Anonymous Credentials Gergely Alpár Collis – November 24, 2011

November 24, 2011. (Collis) G. Alpár: Anonymous credentials 2

Crypt assumptions

Crypt assumptions

My assumptions

• Modular computation: addition, multiplication
• Public-key cryptography
• (PKI)
• Cryptographic hash function
• Concatenation

Overview

• Zero-knowledge proof of knowledge
• Credentials
• Discrete logarithm preliminaries
• U-Prove
• RSA preliminaries
• Idemix
• Comparison

Zero-knowledge proofs

Current practice

I know the password!

I don’t believe you.

It’s wachtw0ord2011

Yes, indeed.

Zero-knowledge proof

I know the secret!

I don’t believe you.

I can prove it.

I'll believe it when I see it.

No, I don’t show it, but I’ll convince you that I know it.

A hard problem

Waldo and ZK

Where’s Waldo?

Source: findwaldo.com // The Gobbling Gluttons

Idea: Moni Naor et al. How to Convince Your Children You are not Cheating, 1999

ZK – Ali Baba’s cave

Credentials

Credential flow

Anonymity requirements

• Untraceability
• Multi-show unlinkability
• Selective disclosure
• Attribute property proof
• Revocation by user
• Revocation by issuer

[Figure labels: Age > 18; Valid]

High-level approaches

• Every time: issuing before showing (U-Prove, 1999)
  – Untraceability
• Showing with zero-knowledge proof (Idemix, 2001)
  – Untraceability and unlinkability
• Randomize (self-blindable, 2001)
  – Unlinkability and untraceability

History of anonymous credentials

• 1976: Public-key crypto (Diffie & Hellman)
• 1978: RSA
• 1981: Digital pseudonym (Chaum)
• 1985: Zero-knowledge proof (GMR)
• 1986: Non-interactive ZK (Fiat & Shamir)
• 1990-91: Schnorr identification and signature
• 1999: U-Prove crypto (Brands)
• 2001: Idemix crypto (Camenisch & Lysyanskaya)
• 2002: Idemix Java implementation
• 2009: Light-weight Idemix impl. (IBM)
• 2010: Microsoft’s U-Prove impl.
• 2010-14: ABC4Trust (IBM & MS)

Discrete logarithm – preliminaries

Modular computation

$a^x \bmod n$

$\log_a x \bmod n$

$7^3 = 14 \bmod 47$

$7^3 = 343 = 7 \cdot 47 + 14$

$\log_7 14 = 3 \bmod 47$

Modular exponentiation

[Plot: $10^x \bmod 53$ against $x$; points labelled $10^1$, $10^2$, $10^3$, $10^4$ and $10^{13}$]

Discrete logarithm (p = 53, q = 13)

[Plot: $10^x \bmod 53$ against $x$]

$\log_{10} 24 = ? \bmod 53$

Discrete logarithm (p = 389, q = 97)

[Plot: $13^x \bmod 389$ against $x$]

$\log_{13} 193 = ? \bmod 389$

$p \sim 2^{1024}$, $q \sim 2^{160}$

120647512938908028867388901435622501660544582652084763778469179795603511596928068284302347645679661284502756586088182980185380205485840303823342758131447025760358124071773512320456087558761236652680084522358687865972828438154299478474984622198115039866220934797393671281602442459774704328099491586290681366721842531452715241719233458597619542522728958116591 = 54908600274008470198448664033645016278929009692729460183531661597245923990838629299281250570649704467074998536491481089013147840556922261199819117470352438726889035130940581816459311611337430791063760559062579953505419658290163926050903654308761279654642666891806788178269114799030238674475936287917164274641 (mod 147540829457233765072451123330814771849279870508740658191364766390571127595133276091294946062334381927384270351919254939797952329145575009188956176344993292905052474988906261438800251337646245695529118629813762877963253295780055957721171296243452181910303437299543284160580397044072404446659484077705433238843)

$g^b = h \pmod p$, where the order of $g$ is $q$

Efficiently computable

• Random numbers
  – 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8, 8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9
• Modular addition and multiplication
  – $a \cdot b + c \pmod n$
• Modular exponentiation
  – $3^{26} = 3^{(11010)_2} = 3^2 \cdot 3^8 \cdot 3^{16} = 3 \pmod{11}$
    • $3^2 = 9 \bmod 11$
    • $3^8 = ((9)^2)^2 \bmod 11 = 5 \bmod 11$
    • $3^{16} = 5^2 \bmod 11 = 3 \bmod 11$
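Added example (not from the slides): the square-and-multiply computation of 3^26 mod 11 traced above, next to an exhaustive discrete-logarithm search in the toy groups from the preceding slides. The function names are illustrative.

```python
def mod_exp(base, exponent, modulus):
    """Right-to-left square-and-multiply.

    Returns (result, used), where used lists (2^i, base^(2^i) mod modulus)
    for every set bit i of the exponent, i.e. the factors multiplied together.
    """
    result, square, used, i = 1 % modulus, base % modulus, [], 0
    while exponent > 0:
        if exponent & 1:                       # bit i of the exponent is set
            result = (result * square) % modulus
            used.append((1 << i, square))
        square = (square * square) % modulus   # base^(2^(i+1)) mod modulus
        exponent >>= 1
        i += 1
    return result, used


def discrete_log(g, h, p, q):
    """Exhaustive search for x in [0, q) with g^x = h (mod p).

    q is (an upper bound on) the order of g. Returns None when h is not
    a power of g.
    """
    value = 1
    for x in range(q):
        if value == h % p:
            return x
        value = (value * g) % p
    return None


if __name__ == "__main__":
    print(mod_exp(3, 26, 11))            # factors 3^2, 3^8, 3^16 as on the slide
    print(discrete_log(10, 24, 53, 13))  # the question posed for p = 53, q = 13
```

The exponentiation loop runs once per bit of the exponent, while the search takes up to q steps; with q around 2^160 the search is out of reach, which is what the discrete logarithm assumption relies on.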

ZK as a basic building block

• Zero-knowledge (ZK) proof of knowledge
• Schnorr identification
• Schnorr signature
• U-Prove issuance
• Blind signature
• U-Prove showing

U-Prove

Crypt assumptions

Discrete logarithm assumption

Schnorr identification

• Complete (P: “If I know, I can convince you.”)
• Sound (V: “If you don’t know, you cannot convince me.”)
• Zero-knowledge

From outside

Simulation Zero-knowledgeness

Real communication Simulated communication
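Added example (not from the slides): Schnorr identification in the toy group p = 53, q = 13, g = 10 used earlier, showing an honest run (completeness), a simulator that builds accepting transcripts without the secret (zero-knowledgeness), and a prover without the secret (soundness). It follows the standard Schnorr protocol; the secret b and public value h follow the g^b = h (mod p) notation above, while the message names a, c, r and all function names are assumptions.

```python
import secrets

P, Q, G = 53, 13, 10   # toy group: g = 10 has prime order q = 13 modulo p = 53


def keygen():
    b = secrets.randbelow(Q - 1) + 1          # prover's secret, 1 <= b < q
    return b, pow(G, b, P)                    # public h = g^b mod p


def verify(h, a, c, r):
    """Verifier's check: g^r == a * h^c (mod p)."""
    return pow(G, r, P) == (a * pow(h, c, P)) % P


def honest_run(b, h):
    """Real communication: commitment a, then challenge c, then response r."""
    w = secrets.randbelow(Q)                  # fresh randomness for every run
    a = pow(G, w, P)                          # prover -> verifier
    c = secrets.randbelow(Q)                  # verifier -> prover
    r = (c * b + w) % Q                       # prover -> verifier
    return (a, c, r), verify(h, a, c, r)


def simulate(h):
    """Simulated communication: choose c and r first, then solve for a.

    The secret b is never used, yet the transcript verifies and has the same
    distribution as a real one, so a transcript reveals nothing about b.
    """
    c, r = secrets.randbelow(Q), secrets.randbelow(Q)
    a = (pow(G, r, P) * pow(h, -c, P)) % P    # a = g^r * h^(-c) mod p
    return (a, c, r), verify(h, a, c, r)


def cheat(h, guess, c):
    """Prover without b: prepares a for challenge `guess`, then receives c."""
    r = secrets.randbelow(Q)
    a = (pow(G, r, P) * pow(h, -guess, P)) % P
    return verify(h, a, c, r)                 # accepted only when c == guess


if __name__ == "__main__":
    b, h = keygen()
    print("honest:   ", honest_run(b, h))
    print("simulated:", simulate(h))
    print("cheating: ", [cheat(h, 3, c) for c in range(Q)])
```

The only difference between the two transcripts is the order in which a, c and r were chosen; in the real interaction the verifier picks c after seeing a, so a cheating prover passes with probability 1/q per run.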

Schnorr identification

Schnorr identification

Non-interactive Schnorr (Fiat—Shamir)

Schnorr signature (freshness)

Schnorr signature

Schnorr blind signature

Schnorr blind signature

Credential flow

Issuing

Showing

DL representation

Brands’ issuing protocol (U-Prove)

Brands’ showing protocol (U-Prove)

Selective disclosure (U-Prove)

• Certain attributes are revealed
• Others are proven in the token but remain hidden

Selective disclosure (U-Prove)

RSA – preliminaries

Crypt assumptions

Integer factorization is hard

RSA signature – recap

Strong RSA assumption

• Integer factorization: n → p, q
• RSA problem: c, e → m
• Strong RSA problem: c → m, e

$c = m^e \pmod n$

Idemix – selective disclosure

Camenisch—Lysyanskaya signature

Idemix issuing protocol (CL)*

* without intervals

Plus: freshness with nonces! SPKs

Randomized CL-signature

Idemix showing protocol*

* without intervals

Plus: freshness with a nonce! SPK

CL showing: selective disclosure*

* without intervals

Plus: freshness with a nonce! SPK

U-Prove vs. Idemix

Comparison of functionalities

Performance (client)

U-Prove selective disclosure

W. Mostowski, P. Vullers: Efficient U-Prove Implementation for Anonymous Credentials on Smart Cards

Future of anonymous credentials…

• ABC4Trust
• NSTIC (discussion by Francisco Corella)
• W3C Identity in the browser

Questions?

Gergely [email protected]

www.cs.ru.nl/~gergely