Pseudonym and Anonymous Credential Systems
Gihyuk Ko
Carnegie Mellon University
slides from Kyle Soska
Moving Past Encryption
โข Encryption DOES:โข Hide the contents of messages that are being communicated
โข Provide tools for authenticating messages
โข Encryption DOES NOT:โข Hide who is communicating with who
โข Hide an upper bound on how much they are communicating
โข Hide timing information or other aspects of the communication
Sensitive Information
Alice Employer
(Name, Birthday, SSN, Employee Review)
(Name, Birthdate, SSN, Patient File, โฆ)
(Name, Birthdate, SSN, Prescriptions, โฆ)
(Name, Birthdate, SSN, DNA Fingerprint, โฆ)
Hospital
Pharmacy
DNA ProfilingLaboratory
Information Sharing Concerns
(Alice, 1-1-1970, 123-45-6789, Patient File, โฆ)
SELECT * FROM patients WHEREName = โAliceโ and SSN = 123-45-6789
โข An employer and a hospital could share information to give the employer Aliceโs medical records
โข The employer could learn that Alice is going to have a baby soon or that she has some illness and choose to fire her
Sensitive Information
โข Problem: Alice uses her real identity (personally identifying information) to authenticate to different organizations
โข These organizations can collude and share data to learn a lot about Alice that she does not want them to know
โข Employer learns that she is going to have a baby
โข Insurance company learns that she has a genetic pre-disposition for cancer
โข Etc.
โข Question: How do we resolve this problem?
โข Idea: Donโt use real personal information to authenticate to these organizations
Sensitive Information
xXA1ic3Xx
(xXA1ic3Xx, Birthday, Employee Review)
(xXA1ic3Xx, Birthdate, Patient File, โฆ)
(xXA1ic3Xx, Birthdate, Prescriptions, โฆ)
(xXA1ic3Xx, Birthdate, DNA Fingerprint, โฆ)
Employer
Hospital
Pharmacy
DNA ProfilingLaboratory
Sensitive Information
โข Problem: Even if Alice uses a Nym not connected with her real identity, if she uses the same Nym with different organizations, then data-sharing attacks are still possible
โข Data sharing attacks are leverage the fact that Aliceโs Nyms are linkable, information associated with one of her Nyms can be linked to her other Nyms
โข Idea: Use a different Nym for each organization
Nym Linkability
ID DOB SSN
Alice 1-1-1970 123-45-6789
Bob 1-1-2000 111-11-1111
Charlie 12-31-1999 555-55-5555
David 7-7-1970 777-77-777
ID DOB SSN
April 4-20-1996 001-01-1101
Alyssa 1-1-1970 123-45-6789
Charlie 12-31-1999 555-55-5555
Don 8-8-1991 999-99-9999
Different name but same value for a unique field, and same birthday
employee-listpatient-list
Sensitive Information
{xXA1ic3Xx, aLiCe, yasuo_only, rengar_only}
(xXA1ic3Xx, Birthday, Employee Review)
(aLiCe, Birthdate, Patient File, โฆ)
(yasuo_only, Birthdate, Prescriptions, โฆ)
(rengar_only, Birthdate, DNA Fingerprint, โฆ)
Employer
Hospital
Pharmacy
DNA ProfilingLaboratory
Sensitive Information
โข Problem: What happens when different organizations do need to communicate?
โข Ex. Hospital needs to transfer prescriptions to pharmacy
โข We want selective information disclosure
โข Problem: Users can share identities with each other
โข Alice wants to share her medical insurance with all of her friends
How to share information?
{aLiCe, yasuo_only}
(aLiCe, Birthdate, Patient File, โฆ) (yasuo_only, Birthdate, Prescriptions, โฆ)
Prescription foraLiCe I donโt know who aLiCe is,
you are yasuo_only
If prescriptions written for aLiCe were able to be redeemed by yasuo_only, then Alice could sell her prescription to someone else, or her prescription could be stolen etc.
