University of Groningen - Mathematics department TNO ICT Security group
Master’s Thesis / Internship Luuk Danes
Smart card integration in the pseudonym system idemix
2
Introduction
• Master’s Thesis for Mathematics
• Internship at TNO ICT
• Presentation for the TNO ICT Security Group (May 2007):
  • The properties of idemix
  • Aspects on privacy and identity theft
  • Ideas for implementation
• This presentation:
  • Less about the properties of idemix
  • More about protocols and mathematics
  • Integration of a smart card in idemix
3
Overview
• Context
• idemix
• Use case
• Smart card integration
• Building blocks of idemix
• Zero-knowledge proofs
• Complications on smart card integration
• Solutions for smart card integration
4
Context / pseudonymity
• A new approach: do not ask for an identity, ask for what you need.
• Using pseudonyms: it does not matter which identity someone has, but which credentials he owns.
• If an organisation does not have your identity information, it cannot leak or link it.
• Unlinkability
5
idemix
• IdeMix: identity mixer
• A pseudonym system, developed by IBM
• It consists of mathematical protocols
• Pseudonyms
  • A user communicates under pseudonyms with organisations
  • A pseudonym is bound to an identity
• Credentials
  • Organisations sign combinations of a pseudonym and a statement concerning the user
6
Use case: Car Rental (Rent-a-car)
7
Use case: Car Rental
[figure: the customer says "My name is Alex"; the rental company's authorisation asks for Name, Date of Birth, Place of Birth, Address, Social Security Number]
8
Use case: Car Rental using idemix
[figure: authorisation: "I am Alex", "Alex owns a driver’s license"; "I am Bob", "Bob owns a driver’s license"]
9
Can we integrate a smart card in idemix?
10
Building blocks of idemix
• Setup
  • User’s master key $x_U$
  • Public key of an organisation $(n_O, a_O, b_O, d_O, g_O, h_O)$
    • $n_O$ special RSA modulus, $n_O = pq = (2p'+1)(2q'+1)$
    • $a_O, b_O, d_O, g_O, h_O$ in the group of quadratic residues $QR_{n_O}$
• FormNym
  • Pseudonym of a user with an organisation $P_{UO}$
    • Binding to $x_U$
    • Hiding $x_U$
    • $P_{UO} = a_O^{x_U} b_O^{s_{UO}} \bmod n_O$
• GrantCred
  • Credential triples $(c, e, r)$: ‘an RSA signature on the combination of a pseudonym and a credential identifier’
    • $c^e = P_{UO}\, b_O^{r}\, d_O \bmod n_O$
    • $c = (P_{UO}\, b_O^{r}\, d_O)^d$ with $d$ such that $de \equiv 1 \pmod{\phi(n_O)}$
11
Building blocks of idemix
• VerifyCred
  • Verify that the user owns a triple $(c, e, r)$ such that $c^e = P_{UO}\, b_O^{r}\, d_O \bmod n_O$ for a specific credential value $d_O$
  • Check that it is bound to the user’s master key $x_U$
  • The values $c, e, r, x_U, s_{UO}$ must remain secret to avoid linkability
• VerifyCredOnNym
  • Verify that the user owns a triple $(c, e, r)$ obtained from the Issuer, and that the pseudonyms at the Issuer and at the Verifier are bound to the same user
  • As in VerifyCred, but also check whether $P_{UI}$ and $P_{UV}$ are bound to the same $x_U$
12
Use case: Car Rental using idemix
[figure: authorisation as before ("I am Alex", "Alex owns a driver’s license"; "I am Bob", "Bob owns a driver’s license"), now labelled "Zero-knowledge proof"]
13
Zero-knowledge proof: Ali-Baba
[figure: the Ali Baba cave, with Peggy (prover) and Victor (verifier)]
14
Zero-knowledge proof: Schnorr
Public: $X = g^x \bmod p$. The prover P knows $x$; the verifier V knows only $X$.
• Commitment (P → V: $R$): choose $r$ at random in $[0, p-1]$, calculate $R = g^r \bmod p$
• Challenge (V → P: $c$): choose $c = 0$ or $1$
• Response (P → V: $s$): calculate $s = r + c x \bmod (p-1)$
• Verification: check whether $g^s = g^r g^{cx} = R X^c \bmod p$
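The Schnorr protocol of this slide written out as runnable Python. This is an added example, not code from the thesis or from idemix; the prime p = 2^127 - 1, the element g = 5 and the 40-round repetition are assumptions of the example chosen for illustration, not parameters taken from the slides.

```python
# Added example (not from the thesis or from idemix): the Schnorr-style protocol with a
# binary challenge c in {0, 1}. Constructed parameters: p = 2^127 - 1 is a Mersenne prime
# (far too small for real use) and g = 5 is an arbitrary element of Z_p^*; the check
# only relies on g^(p-1) = 1 mod p.
import secrets

P = 2**127 - 1
G = 5


def keygen():
    """Prover's secret x and the public value X = g^x mod p."""
    x = secrets.randbelow(P - 1)
    return x, pow(G, x, P)


def prover_commit():
    """Commitment: r at random in [0, p-1), R = g^r mod p. Returns (r kept, R sent)."""
    r = secrets.randbelow(P - 1)
    return r, pow(G, r, P)


def prover_respond(r, c, x):
    """Response to challenge c: s = r + c x mod (p-1)."""
    return (r + c * x) % (P - 1)


def verify(X, R, c, s):
    """Verification: g^s == R X^c mod p, i.e. g^(r + c x) == g^r (g^x)^c."""
    return pow(G, s, P) == R * pow(X, c, P) % P


def run_protocol(x, X, rounds=40):
    """Repeat the three moves with a fresh random bit c each round. One round only
    catches a prover without x with probability 1/2 (he could have prepared R for one
    of the two challenges), so after 40 rounds the remaining error is 2^-40."""
    for _ in range(rounds):
        r, R = prover_commit()          # P -> V: R
        c = secrets.randbelow(2)        # V -> P: c = 0 or 1
        s = prover_respond(r, c, x)     # P -> V: s
        if not verify(X, R, c, s):
            return False
    return True


if __name__ == "__main__":
    secret, public = keygen()
    print("honest prover accepted:", run_protocol(secret, public))
```

The same r and R are used for both challenge values in the test only to show why the two answers together would leak x: from s for c = 1 and s for c = 0 one computes x = s_1 - s_0 mod (p-1), which is exactly why a fresh r is drawn every round.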
15
Proof of knowledge of commitment opening
Public: $X = g^x h^r \bmod n$. The prover P knows $x, r$; the verifier V knows only $X$.
• Commitment (P → V: $R$): choose $r_1, r_2$ at random in $[0, 2^{L_r})$, calculate $R = g^{r_1} h^{r_2} \bmod n$
• Challenge (V → P: $c$): choose $c$ at random in $[0, 2^{L_c})$
• Response (P → V: $s_1, s_2$): calculate $s_1 = r_1 + c x$ in $\mathbb{Z}$, $s_2 = r_2 + c r$ in $\mathbb{Z}$
• Verification: check whether $R X^c = g^{s_1} h^{s_2} \bmod n$
16
Zero-knowledge proofs for VerifyCred and VerifyCredOnNym
• VerifyCred
• VerifyCredOnNym
17
A complication: the smart card
• A smart card contains a microprocessor…
  • …but cannot be compared to a desktop PC!
• idemix uses heavy calculations: exponentiations with large numbers
• An example: a single modular exponentiation with 1024-bit numbers (read in slide order as base, exponent, modulus and result; the modulus is the RSA-1024 challenge number):
base:
7013000258548773281133802936979029275099074080163480608318827013660038389437689460544053073329681466827545934060726847978297341102074276355801925688083211771943935266718197425726773408111960575720453978337676152347563715881277780861723460280649870108203093127958014879038780492417171168767551456133842819854
exponent:
76152975134493896342316580079988669967664159646389215023630080838741997955792050706289259074782565561093737224996682680072825033231130971000565613558230979346118664186677897213109730811414004300898673243381813034322659709590300235658417873375122887185724692840829802563143700262103910200639706081203658025999
modulus:
135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563
result:
32395047257389933651665486724416025722572979703763044539188730413808452785341898771314904444469602336922226959799217892915638692602869771931032375134406804291168265137164720027740223721996018236503537923186072058477350438818347594952548224194423911032628667272843550471671496192090336051552058830620843966126
• Time for this one exponentiation: ≈ 60 ms on a desktop PC versus ≈ 1.5 sec on a smart card
18
Solution 1: Optimising the interval proofs
• Exact interval proofs (Boudot 2000) cost about 22 exponentiations per interval.
• We can use expanded interval proofs instead.
• The Prover starts with $X = g^x h^r \bmod n$ with $x \in [a, b]$.
• The Verifier checks whether the response $s_1$ ($= r_1 + c x$) lies in the correct interval. Then he is convinced that $x \in [\,a - m(b-a),\ b + m(b-a)\,]$.
[figure: the interval $[a, b]$ drawn inside the expanded interval $[a - m(b-a),\ b + m(b-a)]$, labelled "$x_U$" and "secure master key interval"]
19
Solution 2: Distribution of computation load
• Untrusted terminal (pay terminal)
  • We may give no information to the terminal, because pseudonyms and credentials are ‘linking information’
• Trusted terminal (phone, digital wallet)
  • Distribution of computation load
  • We can keep the user’s master key on the smart card and give the pseudonyms and credentials to the terminal.
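The proof of knowledge of a commitment opening from the earlier slide, combined with the expanded interval check of Solution 1 and the card/terminal split of Solution 2, as one added Python example. It is not code from the thesis or from the idemix library: the modulus built from two Mersenne primes, the bit lengths L_C and L_Z, the expansion factor m = 2^(L_C+L_Z) + 2^L_C, the shift of x by a in the response, and the Card and Terminal classes are all assumptions of this example.

```python
# Added example (not from the thesis or from idemix): the proof of knowledge of a
# commitment opening X = g^x h^r mod n, extended with the expanded interval check on s1
# and with the prover's work split between a card (holding x) and a terminal (holding r).
# Constructed parameters: n = p*q from two Mersenne primes (about 216 bits; real idemix
# uses a 1024-bit special RSA modulus), g and h are squares, hence quadratic residues.
import secrets

P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
G, H = pow(3, 2, N), pow(5, 2, N)
L_C = 80                    # challenge length in bits
L_Z = 40                    # statistical-hiding slack in bits
M = 2**(L_C + L_Z)          # r1 is drawn from [0, M*(b-a)), so s1 hides c*(x-a)
M_EXP = M + 2**L_C          # expansion factor m: x is shown to lie in [a - m(b-a), b + m(b-a)]


def commit(x, r):
    """X = g^x h^r mod n (with g = a_O, h = b_O this is an idemix pseudonym P_UO)."""
    return pow(G, x, N) * pow(H, r, N) % N


class Card:
    """Holds only the master key x and does a single exponentiation per proof."""

    def __init__(self, x):
        self._x, self._r1 = x, None

    def commit(self, a, b):
        self._r1 = secrets.randbelow(M * (b - a))   # r1 at random in [0, M*(b-a))
        return pow(G, self._r1, N)                  # the card's share g^r1 mod n

    def respond(self, c, a):
        # s1 = r1 + c*(x - a) over the integers. This example shifts x by the interval
        # bound a so that the verifier's range check does not depend on c.
        return self._r1 + c * (self._x - a)


class Terminal:
    """Holds the commitment randomness r (the pseudonym's s_UO), never x, and combines
    the card's share with its own."""

    def __init__(self, r):
        self._r, self._r2 = r, None

    def commit(self, card_share):
        self._r2 = secrets.randbelow(M * N)          # r2 at random, wide enough to hide c*r
        return card_share * pow(H, self._r2, N) % N  # R = g^r1 h^r2 mod n

    def respond(self, c):
        return self._r2 + c * self._r                # s2 = r2 + c*r over the integers


def verify(X, R, c, s1, s2, a, b):
    """Verifier: the algebraic check R X^c = g^(s1 + c*a) h^s2 mod n (the +c*a undoes the
    prover's shift) plus the expanded interval check 0 <= s1 < m*(b-a). An honest prover
    with x in [a, b] always passes; an accepting s1 only convinces the verifier that x
    lies in the m times wider interval."""
    in_range = 0 <= s1 < M_EXP * (b - a)
    algebra = R * pow(X, c, N) % N == pow(G, s1 + c * a, N) * pow(H, s2, N) % N
    return in_range and algebra


def run_proof(card, terminal, X, a, b, c=None):
    """One execution of the three-move protocol; the verifier draws c unless it is fixed."""
    R = terminal.commit(card.commit(a, b))                 # Commitment: R
    if c is None:
        c = secrets.randbelow(2**L_C)                      # Challenge: c in [0, 2^L_c)
    s1, s2 = card.respond(c, a), terminal.respond(c)       # Response: s1, s2
    return verify(X, R, c, s1, s2, a, b)


if __name__ == "__main__":
    x_u, s_uo, a, b = 12345, 987654321, 10000, 20000
    X = commit(x_u, s_uo)
    print("accepted:", run_proof(Card(x_u), Terminal(s_uo), X, a, b))
```

The card computes only g^{r1} mod n and one integer multiplication, while the terminal, which holds the pseudonym randomness but never x_U, does the remaining exponentiation and the combination; this is the load split of the trusted-terminal case. The range check on s1 is what turns the plain opening proof into the expanded interval proof: a key far outside [a, b] still satisfies the algebraic equation but is rejected by the interval check.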
20
Solution 2: Distribution of computation load
21
Conclusions
• For security: integration of a smart card in idemix has to be done with a lot of care. (not mentioned earlier in this talk)
• No exact interval proofs are needed; use expanded interval proofs instead.
• With an untrusted terminal all user-side calculations have to be done on the smart card → VerifyCredOnNym takes about 17 seconds.
• With a trusted terminal the calculations can be distributed over the smart card and the terminal → VerifyCredOnNym takes about 6 seconds.
• It is possible to integrate a smart card in idemix (in such a manner that users do not have to wait too long).
22
More information…
• Website about this thesis: http://www.luukluuk.nl/idemix
23
Questions?
24
www.luukluuk.nl/idemix
Thank you for your attention
25