: $(u_1, \dots, u_k)$
- Alice proves that her $u_i$ is not on the list:
  - choose random $h$ and compute $U = h^{u_i}$
  - prove $PK\{(\varepsilon, \mu, \rho, \sigma):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ U = h^{\mu}\}$
  - the verifier checks that $U \neq h^{u_j}$ for all $u_j$ on the list
- Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
- What happens if we make the list of all valid $u_i$'s public? If a credential is revoked, all its past transactions become linkable
Revocable Credentials: Second Solution
- Variation: the verifier could choose $h$ and keep it fixed for a while
  - can pre-compute the list $U_i = h^{u_i}$ → single table lookup
  - BUT if the user comes again, the verifier can link her visits; ALSO the verifier could refrain from changing $h$ at all, or use the same $h$ as other verifiers
  - one way out: $h = H(\mathrm{verifier}, \mathrm{date})$, so the user can check correctness; the date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
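The blacklist check of the second solution, its pre-computed-table variation and the linkability problem of a fixed h, as an added Python example (not code from the slides or from Identity Mixer). It assumes the constructed toy group p = 2027, q = 1013, a constructed revocation list, and a hash-to-group step with a small retry counter that the slide's h = H(verifier, date) does not spell out; the proof PK that u_i is the ID signed inside the credential is assumed and not coded.

```python
"""Added example (not from the slides): the second solution's blacklist check
with a verifier-chosen base h, the pre-computed table variation, and the
linkability a fixed h creates. Constructed toy group p = 2027, q = 1013.
The proof PK that u_i is the ID signed inside the credential is assumed, not coded."""
import hashlib

P, Q = 2027, 1013   # safe prime and the order of its QR subgroup (toy values)


def base_from(verifier_id, date):
    """h = H(verifier, date), mapped into the order-q subgroup by squaring.
    Anyone can recompute it, so the user can check that the verifier did not
    choose a special h or reuse one across sessions or verifiers.
    The retry counter is an assumption of this example, not on the slide."""
    for ctr in range(256):                       # retry if the hash lands on 0 or +-1
        msg = f"{verifier_id}|{date}|{ctr}".encode()
        h = pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % P, 2, P)
        if h not in (0, 1):
            return h
    raise RuntimeError("could not derive a base")


def user_token(h, u_i):
    """U = h^{u_i}, sent with the (assumed) proof that u_i is the credential ID."""
    return pow(h, u_i, P)


def verifier_accepts(h, U, revoked):
    """Linear scan over the revocation list: accept iff U != h^{u_j} for all u_j."""
    return all(U != pow(h, u_j, P) for u_j in revoked)


def precomputed_table(h, revoked):
    """Variation: for a fixed h the verifier tabulates h^{u_j} once."""
    return {pow(h, u_j, P) for u_j in revoked}


def verifier_accepts_fast(table, U):
    """Single table lookup instead of the linear scan."""
    return U not in table


def linkable(tokens):
    """Tokens revealed under the same h are identical, so a verifier that never
    rotates h (or shares it with other verifiers) can link a returning user."""
    return len(set(tokens)) < len(tokens)
```

With h derived from the verifier identity and a timestamp the verifier still gets its table, but only for that time slot, and a user who recomputes h can refuse a presentation whose base does not match.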
Revocable Credentials: Second Solution
... better implementation of the proof
[Figure: revoked serial numbers 1, 4, 5 on a line from 0 to N; the issuer signs the intervals between them: Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N). Alice's credential contains serial 3, and she proves that it lies in an interval $(i, j)$ with $i < 3 < j$ for which she holds Sig$(i,j)$.]
- Issuer signs the intervals between revoked values → revocation list 1, 4, 5
- The verifier does not learn $i$, $j$
- Sig$(i,j)$ can also be realised with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the issuer's accumulator contains the serial numbers 1, 2, 3, 4, 5, 6; Alice's credential contains serial 2, and she proves that 2 is included in the accumulator.]
- Credentials contain a random serial number
- Issuer accumulates all good serial numbers
- Proof requires a witness
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: the same accumulator after serial 2 has been removed.]
- To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
- Proof would require the witness
Revocable Credentials: Third Solution
- Using so-called cryptographic accumulators
- Key setup: RSA modulus $n$, seed $v$
- Accumulate:
  - values are primes $e_i$
  - accumulator value $z = v^{\prod_i e_i} \bmod n$
  - publish $z$ and $n$
  - witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
- Show that your value $e$ is contained in the accumulator:
  - provide $x$ for $e$
  - the verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
- Security of the accumulator: show $x$, $e$ s.t. $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
  - for fixed $e$: equivalent to the RSA assumption
  - for any $e$: equivalent to the Strong RSA assumption
- Revocation: each certificate is associated with an $e$, and each user gets the witness $x$ with the certificate. But we still need:
  - an efficient protocol to prove that a committed value is contained in the accumulator
  - a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
- Prove that your key is in the accumulator:
  - Commit to $x$: choose random $s$ and $g$, compute $U_1 = x\, h^{s}$ and $U_2 = g^{s}$, and reveal $U_1$, $U_2$, $g$
  - Run the proof protocol with the verifier: $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta):\ d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \ \wedge\ z = U_1^{\mu} (1/h)^{\xi} \pmod n \ \wedge\ 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \ \wedge\ U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
- Analysis:
  - No information about $x$ and $e$ is revealed: $(U_1, U_2)$ is a secure commitment to $x$, and the proof protocol is zero-knowledge
  - The proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
    a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \ \Rightarrow\ \xi = \delta \mu$
    b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 h^{-\delta})^{\mu} \pmod n$
    c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
- Dynamic accumulator: when a new user gets a certificate containing $e_{new}$
  - recall $z = v^{\prod_i e_i} \bmod n$
  - thus $z' = z^{e_{new}} \bmod n$
  - but then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
- Dynamic accumulator: when a certificate containing $e_{rev}$ is revoked
  - now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
  - witness: use the extended Euclidean algorithm to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  - now $x' = x^{b}\, z'^{a} \bmod n$
  - why: $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot \frac{1}{e_{rev}}} = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} = \big((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\big)^{1/e_{rev}} = \big(z^{b\, e_{rev}} z^{a\, e_{own}}\big)^{1/e_{rev}} = z^{1/e_{rev}} = z' \pmod n$ :-)
Revocation: Third Solution (improved)
- Dynamic accumulator in case the issuer knows the factorization of $n$: when a new user gets a certificate containing $e_{new}$
  - recall $z = v^{\prod_i e_i} \bmod n$
  - actually $v$ never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
  - thus $z$ need not be changed when a new member joins
- Witnesses need to be recomputed upon revocation only
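The accumulator of the third solution, with the add and revoke operations, the extended-Euclid witness update and the trapdoor variant of the last slides, as an added Python example (not code from the slides, from the Camenisch-Lysyanskaya paper or from Identity Mixer). It assumes constructed parameters: n = M31 * M61, two Mersenne primes standing in for a real RSA modulus, the seed v = 9, and the serial numbers of the figure mapped to Mersenne primes that are coprime to phi(n). The zero-knowledge proof that a committed e is in the accumulator is not implemented; the functions show only the arithmetic the proof is built on.

```python
"""Added example (not from the slides): a toy RSA accumulator with the dynamic
add/revoke operations and witness updates from the slides, plus the issuer-side
trapdoor variant. Constructed parameters: n = M31 * M61 (two Mersenne primes)
stands in for a real RSA modulus, v = 9 is the seed, and the serial numbers of
the figure are mapped to Mersenne primes that are all coprime to phi(n). The
zero-knowledge proof that a committed e is in the accumulator is not coded."""
from math import gcd

P_, Q_ = (1 << 31) - 1, (1 << 61) - 1   # toy RSA primes (constructed)
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)               # known to the issuer only
V = 9                                    # accumulator seed (toy value)
# serial number of the figure -> the prime e_i that is actually accumulated
SERIAL_TO_PRIME = {1: 127, 2: 8191, 3: 131071, 4: 524287,
                   5: (1 << 89) - 1, 6: (1 << 107) - 1, 7: (1 << 127) - 1}


def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def accumulate(primes):
    """z = v^{prod e_i} mod n, computed as iterated exponentiation."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x = v^{prod_{i != j} e_i} mod n, so that x^{e_j} = z."""
    return accumulate([e for e in primes if e != e_j])


def verify(z, x, e):
    """Verifier's check: z = x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, witnesses, e_new):
    """Trapdoor-free join: z' = z^{e_new}; every existing witness becomes x^{e_new}."""
    return pow(z, e_new, N), [pow(x, e_new, N) for x in witnesses]


def revoke(primes, e_rev):
    """Issuer publishes z' = v^{prod_{i != rev} e_i} = z^{1/e_rev}, recomputed from v."""
    return accumulate([e for e in primes if e != e_rev])


def update_witness_after_revoke(x, z_new, e_own, e_rev):
    """User side: x' = x^b * z'^a with a*e_own + b*e_rev = 1 from extended Euclid
    (negative exponents rely on pow(base, -k, n), Python >= 3.8)."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        raise ValueError("accumulated values must be distinct primes")
    return pow(x, b, N) * pow(z_new, a, N) % N


def trapdoor_root(y, e):
    """Issuer only: the e-th root y^{1/e} mod n via phi(n); needs gcd(e, phi) = 1."""
    if gcd(e, PHI) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return pow(y, pow(e, -1, PHI), N)


def join_with_trapdoor(z, e_new):
    """Improved join: z stays as it is and the newcomer's witness is z^{1/e_new}."""
    return trapdoor_root(z, e_new)
```

Note what each party needs: the issuer never needs the factorization for the plain add and revoke (both are recomputed from v), while the trapdoor join needs phi(n) and therefore must stay inside the issuer. A user who keeps an old witness after a revocation fails the check against the new z, which is exactly the property the figure's "revoke 2" step relies on.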
Revocation: Zeroth Solution
- Update of credentials: encode the validity time as an attribute
  - no additional effort for the verifier
  - if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
- Re-issue certificates (off-line: interaction might be too expensive)
- Recall issuing for Identity Mixer:
  [Figure: the user sends $U$ to the issuer, who returns $(c, e, s'')$.]
  - user: $U = a_1^{m_1} a_2^{m_2} b^{s'}$
  - issuer: choose $e$, $s''$ and compute $c = \big(d / (U\, a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$
Revocation: Zeroth Solution
- Re-issue certificates (off-line: interaction might be too expensive)
- Idea: just repeat the last step for each new time period $time_i$
  [Figure: the issuer pushes $(c_i, e_i, s_i'')$ to the user.]
  - choose $e_i$, $s_i''$ and compute $c_i = \big(d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$
- The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
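The zeroth solution worked through in Python, as an added example (not code from the slides or from Identity Mixer): a toy CL-style signature with the validity period as attribute, the issuer's last issuing step repeated per period, and the verifier's check that needs no revocation data. It assumes constructed parameters: n = M31 * M61 with phi(n) known to the issuer, public bases that are small squares, and one Mersenne prime e_i per period (all coprime to phi(n)); the zero-knowledge presentation proof of Identity Mixer is not implemented, so verify takes the attributes in the clear.

```python
"""Added example (not from the slides): the zeroth solution worked through with
a toy Identity-Mixer-style (CL) signature. The validity period is the attribute
m4 = time; rather than maintaining a revocation list, the issuer repeats the
last issuing step for every new period and pushes (c_i, e_i, s_i'') to the user.
Constructed parameters: n = M31 * M61 with phi(n) known to the issuer, public
bases that are small squares, and one Mersenne prime e_i per period (all coprime
to phi(n)); no zero-knowledge presentation proof is implemented."""
from math import gcd

P_, Q_ = (1 << 31) - 1, (1 << 61) - 1
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)                        # issuer-only trapdoor
A1, A2, A3, A4, B, D = (pow(g, 2, N) for g in (3, 5, 7, 11, 13, 17))  # toy bases
PERIOD_E = [(1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1]   # fresh e_i per period


def user_commit(m1, m2, s_prime):
    """U = a1^{m1} a2^{m2} b^{s'}: computed by the user, hides m1 (her secret key)."""
    return pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s_prime, N) % N


def issue(U, m3, time, e, s_dprime):
    """Issuer's last step: c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n."""
    if gcd(e, PHI) != 1:
        raise ValueError("e must be coprime to phi(n)")
    denom = U * pow(A3, m3, N) * pow(A4, time, N) * pow(B, s_dprime, N) % N
    y = D * pow(denom, -1, N) % N                # d / (...) mod n
    return pow(y, pow(e, -1, PHI), N)            # e-th root needs the factorization


def verify(cred, m1, m2, m3, time):
    """Check c^e a1^{m1} a2^{m2} a3^{m3} a4^{time} b^{s} = d mod n with s = s' + s''."""
    c, e, s = cred
    lhs = (pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(A3, m3, N)
           * pow(A4, time, N) * pow(B, s, N)) % N
    return lhs == D


def reissue_schedule(U, m3, s_prime, periods, s_dprimes):
    """Repeat the last issuing step once per period. Returns the update records
    (c_i, e_i, s_i'') the issuer pushes, and the credentials the user assembles."""
    updates, creds = [], []
    for time, e, s_dp in zip(periods, PERIOD_E, s_dprimes):
        c = issue(U, m3, time, e, s_dp)
        updates.append((c, e, s_dp))
        creds.append((c, e, s_prime + s_dp))
    return updates, creds


def accept(cred, m1, m2, m3, time, current_period):
    """Verifier: a valid signature whose time attribute is the current period is
    enough; no revocation information from the issuer has to be consulted."""
    return time == current_period and verify(cred, m1, m2, m3, time)
```

The issuer only ever sees U, so the user's secret m1 never leaves her device even though the credential is re-signed every period; an update record for an old period simply stops verifying against the current period, which is the whole revocation mechanism of this solution.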
Conclusions
- Roadmap
  - explain possibilities to engineers, policy makers, etc.
  - usable prototypes
  - provide transparency
  - public infr*structure for privacy protection
  - laws with teeth (encourage investment in privacy)
- Challenges
  - Internet services get paid with personal data (inverse incentive)
  - end users are not able to handle their data (user interfaces)
  - security technology is typically invisible and hard to sell
- Towards a secure information society
  - society changes quickly and gets shaped by technology
  - consequences are hard to grasp (time will show)
  - we must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- www.zurich.ibm.com/idemix
- idemixdemo.zurich.ibm.com
Code:
- github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, J. van de Graaf. An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations. EUROCRYPT '87, vol. 304 of LNCS, pp. 127-141, Springer-Verlag, 1988.
S. Brands. Rapid Demonstration of Linear Relations Connected by Boolean Operators. EUROCRYPT '97, vol. 1233 of LNCS, pp. 318-333, Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Verifiable Encryption
Of attributes (discrete logarithm)ndashCamenisch-Shoup (SRSA) ndash based on Paillier Encryption
Of pseudonyms (group elements) ndashCramer-Shoup (DL) or rarely ElGamal (DL)
Otherwise (any secret for which ZKPK exists)ndashCamenisch-Damgaard works for any scheme but much less efficient
Open Problem to find new ones
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
ElGamal Encryption Scheme
Group G = ltggt of order q
Secret Key Group x Є 1q Public key y = gx
To encrypt message m Є ltggtndash choose random r Є 1q ndash compute c = (yr m gr)
To decrypt ciphertext c = (c1c2)
ndash We know c = (yr m gr) = (gxr m gr)
ndash Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
copy 2014 IBM CorporationAugust 11 2015
Realizing Inspection
Nym = gskhr
d = ce a1ska2
ra3name bsrdquo + s (mod n)
Nym
y= gx
Encrypt Nym random u Є 1q and enc = (yu Nym gu) = (e1e2) Compute proof token (presentation token)
ndash compute c = c btmod n with randomly chosen t ndash compute proof
PK(ε micro1 micro2 micro3 σ)
d = cε a1micro1a2micro2a3micro3b σ and e1 = yρ gmicro1hmicro2 and e2 = gρ and
raquo micro1 micro3 micro3 Є 01ℓ and ε gt 2ℓ+1
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
Revocation: Zeroth Solution
Update of Credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for identity mixer:
– User sends U = a1^m1 a2^m2 b^s' (mod n)
– Issuer chooses e, s'' and computes c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n
– Issuer returns (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
– Idea: just repeat the last step for each new time value
– Issuer chooses e_i, s_i'' and computes c_i = (d / (U a3^m3 a4^time b^s_i''))^(1/e_i) mod n, with time set to the new validity time
– The update information (c_i, e_i, s_i'') can be pushed to the user by many different means
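The issuing step above, carried through for several validity times, as an added Python example (not code from the slides or from the idemix project): the modulus 10007·10009, the generators a1..a4, b, d, the attribute values and the primes e_i are constructed toy values, and the issuer's secret is the factorization of n.

```python
"""Toy 'zeroth solution': validity time as a signed attribute, re-issued by the
issuer for each new period (added example; not the slides' or idemix's code).
User sends U = a1^m1 a2^m2 b^s'; issuer returns (c, e, s'') with
c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n.  All parameters are constructed toys."""
import secrets

P, Q = 10007, 10009                      # constructed toy factorisation (issuer secret)
N, PHI = P * Q, (P - 1) * (Q - 1)
# constructed public key: generators of QR_n (squares) a1..a4, b and the constant d
A1, A2, A3, A4, B, D = (pow(g, 2, N) for g in (3, 5, 7, 11, 13, 17))


def user_commit(m1, m2, s_prime):
    """User side: U = a1^m1 a2^m2 b^s' mod n; m1, m2 (e.g. sk) stay hidden from the issuer."""
    return pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s_prime, N) % N


def issue(U, m3, time, e):
    """Issuer side: pick s'' and compute c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n.
    The e-th root needs phi(n), so only the issuer can produce a fresh (c, e, s'');
    pow(e, -1, PHI) raises ValueError if e is not coprime to phi(n)."""
    s2 = secrets.randbelow(1 << 20)
    base = U * pow(A3, m3, N) * pow(A4, time, N) * pow(B, s2, N) % N
    c = pow(D * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s2


def verify(cred, m1, m2, m3, time, s_prime):
    """Check c^e a1^m1 a2^m2 a3^m3 a4^time b^(s'+s'') == d mod n for the given time.
    (In a presentation the user proves this relation in zero knowledge instead.)"""
    c, e, s2 = cred
    lhs = (pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(A3, m3, N)
           * pow(A4, time, N) * pow(B, s_prime + s2, N)) % N
    return lhs == D


def reissue(U, m3, times, primes):
    """Repeat the last issuing step once per validity period; each (c_i, e_i, s_i'')
    can then be pushed to the user offline, without any new interaction."""
    return {t: issue(U, m3, t, e) for t, e in zip(times, primes)}


def demo():
    """Issue one credential per constructed daily period; True if each verifies
    only for its own validity time."""
    m1, m2, s_prime, m3 = 424242, 777, 31337, 7      # user secrets, one issuer attribute
    U = user_commit(m1, m2, s_prime)
    periods = [20150811, 20150812, 20150813]         # constructed validity times
    creds = reissue(U, m3, periods, [65537, 65539, 65543])
    ok = all(verify(creds[t], m1, m2, m3, t, s_prime) for t in periods)
    stale = verify(creds[periods[0]], m1, m2, m3, periods[1], s_prime)
    return ok and not stale
```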
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
Realizing Inspection
Setting: the user holds the pseudonym Nym = g^sk h^r and the credential d = c^e a1^sk a2^r a3^name b^(s'' + s') (mod n); the inspector's public key is y = g^x.
– Encrypt Nym: pick random u ∈ [1, q] and compute enc = (y^u · Nym, g^u) = (e1, e2)
– Compute the proof token (presentation token):
  • compute c' = c · b^t mod n with randomly chosen t
  • compute the proof PK{(ε, μ1, μ2, μ3, ρ, σ): d = c'^ε a1^μ1 a2^μ2 a3^μ3 b^σ ∧ e1 = y^ρ g^μ1 h^μ2 ∧ e2 = g^ρ ∧ μ1, μ2, μ3 ∈ {0,1}^ℓ ∧ ε > 2^(ℓ+1)}
Revocation of credentials

Anonymous Credential Revocation
There are various reasons to revoke a credential: the user lost the credential or the secret key, or the user misbehaved.
(Figure: the issuer publishes revocation info; the verifier looks it up.)
Alice should be able to convince the verifier that her credential is among the good ones.
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
– Include into the credential some credential ID u_i as a message, e.g., d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
– Publish the list of all valid (or invalid) u_i's: (u_1, …, u_k)
– Alice proves that her u_i is on the list:
  – Choose random g
  – Compute U_j = g^u_j for each u_j in (u_1, …, u_k)
  – Prove PK{(ε, μ, ρ, σ): (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_1 = g^μ) ∨ … ∨ (d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U_k = g^μ)}
– Not very efficient, i.e., linear in the size k of the list :-(
Revocable Credentials: Second Solution
– Include into the credential some credential ID u_i as a message, e.g., d = c^e a1^sk a2^u_i b^(s'' + s') (mod n)
– Publish the list of all invalid u_i's: (u_1, …, u_k)
– Alice proves that her u_i is not on the list:
  – Choose random h and compute U = h^u_i
  – Prove PK{(ε, μ, ρ, σ): d = c^ε a1^ρ a2^μ b^σ (mod n) ∧ U = h^μ}
  – Verifier checks that U ≠ h^u_j for all u_j on the list
– Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
– What happens if we make the list of all valid u_i's public? If a credential is revoked, all past transactions become linkable.
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list U_i = h^u_i → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or use the same h as other verifiers
– one way out: h = H(verifier, date), so the user can check correctness
– date could be the time up to seconds, and the verifier could just store all the lists, i.e., pre-compute them
Revocable Credentials: Second Solution
… better implementation of the proof
– Issuer signs the intervals between revoked IDs → for revocation list 1, 4, 5 it publishes Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
– Alice proves that her credential contains u_i where i < u_i < j, and that she holds Sig(i,j) (figure: u_i = 3 lies in the interval (1,4))
– Verifier does not learn i, j
– Sig(i,j) can be realised also with the credential signature scheme using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
– credentials contain a random serial number
– Issuer accumulates all good serial numbers (figure: accumulator containing 1, 2, 3, 4, 5, 6)
– Alice proves that her credential contains a serial number that is included in the accumulator; the proof requires a witness
– to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators. Key setup: RSA modulus n, seed v
Accumulate:
– values are primes e_i
– accumulator value z = v^(Π e_i) mod n
– publish z and n
– witness value x for e_j s.t. z = x^e_j mod n can be computed as x = v^(e_1 ··· e_(j-1) · e_(j+1) ··· e_k) mod n
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks z = x^e mod n
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to produce an x s.t. z = x^e mod n for an e that is not contained in the accumulator
– For fixed e: equivalent to the RSA assumption
– Any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets the witness x with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e., the ability to remove and add values to the accumulator as certificates come and go
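The accumulator from the key-setup slide together with the join and revocation rules from the "Dynamic Accumulator" slides earlier on this page, as an added Python example (not code from the slides or from idemix): the modulus 10007·10009, the seed v = 4 and the prime serials are constructed toy values, and the extended-Euclid witness update is the one derived on the revocation slide.

```python
"""Toy RSA accumulator for credential revocation (added example, not code from the
slides or from idemix). Prime serials e_i are accumulated as z = v^(prod e_i) mod n,
a witness x for e satisfies z = x^e mod n, and joins/revocations update z and the
witnesses as the dynamic-accumulator slides describe. All values are constructed toys."""
from math import gcd

P, Q = 10007, 10009                 # constructed toy factorisation (issuer only)
N, PHI = P * Q, (P - 1) * (Q - 1)
V = 4                               # public seed v, a quadratic residue (2^2)

def ext_euclid(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def mpow(base, exp):
    """base^exp mod n; negative exponents go through the modular inverse."""
    return pow(base, exp, N) if exp >= 0 else pow(pow(base, -1, N), -exp, N)

def verify(z, x, e):
    """Verifier's membership check: z == x^e mod n."""
    return pow(x, e, N) == z

class Issuer:
    """Accumulator owner; knows phi(n), so it alone can take e-th roots."""
    def __init__(self, serials):
        self.v, self.members = V, []
        for e in serials:
            self.add_naive(e)

    def z(self):
        """Accumulator value z = v^(prod e_i) mod n over the current members."""
        z = self.v
        for e in self.members:
            z = pow(z, e, N)
        return z

    def witness(self, e_j):
        """x = v^(prod of all other e_i) mod n, so that z = x^e_j mod n."""
        x = self.v
        for e in self.members:
            if e != e_j:
                x = pow(x, e, N)
        return x

    def add_naive(self, e_new):
        """Plain join: z' = z^e_new, so every holder must run update_after_join."""
        assert e_new > 2 and gcd(e_new, PHI) == 1, "serial must be a usable prime"
        self.members.append(e_new)

    def add_improved(self, e_new):
        """Join with known factorisation: v' = v^(1/e_new) leaves z unchanged;
        the newcomer's witness is x = z^(1/e_new) mod n."""
        assert e_new > 2 and gcd(e_new, PHI) == 1, "serial must be a usable prime"
        z_old, root = self.z(), pow(e_new, -1, PHI)
        self.v = pow(self.v, root, N)
        self.members.append(e_new)
        return pow(z_old, root, N)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev) mod n (needs phi(n)); equals v^(prod of remaining e_i)."""
        z_new = pow(self.z(), pow(e_rev, -1, PHI), N)
        self.members.remove(e_rev)
        assert z_new == self.z()
        return z_new

def update_after_join(x, e_new):
    """Holder-side witness update after a plain join: x' = x^e_new mod n."""
    return pow(x, e_new, N)

def update_after_revoke(x, e_own, e_rev, z_new):
    """Holder-side update after e_rev is revoked: with a*e_own + b*e_rev = 1,
    x' = x^b * z'^a mod n. Impossible for the revoked holder (gcd is e_rev)."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("cannot update: gcd(e_own, e_rev) != 1")
    return (mpow(x, b) * mpow(z_new, a)) % N

def demo():
    """Join, improved join and revocation; returns True if every check holds."""
    issuer, alice, bob = Issuer([101, 103, 107]), 101, 103
    x_a, x_b = issuer.witness(alice), issuer.witness(bob)
    assert verify(issuer.z(), x_a, alice) and verify(issuer.z(), x_b, bob)
    issuer.add_naive(109)                       # z changes: stale witnesses fail
    assert not verify(issuer.z(), x_a, alice)
    x_a, x_b = update_after_join(x_a, 109), update_after_join(x_b, 109)
    assert verify(issuer.z(), x_a, alice) and verify(issuer.z(), x_b, bob)
    z_before = issuer.z()                       # improved join: z stays the same
    x_c = issuer.add_improved(113)
    assert issuer.z() == z_before and verify(z_before, x_c, 113)
    z_new = issuer.revoke(bob)                  # Alice can update, Bob cannot
    assert not verify(z_new, x_a, alice)
    x_a = update_after_revoke(x_a, alice, bob, z_new)
    assert verify(z_new, x_a, alice) and not verify(z_new, x_b, bob)
    return True
```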
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation
Revocation of credentials
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation115 August 11 2015
publishes
revocation info
looks up
Alice should be able to convince verifier that her credential is among the good ones
Anonymous Credential Revocation
various reasons to revoke credential user lost credential secret key misbehavior of user
copy 2014 IBM Corporation116 August 11 2015
Anonymous Credential Revocation
Pseudonyms rarr standard revocation lists dont work
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
Revocable Credentials: Third Solution
Analysis
– No information about x and e is revealed
  • (U1, U2) is a secure commitment to x
  • proof-protocol is zero-knowledge
– Proof is indeed proving that e contained in the certificate is also contained in the accumulator:
  a) 1 = U2^µ (1/g)^ξ = (g^δ)^µ (1/g)^ξ (mod n)  ⇒  ξ = δ·µ
  b) z = U1^µ (1/h)^ξ = U1^µ (1/h)^{δ·µ} = (U1 / h^δ)^µ (mod n)
  c) d = c^ε a1^ρ a2^µ b^σ (mod n)
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing e_new:
– Recall z = v^{∏ e_i} mod n
– Thus z' = z^{e_new} mod n
– But then all witnesses are no longer valid, i.e., need to be updated: x' = x^{e_new} mod n
Revocation: Third Solution
Dynamic Accumulator: When a certificate containing e_rev is revoked
– Now z' = v^{∏_{e_i ≠ e_rev} e_i} = z^{1/e_rev} mod n
– Witness:
  • Use Ext. Euclid to compute a and b s.t. a·e_own + b·e_rev = 1
  • Now x' = x^b · z'^a mod n
  • Why? x'^{e_own} = ((x^b z'^a)^{e_own})^{e_rev · 1/e_rev} mod n
    = ((x^b z'^a)^{e_own e_rev})^{1/e_rev} mod n
    = ((x^{e_own})^{b e_rev} · (z'^{e_rev})^{a e_own})^{1/e_rev} mod n
    = (z^{b e_rev} · z^{a e_own})^{1/e_rev} mod n
    = z^{1/e_rev} mod n = z' :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n: When a new user gets a certificate containing e_new
– Recall z = v^{∏ e_i} mod n
– Actually v never occurs anywhere, so set v' = v^{1/e_new} mod n and x = z^{1/e_new} mod n
– Thus z needs not to be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
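The accumulator arithmetic from the Third Solution slides above (accumulate, witness, verify, the join update, the revocation update via extended Euclid, and the improved join when the issuer knows the factorization of n), as an added example that is not from the deck and not Identity Mixer code. The modulus is built from two constructed small primes so it runs instantly; the zero-knowledge proof that binds the committed e to the credential is not shown, only the arithmetic that proof is about.

```python
# Added example (not from the deck): an RSA accumulator as on the "Third Solution"
# slides, with both witness-update rules. Toy modulus only: p and q are small
# primes chosen here so the demo runs instantly; real parameters are 2048-bit.
P, Q = 1009, 1013                 # constructed toy primes (assumption)
N = P * Q                         # public RSA modulus n
PHI = (P - 1) * (Q - 1)           # known to the issuer only
V = 4                             # seed v (a quadratic residue mod n)


def ext_euclid(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = ext_euclid(b, a % b)
    return g, y1, x1 - (a // b) * y1


def mod_inv(a, m):
    """Inverse of a modulo m (raises if gcd(a, m) != 1)."""
    g, x, _ = ext_euclid(a % m, m)
    if g != 1:
        raise ValueError("not invertible")
    return x % m


def mod_pow(base, exp, n=N):
    """pow() that also accepts negative exponents (base must be a unit mod n)."""
    if exp < 0:
        return pow(mod_inv(base, n), -exp, n)
    return pow(base, exp, n)


def accumulate(primes, v=V, n=N):
    """Accumulator value z = v^{prod e_i} mod n."""
    z = v
    for e in primes:
        z = pow(z, e, n)
    return z


def witness(primes, e_j, v=V, n=N):
    """Witness x = v^{prod of all e_i except e_j} mod n, so that x^{e_j} = z."""
    x = v
    for e in primes:
        if e != e_j:
            x = pow(x, e, n)
    return x


def verify(z, x, e, n=N):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, n) == z


def add_value(z, x, e_new, n=N):
    """Join without knowing phi(n): z' = z^{e_new}; every witness becomes x' = x^{e_new}."""
    return pow(z, e_new, n), pow(x, e_new, n)


def issuer_remove(z, e_rev, n=N, phi=PHI):
    """Issuer revokes e_rev: z' = z^{1/e_rev} mod n (needs phi(n))."""
    return pow(z, mod_inv(e_rev, phi), n)


def user_update_after_removal(x, z_new, e_own, e_rev, n=N):
    """Holder of e_own updates her witness without phi(n):
    a*e_own + b*e_rev = 1 (Ext. Euclid), x' = x^b * z'^a mod n."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    return (mod_pow(x, b, n) * mod_pow(z_new, a, n)) % n


def join_with_factorisation(z, e_new, n=N, phi=PHI):
    """Improved variant: z stays unchanged; the new member's witness is
    x = z^{1/e_new} mod n, so existing witnesses need no update."""
    return pow(z, mod_inv(e_new, phi), n)
```

Note the asymmetry the slides point out: a join in the basic variant forces every holder to re-exponentiate her witness, whereas a revocation forces the update in both variants; only the issuer, holding phi(n), can take e-th roots.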
Revocation: Zeroth Solution
Update of credentials: encode validity time as attribute
– no additional effort for verifier
– if credential is valid → no need to check revocation updates from issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for identity mixer:
[figure: issuing protocol]
  User → Issuer: U = a1^{m1} a2^{m2} b^s
  Issuer: choose e, s''; c = (d / (U a3^{m3} a4^{time} b^{s''}))^{1/e} mod n
  Issuer → User: (c, e, s'')
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat last step for each new time time_i
– Choose e_i, s_i''
– c_i = (d / (U a3^{m3} a4^{time_i} b^{s_i''}))^{1/e_i} mod n
Update information (c_i, e_i, s_i'') can be pushed to user by many different means
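The issuing step with the validity time as fourth attribute, and the off-line re-issue for a new time, as an added example that is not from the deck and not Identity Mixer code. It assumes a constructed toy modulus and constructed public bases a1..a4, b, d (small squares, so they are units); the issuer's check that the user actually knows the opening of U (a proof of knowledge in the real protocol) is not shown.

```python
# Added example (not from the deck): toy version of the "Zeroth Solution" issuing
# step with the validity time as attribute, plus re-issue for a new time.
P, Q = 1009, 1013                 # constructed toy primes (assumption)
N = P * Q                         # public modulus n
PHI = (P - 1) * (Q - 1)           # issuer secret, needed for e-th roots
# Public bases a1, a2, a3, a4, b, d: constructed small squares (units mod n).
A1, A2, A3, A4, B, D = 4, 9, 16, 25, 36, 49


def mod_inv(a, m):
    """Inverse of a modulo m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a % m, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def user_commit(m1, m2, s, n=N):
    """User hides attributes m1, m2 and blinding s in U = a1^m1 a2^m2 b^s."""
    return (pow(A1, m1, n) * pow(A2, m2, n) * pow(B, s, n)) % n


def issue(U, m3, time, e, s2, n=N, phi=PHI):
    """Issuer adds m3 and the validity time and signs:
    c = (d / (U a3^m3 a4^time b^s''))^{1/e} mod n; returns (c, e, s'')."""
    base = (U * pow(A3, m3, n) * pow(A4, time, n) * pow(B, s2, n)) % n
    c = pow(D * mod_inv(base, n) % n, mod_inv(e, phi), n)
    return c, e, s2


def verify(c, e, s_total, m1, m2, m3, time, n=N):
    """Check d == c^e a1^m1 a2^m2 a3^m3 a4^time b^(s + s'') with s_total = s + s''."""
    lhs = (pow(c, e, n) * pow(A1, m1, n) * pow(A2, m2, n) * pow(A3, m3, n)
           * pow(A4, time, n) * pow(B, s_total, n)) % n
    return lhs == D


def reissue(U, m3, new_time, e_i, s2_i):
    """Re-issue for a new validity time: the issuer repeats only the last step
    on the stored U, so the user's m1, m2, s never travel again and the
    update (c_i, e_i, s_i'') can be delivered by any channel."""
    return issue(U, m3, new_time, e_i, s2_i)
```

A verifier that checks the time attribute against the current date gets revocation for free: a holder whose credential was not renewed simply cannot produce a signature over a current validity time.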
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
Anonymous Credential Revocation
Pseudonyms → standard revocation lists don't work
Revocable Credentials: First Solution
Include into credential some credential ID u_i as message, e.g., d = c^e a1^{sk} a2^{u_i} b^{s'' + s} (mod n)
Publish list of all valid (or invalid) u_i's: (u_1, ..., u_k)
Alice proves that her u_i is on the list:
– Choose random g
– Compute U_j = g^{u_j} for u_j in (u_1, ..., u_k)
– Prove PK{(ε, µ, ρ, σ): (d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U_1 = g^µ) ∨ ... ∨ (d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U_k = g^µ)}
Not very efficient, i.e., linear in size k of list :-(
Revocable Credentials: Second Solution
Include into credential some credential ID u_i as message, e.g., d = c^e a1^{sk} a2^{u_i} b^{s'' + s} (mod n)
Publish list of all invalid u_i's: (u_1, ..., u_k)
Alice proves that her u_i is not on the list:
– Choose random h and compute U = h^{u_i}
– Prove PK{(ε, µ, ρ, σ): d = c^ε a1^ρ a2^µ b^σ (mod n) ∧ U = h^µ}
– Verifier checks whether U ≠ h^{u_j} for all u_j on the list
Better, as only the verifier needs to do linear work (and it can be improved using so-called batch verification)
What happens if we make the list of all valid u_i's public?
If a credential is revoked, all past transactions become linkable
Revocable Credentials: Second Solution
Variation: verifier could choose h and keep it fixed for a while
– Can pre-compute list U_i = h^{u_i} → single table lookup
– BUT if user comes again, verifier can link. ALSO verifier could not change h at all or use the same as other verifiers
– one way out: h = H(verifier, date) so user can check correctness
– date could be the time up to seconds and the verifier could just store all the lists, i.e., pre-compute it
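The verifier's non-membership check of the Second Solution, the linkability caveat once a u_i is published, and the fixed-h variation with h = H(verifier, date), as an added example that is not from the deck and not Identity Mixer code. It assumes a toy group: the small safe prime p = 1019 stands in for the RSA modulus n so that distinct u values always give distinct h^u, and the credential IDs are constructed small numbers; the proof PK{...} that ties U to the credential is out of scope here.

```python
# Added example (not from the deck): the h^u revocation check of the "Second
# Solution" and what changes once a credential ID u is on the public list.
import hashlib
import secrets

# Constructed toy group Z_p^* for the safe prime p = 1019 (assumption, chosen so
# every h outside {1, p-1} has order >= 509 and the demo is deterministic).
P = 1019


def show_token(u, p=P, h=None):
    """User side: pick a fresh random base h (or use the one supplied) and
    present U = h^u mod p without revealing u."""
    if h is None:
        h = secrets.randbelow(p - 3) + 2      # h in [2, p-2], never +-1
    return h, pow(h, u, p)


def verifier_accepts(h, U, revoked, p=P):
    """Verifier: accept unless U equals h^{u_j} for some revoked u_j.
    This is the work linear in the list size that the slide mentions."""
    return all(pow(h, u_j, p) != U for u_j in revoked)


def link_transactions(transcripts, u, p=P):
    """Once u is published on the revocation list, anyone holding old
    transcripts (h, U) can test U == h^u: every past showing of that
    credential becomes linkable, which is the caveat on the slide."""
    return [i for i, (h, U) in enumerate(transcripts) if pow(h, u, p) == U]


def derive_h(verifier_id, date, p=P):
    """Variation: h = H(verifier, date). The user recomputes h herself and can
    refuse a verifier that keeps one base across visits to link her."""
    digest = hashlib.sha256(f"{verifier_id}|{date}".encode()).digest()
    return int.from_bytes(digest, "big") % (p - 3) + 2


def precomputed_table(h, revoked, p=P):
    """Verifier with a fixed h pre-computes {h^{u_j}} once; each check is then
    a single table lookup instead of k exponentiations."""
    return {pow(h, u_j, p) for u_j in revoked}
```

The two checks are the same test, U ≠ h^{u_j}; what differs is who chooses h and for how long it lives, and that choice decides whether the verifier can link the user across visits.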
Revocable Credentials: Second Solution
… better implementation of proof
Issuer signs intervals between revoked values → revocation list {1, 4, 5}: Sig(0, 1), Sig(1, 4), Sig(4, 5), Sig(5, N)
[figure: credential contains 3; user proves that it contains a value between i and j where i < 3 < j and Sig(i, j) is valid]
Verifier does not learn i, j
Sig(i, j) can be realised also with credential signature scheme using different public key
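The signed-interval revocation list from the slide above, as an added example that is not from the deck and not Identity Mixer code. A toy RSA signature over H(i, j) stands in for Sig(i, j) (the slide notes that any credential signature scheme with its own key works); the modulus is built from constructed small primes. In the real proof the user shows i < serial < j in zero knowledge so that the verifier learns neither i nor j; here the interval is handed over in the clear to show only the list construction and the range check.

```python
# Added example (not from the deck): issuer signs the gaps between revoked
# serial numbers; a holder proves her serial lies strictly inside a signed gap.
import hashlib

P, Q = 1009, 1013                 # constructed toy primes (assumption)
N = P * Q
PHI = (P - 1) * (Q - 1)
E_SIG = 5                         # toy RSA signing exponent (coprime to phi)


def mod_inv(a, m):
    """Inverse of a modulo m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a % m, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


D_SIG = mod_inv(E_SIG, PHI)       # issuer's signing key


def interval_hash(i, j, n=N):
    digest = hashlib.sha256(f"{i}|{j}".encode()).digest()
    return int.from_bytes(digest, "big") % n


def sign_interval(i, j):
    """Sig(i, j): toy RSA signature on the hashed interval end points."""
    return pow(interval_hash(i, j), D_SIG, N)


def verify_interval(i, j, sig):
    return pow(sig, E_SIG, N) == interval_hash(i, j)


def publish_revocation_list(revoked, n_max):
    """Issuer signs every gap between consecutive revoked serials, with the
    sentinels 0 and n_max: revoking {1, 4, 5} yields Sig(0,1), Sig(1,4),
    Sig(4,5), Sig(5,n_max). A revoked serial is an end point of a gap, never inside one."""
    points = [0] + sorted(set(revoked)) + [n_max]
    return {(i, j): sign_interval(i, j) for i, j in zip(points, points[1:])}


def find_interval(serial, rev_list):
    """Holder: locate the signed (i, j) with i < serial < j; None if revoked."""
    for (i, j), sig in rev_list.items():
        if i < serial < j:
            return i, j, sig
    return None


def verify_proof(serial, i, j, sig):
    """Verifier (clear-text stand-in for the zero-knowledge range proof)."""
    return i < serial < j and verify_interval(i, j, sig)
```

Every revocation changes only the two intervals adjacent to the revoked serial, so the issuer re-signs two entries rather than the whole list.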
Revocable Credentials: Third Solution
Using cryptographic accumulators
– credentials contain random serial number
– Issuer accumulates all good serial numbers
[figure: accumulator holding the values 1 to 6; credential contains 2; proof that 2 is included in the accumulator]
– Proof requires witness
Revocable Credentials: Third Solution
Using cryptographic accumulators
[figure: the same accumulator after revoking 2]
– Proof would require witness
– to revoke 2: issuer publishes new accumulator & new witnesses for unrevoked credentials
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials First Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all valid (or invalid) uis(u1 uk)
Alice proves that her ui is on the listndashChoose random gndashCompute Uj = guj for uj in (u1 uk)ndashProve PK(ε micro ρ σ) ( d = cε a1
ρa2micro b σ (n) and U1 = gmicro )
or ampamp amp or(d = cε a1ρa2
micro b σ (mod n) and Uk =
gmicro ) Not very efficient ie linear in size k of list -(
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Include into credential some credential ID ui as message eg d = ce a1
ska2ui bsrdquo + s (mod n)
Publish list of all invalid uis(u1 uk)
Alice proves that her ui is not on the listndash Choose random h and compute U = hui
ndash Prove PK(ε micro ρ σ) d = cε a1ρa2
micro b σ (mod n)
and U = hmicro ndash Verifier checks whether U = huj for all uj on the list
Better as only verifier needs to do linear work (and it can be improved using so-call batch-verification)
What happens if we make the list of all valid uis public
If credential is revoked all past transactions become linkable
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Second Solution
Variation verifier could choose h and keep it fixed for a while
Can pre-compute list Ui = hui
rarr single table lookup BUT if user comes again verifier can link ALSO verifier could not change h at all or use the same as other
verifiersndashone way out h = H(verifier date) so user can check correctnessndashdate could be the time up to seconds and the verifier could just store
all the lists ie pre-compute it
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation: Third Solution (improved)
Dynamic accumulator, in case the issuer knows the factorization of n
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only
Revocation: Zeroth Solution
Update of credentials: encode the validity time as an attribute
– no additional effort for the verifier
– if the credential is valid → no need to check revocation updates from the issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– user → issuer: $U = a_1^{m_1} a_2^{m_2} b^{s'} \bmod n$
– issuer chooses $e$, $s''$ and computes $c = \big(d / (U \cdot a_3^{m_3} a_4^{\mathit{time}} b^{s''})\big)^{1/e} \bmod n$
– issuer → user: $(c, e, s'')$
Revocation: Zeroth Solution
Re-issue certificates (off-line; interaction might be too expensive)
Idea: just repeat the last step for each new time $\mathit{time}_i$:
– choose $e_i$, $s_i''$
– compute $c_i = \big(d / (U \cdot a_3^{m_3} a_4^{\mathit{time}_i} b^{s_i''})\big)^{1/e_i} \bmod n$
– the update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
Revocable Credentials: Second Solution
Variation: the verifier could choose h and keep it fixed for a while
– Can pre-compute the list $U_i = h^{u_i}$ → single table lookup
– BUT if the user comes again, the verifier can link; ALSO the verifier could not change h at all, or could use the same h as other verifiers
– One way out: $h = H(\text{verifier}, \text{date})$, so the user can check correctness
– The date could be the time up to seconds, and the verifier could just store all the lists, i.e. pre-compute them
Revocable Credentials: Second Solution
... better implementation of the proof
[Figure: credential containing serial number 3; revocation list {1, 4, 5}; signed intervals Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)]
– Issuer signs the intervals between revoked serial numbers → revocation list {1, 4, 5} yields Sig(0,1), Sig(1,4), Sig(4,5), Sig(5,N)
– Credential contains 3; the user proves knowledge of i, j with $i < 3 < j$ and of Sig(i,j)
– Verifier does not learn i, j
– Sig(i,j) can also be realised with the credential signature scheme, using a different public key
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: credentials contain random serial numbers (1 to 6); the issuer accumulates all good serial numbers; a credential containing 2 proves that 2 is included in the accumulator; the proof requires a witness]
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: to revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials; a proof that 2 is included would require a witness]
Revocable Credentials: Third Solution
Using so-called cryptographic accumulators
Key setup: RSA modulus n, seed v
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish z and n
– witness value x for $e_j$ such that $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value e is contained in the accumulator:
– provide x for e
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
Security of the accumulator: it must be infeasible to show a pair (x, e) with $z = x^{e} \bmod n$ for an e that is not contained in the accumulator
– For a fixed e: equivalent to the RSA assumption
– For any e: equivalent to the Strong RSA assumption
Revocation: each certificate is associated with an e, and each user gets a witness x together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
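The accumulator operations above (accumulate, witness, verify) together with the dynamic join/revoke updates and the extended-Euclid witness update from the "Dynamic Accumulator" slides, as an added Python example that is not part of the original deck. Modulus, seed and serial primes are constructed toy values; the issuer-side roots (revocation and the "improved" join) assume the issuer knows the factorisation of n.

```python
# Added example (not from the slides): toy RSA accumulator with the
# dynamic add / revoke updates of the Camenisch-Lysyanskaya construction.

# Constructed toy parameters. A real deployment uses a 2048-bit or larger
# RSA modulus; the accumulated values e_i are large random primes (the
# serial numbers embedded in the credentials).
P, Q = 104723, 104729            # constructed primes, toy size only
N = P * Q
PHI = (P - 1) * (Q - 1)          # known to the issuer only
V = 4                            # seed v, a quadratic residue mod n


def ext_gcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def accumulate(primes):
    """z = v^(e_1 * ... * e_k) mod n."""
    z = V
    for e in primes:
        z = pow(z, e, N)
    return z


def witness(primes, e_j):
    """x = v^(product of all e_i except e_j) mod n, so that x^e_j == z."""
    x = V
    for e in primes:
        if e != e_j:
            x = pow(x, e, N)
    return x


def verify(z, x, e):
    """Verifier's check: z == x^e mod n."""
    return pow(x, e, N) == z


def add_member(z, x, e_new):
    """Plain dynamic accumulator: issuer sets z' = z^e_new, and every
    holder must refresh its witness, x' = x^e_new."""
    return pow(z, e_new, N), pow(x, e_new, N)


def issuer_root(z, e):
    """Issuer-only: z^(1/e) mod n, computed with the factorisation of n."""
    d = pow(e, -1, PHI)              # e^-1 mod phi(n) (Python 3.8+)
    return pow(z, d, N)


def issuer_revoke(z, e_rev):
    """Remove e_rev: new accumulator z' = z^(1/e_rev) mod n."""
    return issuer_root(z, e_rev)


def revoke_update(z_new, x, e_own, e_rev):
    """Holder-side witness update after e_rev was removed. With
    a*e_own + b*e_rev = 1, x' = x^b * z_new^a satisfies x'^e_own = z_new.
    A revoked holder (e_own == e_rev) gets no such a, b and cannot update."""
    g, a, b = ext_gcd(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be distinct primes")
    # b (or a) may be negative: pow with a negative exponent is a modular inverse
    return (pow(x, b, N) * pow(z_new, a, N)) % N


def demo():
    """Walk through accumulate, join, revoke and the two witness updates."""
    primes = [101, 103, 107]                     # constructed serial primes
    z = accumulate(primes)
    x_101 = witness(primes, 101)
    res = {"member_verifies": verify(z, x_101, 101)}
    # a fourth credential with e = 109 joins (plain variant): z changes
    z2, x_101 = add_member(z, x_101, 109)
    res["update_after_join"] = verify(z2, x_101, 101) and z2 == accumulate(primes + [109])
    # credential 103 is revoked: issuer publishes z3 = z2^(1/103)
    x_103 = witness(primes + [109], 103)
    z3 = issuer_revoke(z2, 103)
    res["new_acc_matches"] = z3 == accumulate([101, 107, 109])
    x_101 = revoke_update(z3, x_101, 101, 103)
    res["update_after_revoke"] = verify(z3, x_101, 101)
    res["revoked_rejected"] = not verify(z3, x_103, 103)
    # "improved" variant: e = 113 joins without changing z3
    x_113 = issuer_root(z3, 113)
    res["improved_join"] = verify(z3, x_113, 113)
    return res
```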
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
hellip better implementation of proof
3
Sig( 0 1)Sig(14)Sig(45)Sig(5 N )
contains where
i lt ltj and Sig(ij)
Issuer signs intervals between revoked
rarr revocation list 145
Verifier does not learn i j
3
33
Sig(ij) can be realised also with credential signature scheme using different public key
Revocable Credentials Second Solution
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof requires witness
Issuer accumulates all good serial numbers
credentials contain random serial number
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
1
6 54
3
2
2
contains that
is included in
Proof would require witness
to revoke 2 issuer publishes new accumulator amp new witnesses for unrevoked credentials
22
Revocable Credentials Third Solution
Using cryptographic accumulators
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
Revocable Credentials: Third Solution
Using cryptographic accumulators
[Figure: an accumulator containing the values 1, 2, 3, 4, 5, 6; the accumulator contains a value, and a value is included in the accumulator]
– Proof would require a witness
– To revoke 2, the issuer publishes a new accumulator & new witnesses for the unrevoked credentials
Revocable Credentials: Third Solution
[Figure: an accumulator containing the values 1 to 6]
Using so-called cryptographic accumulators
Key setup: RSA modulus $n$, seed $v$
Accumulate:
– values are primes $e_i$
– accumulator value $z = v^{\prod e_i} \bmod n$
– publish $z$ and $n$
– witness value $x$ for $e_j$ s.t. $z = x^{e_j} \bmod n$ can be computed as $x = v^{e_1 \cdots e_{j-1} \cdot e_{j+1} \cdots e_k} \bmod n$
Show that your value $e$ is contained in the accumulator:
– provide $x$ for $e$
– verifier checks $z = x^{e} \bmod n$
Revocable Credentials: Third Solution
[Figure: an accumulator containing the values 1 to 6]
Security of accumulator: it must be infeasible to find $x$ with $z = x^{e} \bmod n$ for an $e$ that is not contained in the accumulator
– For fixed $e$: equivalent to the RSA assumption
– Any $e$: equivalent to the Strong RSA assumption
Revocation: each cert is associated with an $e$, and each user gets a witness $x$ together with the certificate. But we still need:
– an efficient protocol to prove that a committed value is contained in the accumulator
– a dynamic accumulator, i.e. the ability to remove and add values to the accumulator as certificates come and go
Revocable Credentials: Third Solution
Prove that your key is in the accumulator
– Commit to $x$:
  • choose random $s$ and $g$, and
  • compute $U_1 = x h^{s}$, $U_2 = g^{s}$ and reveal $U_1, U_2, g$
– Run proof-protocol with verifier:
  $PK\{(\varepsilon, \mu, \rho, \sigma, \xi, \delta) : d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n \;\wedge\; z = U_1^{\mu} (1/h)^{\xi} \pmod n \;\wedge\; 1 = U_2^{\mu} (1/g)^{\xi} \pmod n \;\wedge\; U_2 = g^{\delta} \pmod n\}$
Revocable Credentials: Third Solution
Analysis
– No information about $x$ and $e$ is revealed:
  • $(U_1, U_2)$ is a secure commitment to $x$
  • proof-protocol is zero-knowledge
– Proof is indeed proving that the $e$ contained in the certificate is also contained in the accumulator:
  a) $1 = U_2^{\mu} (1/g)^{\xi} = (g^{\delta})^{\mu} (1/g)^{\xi} \pmod n \;\Rightarrow\; \xi = \delta \mu$
  b) $z = U_1^{\mu} (1/h)^{\xi} = U_1^{\mu} (1/h)^{\delta \mu} = (U_1 / h^{\delta})^{\mu} \pmod n$
  c) $d = c^{\varepsilon} a_1^{\rho} a_2^{\mu} b^{\sigma} \pmod n$
Revocation: Third Solution
Dynamic Accumulator
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Thus $z' = z^{e_{new}} \bmod n$
– But then all witnesses are no longer valid, i.e. they need to be updated: $x' = x^{e_{new}} \bmod n$
Revocation: Third Solution
Dynamic Accumulator: when a certificate containing $e_{rev}$ is revoked
– Now $z' = v^{\prod_{i \neq rev} e_i} = z^{1/e_{rev}} \bmod n$
– Witness:
  • Use Ext. Euclid to compute $a$ and $b$ s.t. $a\, e_{own} + b\, e_{rev} = 1$
  • Now $x' = x^{b} z'^{a} \bmod n$
  • Why: $x'^{e_{own}} = \big((x^{b} z'^{a})^{e_{own}}\big)^{e_{rev} \cdot 1/e_{rev}} \bmod n = \big((x^{b} z'^{a})^{e_{own} e_{rev}}\big)^{1/e_{rev}} \bmod n = \big((x^{e_{own}})^{b\, e_{rev}} (z'^{e_{rev}})^{a\, e_{own}}\big)^{1/e_{rev}} \bmod n = \big(z^{b\, e_{rev}} z^{a\, e_{own}}\big)^{1/e_{rev}} \bmod n = z^{1/e_{rev}} \bmod n = z'$ :-)
Revocation: Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of $n$. When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually $v$ never occurs anywhere, so $v' = v^{1/e_{new}} \bmod n$ and $x = z^{1/e_{new}} \bmod n$
– Thus $z$ need not be changed in case a new member joins
Witnesses need to be recomputed upon revocation only
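A toy run of the accumulator operations from the preceding slides (setup, witness, show, basic and improved join, and revocation with the Ext. Euclid witness update), as an added example that is not part of the deck or of Identity Mixer; the primes, seed and accumulated values are constructed and far too small for real use.

```python
# Added example (not from the deck or Identity Mixer): toy RSA accumulator for
# credential revocation.  All parameters are constructed and far too small for
# real use.  Needs Python >= 3.8 (pow() with a negative exponent and modulus).
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def verify(z: int, x: int, e: int, n: int) -> bool:
    """Verifier's check when a user shows e with witness x: z == x^e mod n."""
    return pow(x, e, n) == z


class Issuer:
    """Holds the RSA trapdoor phi(n); publishes only n and the current z."""

    def __init__(self, p: int, q: int, v: int):
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.v = v % self.n        # seed v, never published
        self.z = self.v            # empty accumulator
        self.members = []          # accumulated primes e_i

    def root(self, y: int, e: int) -> int:
        """y^(1/e) mod n via e^-1 mod phi(n): only the issuer can do this."""
        return pow(y, pow(e, -1, self.phi), self.n)

    def witness(self, e_j: int) -> int:
        """x_j = v^(product of all e_i with i != j): no trapdoor needed."""
        exp = 1
        for e in self.members:
            if e != e_j:
                exp *= e
        return pow(self.v, exp, self.n)

    def add(self, e_new: int) -> int:
        """Basic join: z' = z^e_new; every old witness must become x^e_new."""
        assert e_new not in self.members and gcd(e_new, self.phi) == 1
        self.members.append(e_new)
        self.z = pow(self.z, e_new, self.n)
        return self.z

    def add_improved(self, e_new: int) -> int:
        """Improved join (issuer knows phi(n)): z is unchanged, the seed
        silently becomes v^(1/e_new), the newcomer's witness is z^(1/e_new)."""
        assert e_new not in self.members and gcd(e_new, self.phi) == 1
        self.members.append(e_new)
        self.v = self.root(self.v, e_new)
        return self.root(self.z, e_new)

    def revoke(self, e_rev: int) -> int:
        """Revocation: z' = z^(1/e_rev) mod n is published."""
        self.members.remove(e_rev)
        self.z = self.root(self.z, e_rev)
        return self.z


def update_witness_after_join(x: int, e_new: int, n: int) -> int:
    """Basic scheme: after z' = z^e_new the user's witness is x' = x^e_new."""
    return pow(x, e_new, n)


def update_witness_after_revoke(x, z_new, e_own, e_rev, n):
    """User-side update without the trapdoor: a*e_own + b*e_rev = 1 (Ext.
    Euclid), then x' = x^b * z'^a mod n.  Returns None when e_own == e_rev:
    the revoked user has no coprime pair and cannot update."""
    g, a, b = egcd(e_own, e_rev)
    if g != 1:
        return None
    return (pow(x, b, n) * pow(z_new, a, n)) % n


def demo() -> dict:
    """Join, show, revoke and re-join with constructed toy parameters."""
    iss = Issuer(p=1009, q=1013, v=4)     # phi(n) = 2^6 * 3^2 * 7 * 11 * 23
    n, e1, e2, e3 = iss.n, 13, 17, 19     # primes coprime to phi(n)
    for e in (e1, e2, e3):
        iss.add(e)
    z, x1, x2 = iss.z, iss.witness(e1), iss.witness(e2)
    out = {"show_ok": verify(z, x1, e1, n) and verify(z, x2, e2, n)}
    # revoke e2: issuer publishes z', user 1 updates, user 2 is locked out
    z_new = iss.revoke(e2)
    x1_new = update_witness_after_revoke(x1, z_new, e1, e2, n)
    out["updated_ok"] = verify(z_new, x1_new, e1, n) and x1_new == iss.witness(e1)
    out["stale_fails"] = not verify(z_new, x1, e1, n)
    out["revoked_fails"] = not verify(z_new, x2, e2, n)
    out["revoked_cannot_update"] = update_witness_after_revoke(x2, z_new, e2, e2, n) is None
    # basic join of 29: z changes and user 1 must re-raise the witness
    z_join = iss.add(29)
    x1_join = update_witness_after_join(x1_new, 29, n)
    out["join_update_ok"] = verify(z_join, x1_join, e1, n) and not verify(z_join, x1_new, e1, n)
    # improved join of 31: z stays, only the newcomer gets a fresh witness
    x5 = iss.add_improved(31)
    out["improved_join_ok"] = (iss.z == z_join and verify(iss.z, x5, 31, n)
                               and verify(iss.z, x1_join, e1, n) and iss.witness(e1) == x1_join)
    return out
```

Every entry of `demo()` is True; the stale and revoked witnesses fail because $z'$ is a different group element from $z$.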
Revocation: Zeroth Solution
Update of Credentials: encode validity time as attribute
– no additional effort for verifier
– if credential is valid → no need to check revocation updates from issuer
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Recall issuing for Identity Mixer:
[Figure: the user sends $U$ to the issuer; the issuer returns $(c, e, s'')$]
– $U = a_1^{m_1} a_2^{m_2} b^{s'}$
– Choose $e, s''$
– $c = \big(d / (U\, a_3^{m_3} a_4^{time} b^{s''})\big)^{1/e} \bmod n$
Revocation: Zeroth Solution
Re-issue certificates (off-line – interaction might be too expensive)
Idea: just repeat the last step for each new time period $time_i$
– Choose $e_i, s_i''$
– $c_i = \big(d / (U\, a_3^{m_3} a_4^{time_i} b^{s_i''})\big)^{1/e_i} \bmod n$
Update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
[Figure: the issuer sends $(c_i, e_i, s_i'')$ to the user]
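The re-issue step of the two preceding slides, as an added example that is not part of the deck or of Identity Mixer; the modulus, bases, user secrets and period values are constructed, and the verifier is shown with the attributes in the clear where the real system hides them behind a zero-knowledge proof.

```python
# Added example (not from the deck or Identity Mixer): re-issuing a CL-style
# certificate with the validity period as an attribute.  Parameters are
# constructed and far too small for real use; needs Python >= 3.8.
from math import gcd

P, Q = 1009, 1013                       # constructed toy primes, issuer's secret
N, PHI = P * Q, (P - 1) * (Q - 1)
# public bases a1..a4, b and d, constructed as squares so they lie in QR_n
A1, A2, A3, A4, B, D = (pow(g, 2, N) for g in (5, 7, 11, 13, 17, 19))


def user_commit(m1: int, m2: int, s1: int) -> int:
    """U = a1^m1 a2^m2 b^s' hides the user's secret attributes m1, m2."""
    return (pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s1, N)) % N


def issue(U: int, m3: int, period: int, e: int, s2: int) -> tuple:
    """Issuer's last step: c = (d / (U a3^m3 a4^time b^s''))^(1/e) mod n.
    Running it again with a fresh (e_i, s_i'') for the next period re-issues
    the certificate; the user does not have to be on-line for it."""
    assert gcd(e, PHI) == 1
    base = (U * pow(A3, m3, N) * pow(A4, period, N) * pow(B, s2, N)) % N
    y = (D * pow(base, -1, N)) % N
    return pow(y, pow(e, -1, PHI), N), e, s2      # (c_i, e_i, s_i'')


def verify(cert: tuple, m1: int, m2: int, m3: int, period: int, s1: int,
           now: int) -> bool:
    """Verifier: c^e a1^m1 a2^m2 a3^m3 a4^time b^(s'+s'') = d must hold and
    the time attribute must equal the current period.  (In the real system
    the m_i stay hidden behind the zero-knowledge proof.)"""
    c, e, s2 = cert
    lhs = (pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(A3, m3, N)
           * pow(A4, period, N) * pow(B, s1 + s2, N)) % N
    return lhs == D and period == now


def demo() -> dict:
    """Certificate for period 1, then the pushed update for period 2."""
    m1, m2, m3, s1 = 4242, 7, 99, 31337     # constructed user secrets / attribute
    U = user_commit(m1, m2, s1)
    cert1 = issue(U, m3, period=1, e=13, s2=5001)
    cert2 = issue(U, m3, period=2, e=17, s2=5002)  # update pushed to the user
    return {
        "valid_in_period_1": verify(cert1, m1, m2, m3, 1, s1, now=1),
        "expired_in_period_2": not verify(cert1, m1, m2, m3, 1, s1, now=2),
        "cannot_claim_period_2": not verify(cert1, m1, m2, m3, 2, s1, now=2),
        "update_valid": verify(cert2, m1, m2, m3, 2, s1, now=2),
    }
```

The stale certificate fails both by its time attribute and, if the holder tries to present a later period, by the signature equation, so the verifier needs no revocation list at all.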
Conclusions
Roadmap
– Explain possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code
– github.com/p2abcengine & abc4trust.eu/idemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Using so-called cryptographic accumulators Key setup RSA modulus n seed v
Accumulate ndash values are primes eindash accumulator value z = v Π ei mod nndash publish z and nndash witness value x for ej st z = x ej mod n
can be computed as x = v e1middotmiddotej-1 middot ej+1middotmiddotek mod n
Show that your value e is contained in accumulatorndash provide x for endash verifier checks z = x e mod n
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
1
6 54
3
2
Security of accumulator show that e st z = x e mod n for e that is not contained in accumulator
ndash For fixed e Equivalent to RSA assumption ndash Any e Equivalent to Strong RSA assumption
Revocation Each cert is associated with an e and each user gets witness x with certificate But we still need
ndash Efficient protocol to prove that committed value is contained in accumulator
ndash Dynamic accumulator ie ability to remove and add values to accumulator as certificates come and go
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
Prove that your key is in accumulatorndashCommit to x
bull choose random s and g and bull compute U1 = x hs U2 = gs and reveal U1 U2 g
ndashRun proof-protocol with verifier PK(ε micro ρ σ ξ δ)
d = cε a1ρa2
micro b σ (mod n) and z = U1micro(1h)ξ (mod n)
and 1 = U2micro(1g)ξ (mod n) and U2 = gδ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocable Credentials Third Solution
AnalysisndashNo information about x and e is revealed
bull (U1 U2) is a secure commitment to xbull proof-protocol is zero-knowledge
ndashProof is indeed proving that e contained in the certificate is also contained in the accumulatora) 1 = U2micro(1g)ξ = (gδ)micro (1g)ξ (mod n)
=gt ξ = δ microb) z = U1micro(1h)ξ =U1micro(1h)δ micro =(U1hδ )micro (mod n)c) d = cε a1
ρa2micro b σ (mod n)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation, Third Solution (improved): Dynamic Accumulator in case the issuer knows the factorization of n
When a new user gets a certificate containing $e_{new}$:
– Recall $z = v^{\prod e_i} \bmod n$
– Actually v never occurs anywhere, so set $v' = v^{1/e_{new}} \bmod n$ and give the new member the witness $x = z^{1/e_{new}} \bmod n$
– Thus z need not be changed when a new member joins
Witnesses need to be recomputed upon revocation only.
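The join and revocation bookkeeping of the three accumulator slides above, as an added worked example (not code from the talk or from Identity Mixer): the basic join that moves z and forces every holder to update, the improved join where the issuer uses the factorization of n, and the extended-Euclid witness update after a revocation. The modulus, the base v = 4 and the member values 101, 103 and 107 are constructed toy parameters.

```python
"""Dynamic accumulator with witness updates on join and revocation.

Constructed example for the slides above (not code from Identity Mixer or its
authors); the primes are tiny to keep the numbers readable and give no security."""
from math import gcd

# Constructed toy issuer parameters: n = p*q, and phi(n) is the issuer's secret.
P, Q = 10007, 10009
N, PHI = P * Q, (P - 1) * (Q - 1)


def ext_euclid(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def is_member(x, e, z, n=N):
    """Verifier's check: witness x for value e is valid iff x^e = z (mod n)."""
    return pow(x, e, n) == z

class Accumulator:
    """Issuer side: z = v^(prod e_i) mod n over the current member set."""

    def __init__(self, v, n=N, phi=PHI):
        self.n, self.phi, self.z, self.members = n, phi, v % n, set()

    def _check_new(self, e_new):
        # A fresh e coprime to phi(n), otherwise the e-th root below does not exist.
        if e_new in self.members or gcd(e_new, self.phi) != 1:
            raise ValueError("e must be fresh and coprime to phi(n)")

    def add(self, e_new):
        """Basic join: z' = z^e_new; the old z is the newcomer's witness and
        every other holder must run witness_after_join."""
        self._check_new(e_new)
        x_new, self.z = self.z, pow(self.z, e_new, self.n)
        self.members.add(e_new)
        return x_new

    def add_with_factorization(self, e_new):
        """Improved join: z is unchanged; the issuer uses phi(n) to hand out
        x_new = z^(1/e_new), so nobody else has to update anything."""
        self._check_new(e_new)
        self.members.add(e_new)
        return pow(self.z, pow(e_new, -1, self.phi), self.n)

    def revoke(self, e_rev):
        """z' = z^(1/e_rev) mod n; needs phi(n), so only the issuer can revoke."""
        self.members.remove(e_rev)
        self.z = pow(self.z, pow(e_rev, -1, self.phi), self.n)
        return self.z

def witness_after_join(x, e_new, n=N):
    """Holder update after a basic join: x' = x^e_new mod n."""
    return pow(x, e_new, n)

def witness_after_revoke(x, e_own, e_rev, z_new, n=N):
    """Holder update after revoking e_rev: with a*e_own + b*e_rev = 1 set
    x' = x^b * z'^a mod n (the slide's derivation gives x'^e_own = z').
    b may be negative; pow(base, b, n) (Python 3.8+) then inverts base mod n."""
    g, a, b = ext_euclid(e_own, e_rev)
    if g != 1:
        raise ValueError("e_own and e_rev must be coprime")
    return (pow(x, b, n) * pow(z_new, a, n)) % n

def demo():
    """Run both variants on constructed values; return named True/False checks."""
    out = {}
    acc = Accumulator(v=4)                 # basic variant: 101, 103, 107 join
    x1 = acc.add(101)
    x2 = acc.add(103)
    x1 = witness_after_join(x1, 103)
    x3 = acc.add(107)
    x1, x2 = witness_after_join(x1, 107), witness_after_join(x2, 107)
    out["valid_after_joins"] = all(
        is_member(x, e, acc.z) for x, e in ((x1, 101), (x2, 103), (x3, 107)))
    z_new = acc.revoke(103)                # then 103 is revoked
    x1 = witness_after_revoke(x1, 101, 103, z_new)
    x3 = witness_after_revoke(x3, 107, 103, z_new)
    out["updated_valid"] = is_member(x1, 101, acc.z) and is_member(x3, 107, acc.z)
    out["revoked_rejected"] = not is_member(x2, 103, acc.z)
    acc2 = Accumulator(v=4)                # improved variant: z never moves on join
    y1 = acc2.add_with_factorization(101)
    z_before = acc2.z
    y2 = acc2.add_with_factorization(103)
    out["z_unchanged_on_join"] = acc2.z == z_before
    out["improved_valid"] = is_member(y1, 101, acc2.z) and is_member(y2, 103, acc2.z)
    y1 = witness_after_revoke(y1, 101, 103, acc2.revoke(103))
    out["improved_revoke"] = is_member(y1, 101, acc2.z) and not is_member(y2, 103, acc2.z)
    return out

if __name__ == "__main__":
    print(demo())
```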
Revocation, Zeroth Solution: Update of Credentials
– Encode the validity time as an attribute
– No additional effort for the verifier
– If the credential is valid → no need to check revocation updates from the issuer
Revocation, Zeroth Solution: Re-issue certificates
(off-line; interaction might be too expensive)
Recall issuing for Identity Mixer:
– User → Issuer: $U = a_1^{m_1}\, a_2^{m_2}\, b^{s'} \bmod n$
– Issuer: choose $e, s''$ and compute $c = \big(d / (U\, a_3^{m_3}\, a_4^{time}\, b^{s''})\big)^{1/e} \bmod n$
– Issuer → User: $(c, e, s'')$
Revocation, Zeroth Solution: Re-issue certificates (off-line; interaction might be too expensive)
– Idea: just repeat the last step for each new time period $time_i$
– Issuer: choose $e_i, s_i''$ and compute $c_i = \big(d / (U\, a_3^{m_3}\, a_4^{time_i}\, b^{s_i''})\big)^{1/e_i} \bmod n$
– The update information $(c_i, e_i, s_i'')$ can be pushed to the user by many different means
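The issue-then-re-issue flow of the two Zeroth Solution slides above, as an added example (not code from the talk or the Identity Mixer project): the issuer recomputes only its own step for a new period, and the verifier checks the signature equation plus the period attribute instead of consulting any revocation information. The toy modulus, the bases a1..a4, b, d, the attribute values and the two e values are constructed, and the verifier is shown the attributes in the clear rather than a zero-knowledge proof.

```python
"""Re-issuing an Identity-Mixer-style certificate with a validity period.

Constructed example for the slides above (not the Identity Mixer code); the
parameters are toy-sized and the verifier sees the attributes in the clear
instead of receiving a zero-knowledge proof, so only the issuance algebra is
shown."""
import secrets

# Constructed toy issuer key: n = p*q with phi(n) secret; the bases are squares
# mod n so that they lie in QR_n as the scheme requires.
P, Q = 10007, 10009
N, PHI = P * Q, (P - 1) * (Q - 1)
A1, A2, A3, A4, B, D = 4, 9, 25, 49, 121, 169   # a1..a4, b and d


def user_commit(m1, m2):
    """User: U = a1^m1 a2^m2 b^s' mod n hides m1, m2; s' is kept for later."""
    s_prime = secrets.randbelow(PHI)   # toy blinding; the real s' is much longer
    U = (pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s_prime, N)) % N
    return U, s_prime


def issue(U, m3, period, e):
    """Issuer, one period: choose s'' and c = (d / (U a3^m3 a4^period b^s''))^(1/e).
    Repeating just this step with the same U re-issues for a new period."""
    s_pp = secrets.randbelow(PHI)
    denom = (U * pow(A3, m3, N) * pow(A4, period, N) * pow(B, s_pp, N)) % N
    c = pow(D * pow(denom, -1, N) % N, pow(e, -1, PHI), N)   # e-th root needs phi(n)
    return c, e, s_pp


def verify(cert, m1, m2, m3, period, now):
    """Verifier: c^e a1^m1 a2^m2 a3^m3 a4^period b^s = d must hold and the
    certified period must not lie in the past; no revocation list is consulted."""
    c, e, s = cert
    lhs = (pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(A3, m3, N)
           * pow(A4, period, N) * pow(B, s, N)) % N
    return lhs == D and period >= now


def demo():
    """Issue for period 1, let it expire, re-issue for period 2 off-line."""
    m1, m2, m3 = 12345, 678, 42                 # constructed attribute values
    U, s_prime = user_commit(m1, m2)
    c, e, s_pp = issue(U, m3, period=1, e=65537)
    cert1 = (c, e, s_prime + s_pp)              # user adds the two s-shares
    out = {
        "valid_in_period_1": verify(cert1, m1, m2, m3, 1, now=1),
        "expired_in_period_2": not verify(cert1, m1, m2, m3, 1, now=2),
        "forged_period_rejected": not verify(cert1, m1, m2, m3, 2, now=2),
    }
    # The update (c2, e2, s2'') is computed without the user and can be pushed
    # over any channel; the user keeps the same U and s'.
    c2, e2, s_pp2 = issue(U, m3, period=2, e=65521)
    cert2 = (c2, e2, s_prime + s_pp2)
    out["reissued_valid_in_period_2"] = verify(cert2, m1, m2, m3, 2, now=2)
    return out


if __name__ == "__main__":
    print(demo())
```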
Conclusions
Roadmap
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)
Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell
Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you
eMail: identity@zurich.ibm.com
Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
Code:
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988.
S. Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333. Springer-Verlag, 1997.
M. Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS. Springer-Verlag, 2002.
Ateniese, Song, and Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS. Springer-Verlag, 2002.
J. Camenisch, N. Casati, T. Gross, and V. Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious transfer with access control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, vol. 16, no. 3, pp. 185–215. Springer-Verlag, 2003.
E. Bangerter, J. Camenisch, and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
S. Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93. Springer-Verlag, 1993.
References
J. Camenisch and A. Lysyanskaya. Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications
D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
D. Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983.
D. Chaum. Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, vol. 28, no. 10, 1985.
J. Camenisch and V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology – CRYPTO 2003, pp. 126–144.
V. Shoup. A Computational Introduction to Number Theory and Algebra. Available from http://www.shoup.net/ntb
D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology – CRYPTO '84.
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator
When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod n
ndashThus z = z enew mod n
ndashBut then all witnesses are no longer valid ie need to be updated x = x enew mod n
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution
Dynamic Accumulator When a certificate containing erev revoked
ndashNow z = v Π ei = z 1erev mod n ndashWitness
bull Use Ext Euclid to compute a and b st a eown + b erev = 1
bull Now x = x b z a mod n bull Why xeown= ((x b z a )eown) erev 1erev mod n
= ((x b z a )eown erev ) 1erevmod n = ((x eown) b erev (z erev) a eown) 1erev mod n = (z b erev z a eown ) 1erev mod n
= z 1erev mod n = z -)
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
Revocation Third Solution (improved)
Dynamic Accumulator in case the issuer knows the factorization of n When a new user gets a certificate containing enew
ndashRecall z = v Π ei mod nndashActually v never occurs anywhere so v = v 1enew mod n and x = z 1enew mod n
ndashThus z needs not to be changed in case new member joins
Witnesses need to be recomputed upon revocation only
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM Corporation130 August 11 2015
no additional effort for verifier
if credential is validrarr no need to check revocation updates from issuer
Revocation Zeroth Solution
Update of Credentials encode validity time as attribute
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
U
(cesrdquo)
U = a1m1a2
m2 bsChoose esrdquo
c = (d(Ua3m3a4
time bsrdquo ))1e
mod n
Revocation Zeroth Solution
Re-issue certificates
(off-line ndash interaction might be too expensive)
Recall issuing for identity mixer
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions
Roadmapndash Explain possibilities to engineers policy makers etcndash Usable prototypes ndash Provide transparency ndash Public infrastructure for privacy protectionndash Laws with teeth (encourage investment in privacy)
Challengesndash Internet services get paid with personal data (inverse incentive)ndash End users are not able to handle their data (user interfaces)ndash Security technology typically invisible and hard to sell
Towards a secure information societyndash Society changes quickly and gets shaped by technology ndash Consequences are hard to grasp (time will show)ndash We must inform and engage in a dialog
copy 2014 IBM Corporation134 August 11 2015
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2014 IBM CorporationAugust 11 2015
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2014 IBM CorporationAugust 11 2015
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
copy 2014 IBM CorporationAugust 11 2015
(cieisirdquo)
Revocation Zeroth Solution
Re-issue certificates (off-line ndash interaction might be too expensive)
Idea just repeat last step for each new time time
Update information (cieisirdquo) can be pushed to user by many different means
Choose eisirdquo
ci = (d(Ua3m3a4
time bsirdquo ))1ei mod n
copy 2014 IBM Corporation133 August 11 2015
Conclusions

Roadmap
– Explain the possibilities to engineers, policy makers, etc.
– Usable prototypes
– Provide transparency
– Public infrastructure for privacy protection
– Laws with teeth (encourage investment in privacy)

Challenges
– Internet services get paid with personal data (inverse incentive)
– End users are not able to handle their data (user interfaces)
– Security technology is typically invisible and hard to sell

Towards a secure information society
– Society changes quickly and gets shaped by technology
– Consequences are hard to grasp (time will show)
– We must inform and engage in a dialog
Thank you!

eMail: identity@zurich.ibm.com

Links
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com

Code
– github.com/p2abcengine & abc4trust.eu/idemix
References
D. Chaum, J.-H. Evertse and J. van de Graaf. An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations. In EUROCRYPT '87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1988.
S. Brands. Rapid Demonstration of Linear Relations Connected by Boolean Operators. In EUROCRYPT '97, vol. 1233 of LNCS, pp. 318–333, Springer-Verlag, 1997.
Mihir Bellare. Computational Number Theory. http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf
J. Camenisch and A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002, LNCS, Springer-Verlag.
G. Ateniese, D. Song and G. Tsudik. Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, LNCS, Springer-Verlag.
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup. Credential Authenticated Identification and Key Exchange. In CRYPTO 2010, pp. 255–276.
Jan Camenisch, Maria Dubovitskaya and Gregory Neven. Oblivious Transfer with Access Control. In ACM Conference on Computer and Communications Security 2009, pp. 131–140.
M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Vol. 16, No. 3, pp. 185–215, Springer-Verlag, 2003.
E. Bangerter, J. Camenisch and A. Lysyanskaya. A Cryptographic Framework for the Controlled Release of Certified Data. In Twelfth International Workshop on Security Protocols, 2004. www.zurich.ibm.com/~jca/publications
Stefan Brands. Untraceable Off-line Cash in Wallets with Observers. In Advances in Cryptology – CRYPTO '93, Springer-Verlag, 1993.