Hospital Pharmacy
Paradox of Information Sharing & Unlikability
โข Organization 1 and Organization 2 want to exchange important information about Alice
โข Ex. A Drug Prescription
โข The organizations need to make sure they are referring to the same person, (the identities are linkable)
โข The pharmacy needs to make sure that Alice is really the person that the prescription was written for
โข Aliceโs identities need to be unlinkable so that nothing but the allowed informationcan be shared
Cryptography To The Rescue
โข Alice will generate a single master key (public, private)
โข Alice will register her key pair with a trusted CA, her key pair will be her nym with the CA
โข Alice establishes a different nym with each organization such that her interactions with each organization are unlinkableโข Does not consider timing information or side channels
โข An organization can grant Alice a credential that attests to some property
โข Alice can convince another organization of some property by showing them a credential that was previously granted to Aliceโข This process is referred to as transferring a credential
Actors and Objects
โข ๐ช๐จ: Unique certification authority, trusted by all actors in the system
โข ๐ผ: A user (Possibly many users)
โข ๐ท๐ผ, ๐บ๐ผ: Master public key and secret key of ๐
โข ๐(๐, ๐): Set of nyms ๐ has generated with ๐
โข ๐(๐): Set of nyms ๐ has generated with anyone
โข ๐ถ: An organization (Possibly many organizations)
โข ๐ท๐ถ, ๐บ๐ถ: Master public key and secret key of ๐
โข ๐ท๐ถ๐ช , ๐บ๐ถ
๐ช : Public and secret key of ๐ for credential ๐ถ
โข ๐ต(๐ถ): Set of nyms ๐ has generated with any user
โข ๐๐,๐: User Uโฒs nym with organization ๐
โข ๐บ๐๐๐: Asymmetric key generation algorithm for generating master keypair
CA
๐1, ๐๐1,๐ถ๐ด ๐2, ๐๐2,๐ถ๐ด
๐, (๐๐, ๐๐)
1. Establish ๐๐,๐ถ๐ด
2. Establish ๐๐,๐13. Establish ๐๐,๐2
4. ๐ช๐ผ,๐ถ๐ 5. ๐ช๐ผ,๐ถ๐
System Overview
Organization 1 Organization 2
credential
Intuitive Goals
1. We want a system where users can create pseudonyms with different organizations, possibly multiple pseudonyms with the same organization
2. No set of organizations can collaborate to link pseudonyms of a user, an organization cannot link the multiple pseudonyms from the same user
3. A user can prove a statement from one organization to another organization using credential transfer
โข Ex. The hospital has granted a prescription for Alice to the pharmacy
4. No set of users or organizations can forge a credential
5. Users cannot share credentials with each other
โข A user cannot give their health insurance to a friend
Generating Userโs Master Key
โข User master key generation: User generates a master key pair derived from the computational discrete log problemโข ๐ = 2๐ + 1 for ๐, ๐ large ๐-bit prime numbers
โข ๐บ๐ = ๐๐ โค๐ = ๐ is the quadratic residue subgroup of โค๐ which has order ๐
โข Let ๐ โ ๐บ๐ be a public generator
โข User selects ๐ฅ โ๐ โค๐ and computes ๐๐ฅ ๐๐๐ ๐
โข Userโs Private Key: ๐ฅ
โข Userโs Public Key: ๐๐ฅ ๐๐๐ ๐
โข The user shares this public key with the CA. The CA checks that Alice is a real person and that she has not already registered an account with the system
๐1, ๐๐1,๐ถ๐ด ๐2, ๐๐2,๐ถ๐ด
๐๐ด, (๐๐,๐ด, ๐๐,๐ด)
1. Establish ๐๐,๐1 2. Establish ๐๐,๐2
3. ๐ช๐ผ๐จ,๐ถ๐ 5. ๐ช๐ผ๐จ,๐ถ๐
โข We want a scheme that lets Alice can โredeemโ ๐ถ๐๐ด,๐1, but not Bob
โข How can we achieve this? What is the difference between Alice and Bob?
