View
225
Download
0
Category
Tags:
Preview:
Citation preview
Anonymous Credentials
Gergely AlpárCollis – November 24, 2011
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 2
Crypt assumptions
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 3
Crypt assumptions
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 4
My assumptions
• Modular computation: addition, multiplication• Public-key cryptography• (PKI)• Cryptographic hash function• Concatenation
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 5
Overview
• Zero-knowledge proof of knowledge• Credentials• Discrete logarithm preliminaries• U-Prove• RSA preliminaries• Idemix• Comparison
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 6
Zero-knowledge proofs
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 7
Current practice
I know the password!I know the password! I don’t believe you.I don’t believe you.
It’s wachtw0ord201
1
It’s wachtw0ord201
1Yes, indeed.Yes, indeed.
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 8
Zero-knowledge proof
I know the secret!I know the secret! I don’t believe you.I don’t believe you.I can prove it.I can prove it. I'll believe it when I see it.
I'll believe it when I see it.
No, I don’t show it, but I’ll convince you
that I know it.
No, I don’t show it, but I’ll convince you
that I know it.
A hard problem
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 9
Waldo and ZK
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 10
Where’s Waldo?
Source: findwaldo.com // The Gobbling GluttonsIdea: Moni Naor et al. How to Convince Your Children You are not Cheating, 1999
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 11
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 12
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 13
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 14
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 15
ZK – Ali baba’s cave
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 16
Credentials
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 17
Credential flow
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 18
Anonymity requirements
• Untraceability• Multi-show unlinkability • Selective disclosure • Attribute property proof • Revocation by user • Revocation by issuer
Age > 18Valid
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 19
High-level approaches
• Every time: issuing before showing (U-Prove, 1999)– Untraceability
• Showing with zero-knowledge proof (Idemix, 2001)– Untraceability and unlinkability
• Randomize (self-blindable, 2001)– Unlinkability and untraceability
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 20
History of anonymous credentials
1970 1980 1990 2000 2010
1976: Public-key crypto (Diffie & Hellman)
1978: RSA
1981: Digital pseudonym (Chaum)
1985: Zero-knowledge proof
(GMR)
1986: Non-interactive ZK (Fiat & Shamir)
1990-91: Schnorr identification and
signature
1999: U-Prove crypto (Brands)
2001: Idemix crypto (Camenisch & Lysyanskaya)
2002: Idemix JAVA implementation
2009: Light-weight Idemix impl. (IBM)
2010: Microsoft’s U-Prove impl.
2010-14: ABC4Trust (IBM & MS)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 21
Discrete logarithm – preliminaries
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 22
Modular computation
mod nax
mod nlogax
= 14 mod 4773 = 343 = 7.47 + 14
log7 14 = 3 mod 47
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 23
101
102 103
104
10x mod 53
x
Modular exponentiation
1013
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 24
log10 24 = ? mod 53log10 24 = ? mod 5310x mod 53
x
Discrete logarithm (p = 53, q = 13)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 25
Discrete logarithm (p = 389, q =97)13x mod 389
x
log13 193 = ? mod 389log13 193 = ? mod 389
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 26
p ~ 21024, q ~ 2160
120647512938908028867388901435622501660544582652084763778469179795603511596928068284302347645679661284502756586088182980185380205485840303823342758131447025760358124071773512320456087558761236652680084522358687865972828438154299478474984622198115039866220934797393671281602442459774704328099491586290681366721842531452715241719233458597619542522728958116591 = 54908600274008470198448664033645016278929009692729460183531661597245923990838629299281250570649704467074998536491481089013147840556922261199819117470352438726889035130940581816459311611337430791063760559062579953505419658290163926050903654308761279654642666891806788178269114799030238674475936287917164274641 (mod 147540829457233765072451123330814771849279870508740658191364766390571127595133276091294946062334381927384270351919254939797952329145575009188956176344993292905052474988906261438800251337646245695529118629813762877963253295780055957721171296243452181910303437299543284160580397044072404446659484077705433238843)
gb = h (mod p) where the order of g is q
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 27
Efficiently computable• Random numbers– 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8,
8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9
• Modular addition and multiplication– a . b + c (mod n)
• Modular exponentiation– 326 = 3(11010) = 32 .38 .316 = 3 (mod 11)
• 32 = 9 mod 11• 38 = (((9)2)2 mod 11 = 5 mod 11• 316 = 52 mod 11 = 3 mod 11
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 28
ZK as a basic building blockZero-knowledge (ZK) proof of knowledgeZero-knowledge (ZK) proof of knowledge Schnorr identificationSchnorr identification
Schnorr signatureSchnorr signature
U-Prove issuanceU-Prove issuance
Blind signatureBlind signature
U-Prove showingU-Prove showing
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 29
U-Prove
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 30
Crypt assumptionsDiscrete logarithm assumptionDiscrete logarithm assumption
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 31
Schnorr identification
• Complete (P: “If I know, I can convince you.”)• Sound (V: “If you don’t know, you cannot convince me.”)• Zero-knowledge
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 32
From outside
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 33
Simulation Zero-knowledgeness
Real communication Simulated communication
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 34
Schnorr identification
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 35
Schnorr identification
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 36
Non-interactive Schnorr (Fiat—Shamir)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 37
Schnorr signature (freshness)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 38
Schnorr signature
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 39
Schnorr blind signature
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 40
Schnorr blind signature
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 41
Credential flow
Issuing
Showing
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 42
DL representation
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 43
Brands’ issuing protocol (U-Prove)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 44
Brands’ showing protocol (U-Prove)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 45
• Certain attributes are revealed• Others are proven in the token but remaining
hidden
R
Selective disclosure (U-Prove)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 46
Selective disclosure (U-Prove)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 47
RSA – preliminaries
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 48
Crypt assumptionsInteger factorization is hardInteger factorization is hard
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 49
RSA signature – recap
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 50
Strong RSA assumption
Integer factorization
Integer factorization
n p, q
RSA problemRSA problemc, e m
Strong RSA problemStrong RSA problemc m, e
c = me (mod n)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 51
Idemix – selective disclosure
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 52
Camenisch—Lysyanskaya signature
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 53
Idemix issuing protocol (CL)*
* without intervalsPlus: freshness with nonces! SPKs
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 54
Randomized CL-signature
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 55
Idemix showing protocol*
* without intervalsPlus: freshness with a nonce! SPK
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 56
CL showing: selective disclosure*
* without intervalsPlus: freshness with a nonce! SPK
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 57
U-Prove vs. Idemix
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 58
Comparison of functionalities
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 59
Performance (client)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 60
U-Prove selective disclosure
W. Mostowski, P. Vullers: Efficient U-Prove Implementation for Anonymous Credentials on Smart Cards
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 61
Future of anonymous credentials…
• ABC4Trust• NSTIC (discussion by Francisco Corella)• W3C Identity in the browser
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 62
Questions?
Gergely Alpargergely@cs.ru.nl
www.cs.ru.nl/~gergely
Recommended