๐๐ต , (๐๐,๐ต, ๐๐,๐ต)
6. ๐ช๐ผ๐จ,๐ถ๐
4. ๐ช๐ผ๐จ,๐ถ๐
Transferring Credentials
Transferring Credentials
โข ๐๐ด and ๐๐ต have different nyms at ๐1 and ๐2, namely ๐๐๐ด,๐1 โ ๐๐๐ต,๐2, ๐๐๐ด,๐2 โ ๐๐๐ต,๐2โข What if the credential ๐ถ๐๐ด,๐1 carries information about ๐๐๐ด,๐1?
โข What if the credential ๐ถ๐๐ด,๐1 carries information about ๐๐๐ด,๐2?
โข Credentials are supposed to be unlinkable, so tying the credential to the userโs nyms is not good!
โข ๐๐,๐ด, ๐๐,๐ด โ ๐๐,๐ต, ๐๐,๐ตโข What if the credential ๐ถ๐๐ด,๐1 carries information about ๐๐,๐ด?
โข What if the credential ๐ถ๐๐ด,๐1 carries information about ๐๐,๐ด?
โข Secret keys must be kept secret and public keys can be forged by anyone since they are public!
Userโs Master Key
โข All of the actions that a user performs are somehow tied to their master secret key
โข A userโs nym with the CA is their public key
โข A userโs nyms with other organizations are derived from their master secret key
โข Transferring a credential requires computations with the master secret key
โข Corollary: sharing a credential requires sharing the master secret key which is sufficient for identity theft
Generating Nyms
โข Secure interactive protocol between two parties ๐: ๐๐ , ๐๐ , ๐: ๐๐, ๐๐
โข Public Input: ๐๐, the public key of the organization
โข Userโs Private Input: ๐๐ , ๐๐
โข Organizationโs Private Input: ๐๐
โข Common Output: ๐๐,๐
โข Private User Output: ๐๐ผ๐,๐๐
โข Private Organization Output: ๐๐ผ๐,๐๐
๐๐, ๐๐๐๐, ๐๐ , ๐๐
I want to generate a nym with you
Interactive nym generation protocol
๐๐, ๐๐ , ๐๐, ๐บ๐ฐ๐ผ,๐ถ๐ผ , ๐ต๐ผ,๐ถ ๐๐, ๐๐ , ๐๐, ๐บ๐ฐ๐ต,๐ถ
๐ถ , ๐ต๐ผ,๐ถ
Generating Nyms
Zero Knowledge Proofs
โข Interactive protocol between a prover ๐ and a verifier ๐
โข ๐ wants to prove to ๐ that he knows something, but without revealing any information other than that โhe knows somethingโ
โข Soundness: ๐ cannot prove false statements to the ๐
โข Completeness: Proofs of true statements by ๐ will be accepted by ๐
โข Zero Knowledge: ๐ will not learn anything other than the truth of the statement being proven
ZK Proof Example
โข Alice (the prover ๐) wants to prove to Bob (the verifier ๐) that she knows how to unlock the door
โข If she let him watch her open the door, it would convince him that she knows how, but he might learn something about how she does it
โข Instead they devise the following game to convince Bob that Alice knows how to unlock the door
โข Start with a locked door
ZK Proof Example
โข Bob goes and hides and lets Alice pick one of the hallways to walk down
โข Alice flips a coin and picks either left or right to walk down
โข Heads = Leftโข Tails = Right
ZK Proof Example
โข Bob flips a coinโข Heads = Leftโข Tails = Right
โข Bob then yells down the hallway and demands that Alice appear from that side
โข If Alice is already on the same side she simply walks out
ZK Proof Example
โข Bob flips a coinโข Heads = Leftโข Tails = Right
โข Bob then yells down the hallway and demands that Alice appear from that side
โข If Alice is already on the same side she simply walks out
โข If Alice is on the wrong side she needs to unlock the door
ZK Proof Example
โข Is this sound? Can Alice prove false statements to Bob?
โข Is this complete? Will Bob always accept true statements?
โข Is this zero-knowledge? Does Bob learn anything other than the truth about whether or not Alice can unlock the door?
ZK Proof Example
โข Can Bob convince Charlie that Alice knows how to unlock the door?
โข If the proof fails, if Alice comes out from the wrong side, does this prove that Alice does not know how to unlock the door?
What does Zero Knowledge mean?
โข What does it mean to say that ๐ does not learn any knowledge other than the truth of the statement being proven?โข What is knowledge? โ Hard question, will not attempt to answer
โข What does it mean to say that ๐ gained no knowledge?
โข What does it mean to say that ๐ gained no knowledge?โข ๐ after executing the protocol cannot do anything that ๐ฝ cannot already do
โข in particular ๐โฒ๐ ability to compute statements
โข Even the protocol generated by the proof interactions between ๐ and ๐ could have been generated by ๐
โข To prove that ๐ gained no knowledge from the interaction, we construct an algorithm called a โsimulatorโ where ๐ generates a transcript of the protocol that is indistinguishable from a real interaction with ๐
ZKP of Equality of Discrete Logarithm
โข ๐: Prover
โข ๐: Verifier
โข Common Input: ๐, ๐โฒ โ๐ โค๐ ร โค๐ generators, โ, โโฒ โ โค๐ ร โค๐
โข ๐ wants to convince ๐ that it knows an ๐ฅ โ โค๐ s. t. โ = ๐๐ฅ, โโฒ = ๐โฒ๐ฅ
โข ๐ does not want ๐ to learn the value of ๐ฅ or otherwise be able to compute it any easier because of their interaction
โข We will use an interactive zero-knowledge protocol to prove this statement
ZKP of Equality of Discrete Logarithm
๐ โ ๐: Choose ๐ โ๐ โค๐, Send ๐ด = ๐๐, ๐ต = ๐โฒ๐
๐ โ ๐: Choose ๐ โ๐ โค๐, Send (๐)
๐ โ ๐: Send (๐ฆ = ๐ + ๐๐ฅ ๐๐๐ ๐)
๐: Check that ๐๐ฆ = ๐ดโ๐ and ๐โฒ๐ฆ = ๐ตโโฒ๐
Check:๐๐ฆ = ๐๐+๐๐ฅ = ๐๐๐๐๐ฅ = ๐ด๐๐๐ฅ = ๐ดโ๐
๐โฒ๐ฆ = ๐โฒ๐+๐๐ฅ = ๐โฒ๐๐โฒ๐๐ฅ = ๐ต๐โฒ๐๐ฅ = ๐ตโโฒ๐
โข Is this sound?
โข Is this complete?
โข Is this zero-knowledge?
โข If the prover showed this protocol to the verifier a few days later, would the verifier recognize it?
โข Produce a โblindedโ version of the protocol where it will not be recognized.
โข Transcripts: {(A,B), (c), (y)}
โข Can someone get any information on x from this?
๐๐, ๐๐๐๐, ๐๐ , ๐๐
I want to generate a nym with you
Interactive nym generation protocol
๐๐, ๐๐ , ๐๐, ๐บ๐ฐ๐ผ,๐ถ๐ผ , ๐ต๐ผ,๐ถ ๐๐, ๐๐ , ๐๐, ๐บ๐ฐ๐ต,๐ถ
๐ถ , ๐ต๐ผ,๐ถ
Generating Nyms
Nym Generation Protocol
โข ๐: ๐๐ , ๐๐ , ๐๐ = ๐๐ฅ, ๐ฅ , ๐๐ฆ
โข ๐: ๐๐, ๐๐ = (๐๐ฆ , ๐ฆ)
๐: Choose ๐พ โ๐ โค๐, Set ๐โฒ = ๐๐พ , ๐โฒ = ๐โฒ๐ฅ
๐ โ ๐: Send ๐โฒ, ๐โฒ
๐: Choose ๐ โ๐ โค๐, Set ๐ = ๐โฒ๐
๐ โ ๐: Send ๐
๐: Compute ๐ = ๐๐ฅ
๐ โโ ๐: Execute ฮ to show that log๐ ๐ = ๐๐๐๐โฒ ๐โฒ
๐, ๐: Remember ๐โฒ๐ nym as ๐ = ๐, ๐
Issuing Credential
โข ๐: ๐๐, ๐๐ , ๐๐ = ๐๐ฅ, ๐ฅ , ๐๐ฆ, ๐๐,๐ = ๐, ๐ = ๐๐ฅ = ๐๐พ๐ , ๐๐พ๐๐ฅ
โข ๐: ๐๐, ๐๐ = ๐๐ฆ, ๐ฆ , ๐๐,๐ = (๐, ๐)
โข Public Credential Key: ๐, โ1, = ๐๐ 1 , โ2 = ๐๐ 2 , Secret Credential Key: ๐ 1, ๐ 2
๐ โ ๐: Send ๐ด = ๐๐ 2 , ๐ต = ๐๐๐ 2 ๐ 1
๐: Choose ๐พ โ๐ โค๐
๐ โโ ๐: Run ฮ to show log๐ ๐ด = log๐ โ2 with verifier input ๐พ, Obtain transcript ๐1
๐ โโ ๐: Run ฮ to show log(๐,๐ด) ๐ต = log๐ โ1 with verifier input ๐พ, Obtain transcript ๐2
๐: Remember credential ๐ถ๐,๐ = (๐๐พ , ๐๐พ, ๐ด๐พ, ๐ต๐พ , ๐1, ๐2)
Transferring Credential
โข ๐โฒ๐ public credential keys: ๐, โ1 = ๐๐ 1 , โ2 = ๐๐ 2
โข ๐โฒ๐ nym with ๐โฒ: (๐โฒโฒ, ๐โฒโฒ) where ๐โฒโฒ = ๐โฒโฒ๐ฅ
โข Userโs credential from ๐: ๐ถ๐,๐ = ๐โฒ, ๐โฒ, ๐ดโฒ, ๐ตโฒ, ๐1, ๐2
๐โฒ: Verify correctness of ๐1 and ๐2 as transcripts for ฮ ๐๐ผ
by showing log๐โฒ ๐ดโฒ = log๐ โ2 and log๐โฒ๐ดโฒ ๐ต
โฒ = log๐ โ1
๐ โโ ๐โฒ: Execute protocol ฮ to show log๐โฒ ๐โฒ = log๐ ๐
Single-Use / Multiple-Use Credentials
โข Single-Use Credential: May safely be used once, but if used more than once, it would allow the userโs nyms to be linked together
โข Multiple-Use Credential: May safely be used unlimited times without allowing the userโs nyms to be linked
โข K-Use Credentials?โข Can you create a credential that can be used a finite number of times before being able to link
together a userโs nyms?
โข Yes, but its hard and very complicated
Expiration Date
โข Add a date field into the non-interactive proof protocol such that the verifier only accepts if the current date is less than the expiration date
โข Also needs to add corresponding fields into the credential and the corresponding machinery when verifying the credential
Revocation of Credential
โข This is going to require a trusted third party like CA
โข Revocations would have to be input with the CA
โข When a credential is used, before it is verified, the organization will check with the CA to see if the credential has been revoked
Are there other problems here?
{aLiCe, yasuo_only}
(aLiCe, Birthdate, Patient File, โฆ) (yasuo_only, Birthdate, Prescriptions, โฆ)
Prescription foraLiCe I donโt know who aLiCe is,
you are yasuo_only
Credentials for a Review System?
{aLiCe} {b0B}
Interactive Point of Sale
Leave a ReviewQuery Reviews
Thanks!