Authentication without Identification. Jan Camenisch IBM Research - Zurich IBM Corporation

Transcription

1 Authentication without Identification Jan Camenisch IBM Research - Zurich

2 Facts We all increasingly conduct our daily tasks electronically...are becoming increasingly vulnerable to cybercrimes 2

3 Facts 33% of cyber crimes, including identity theft, take less time than to make a cup of tea. 3

4 Facts 10 Years ago, your identity information on the black market was worth $150. Today. 4

5 Facts $4'500'000'000 cost of identity theft worldwide 5

6 Houston, we have a problem! ﾩ 6

7 Houston, we have a problem! ﾩ Buzz Aldrin's footprints are still up there (Robin Wilton) 7

8 Computers don't forget % Apps built to use & generate (too much) data % Data is stored by default % Data mining gets ever better % New (ways of) businesses using personal data % Humans forget most things too quickly % Paper collects dust in drawers 8

9 Where's all my data? The ways of data are hard to understand % Devices, operating systems, & apps are getting more complex and intertwined Mashups, Ad networks Machines virtual and realtime configured Not visible to users, and experts Data processing changes constantly No control over data and far too easy to loose them 9

10 You have no privacy, get over it...?!? % Huge security problem! Millions of hacked passwords (100'000 followers $ ) Stolen credit card number ($5-2013) Stolen identity ($ , $ , $5 2013) Lots of not reported issues (industrial espionage, etc) % Difficult to put figures down Credit card fraud Spam & marketing Manipulating stock ratings, etc.. % We know secret services can do it easily, but they are not the only ones this is not about homeland security and there are limits to the degree of protection that one can achieve % end we have not event discussed social issues such as democracy etc % last but not least: data are the new money, so need to be protected 10

11 What can we do? % Most of the technology is there (but we have to use it) % Most of the legislation is there (but we have to enforce it) % Public awareness is growing (but we have to feed it) Privacy by Design! 11

12 of course there are limits... % tracing is so easy each piece of hardware is quite unique log files everywhere %. but that's not the point! it's not about NSA et al. active vs passive adversaries so, still, privacy 12 by design!

13 The real problem Applications are designed with the sandy beach in mind but are then built on the moon. Feature creep, security comes last, if at all Everyone can do apps and sell them Networks and systems hard not (well) protected 13

14 Security & Privacy is not a lost cause! We need paradigm shift & build stuff for the moon rather than the sandy beach! 14

15 Security & Privacy is not a lost cause! That means: % Reveal only minimal data necessary % Encrypt every bit % Attach usage policies to each bit Cryptography can do that! 15

16 Business Case for Privacy % Business case always depends on specific example % The bad news: data is money so every one wants it Big data, sensors, etc. Marketing % No data is easier to protect than lots of data e.g., losing credit card number % Privacy is part of security identity theft getting access to and manipulating systems, etc. % Laws are an important driver like many other technical areas, cf. cars 16

17 Privacy by Communication layer TOR, JAP, Authentication layer privacy-preserving attribute-based Application layer evoting, epolls,... all apps should be done as privacy by design 17

18 Cryptography at the network layer Anonymous communication e.g., mix networks, onion routing (TOR), DC-nets Bandwidth suffers Physical layer notoriously hard to protect 18

19 Privacy at the Authentication Layer Privacy Friendly Identity Management 19

20 What is an identity? work language skills marital status phone number public authority salary name credit card number address birth date hobbies shopping insurance blood group nick name leisure 20 health status health care

21 Identities Identity Management ID: set of attributes shared w/ someone attributes are not static: user & party can add ID Management: two things to make ID useful authentication means means to transport attributes between parties Control attributes with policies: define requested data define allowed usage (audience) Privacy by design minimal amount of data Privacy-preserving attribute-based credentials 21

22 Identities Authentication and attribute transfer 22

23 Alice wants to watch a movie at Movie Streaming Service I wish to see Alice in Wonderland Alice Movie Streaming Service 23

24 Alice wants to watch a movie at Movie Streaming Service You need: - subscription - be older than 12 Alice Movie Streaming Service 24

25 Watching the movie with the traditional solution Using digital equivalent of paper world, e.g., with X.509 Certificates ok, here's - my eid - my subscription Alice Movie Streaming Service 25

26 Watching the movie with the traditional solution...with X.509 Certificates Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 26

27 Watching the movie with the traditional solution This is a privacy and security problem! - identity theft - discrimination - profiling, possibly in connection with other services Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 27

28 Authentication Traditional approach ID Management: make ID useful ID comes w/ authentication means % Alice has public and private key % Can use cryptographic identification protocols to authenticate as owner Transport of attributes % Certificate issued by one party, certificate contains attributes % Certificate is verified by other party w.r.t. Issuing party's public key (public verification key) Is really just paper world made electronic! 28

29 Authentication Offline Solution credential / certificate $ signed list of attribute-value pairs Name = Alice Doe Birth date = 1997/01/26 Public key = 98a9d8ac signed by the issuer 29

30 Authentication Offline Solution With traditional PKI, e.g., X.509 v3 certificates Privacy: Privacy: -- have have to to disclose disclose all all attributes attributes in in certificate certificate t s eunique -- public identifier u public key keyras as unique identifier q e,, r 1. c ial t n ede 2. 6 e Do /01/2 e c 3 i l 7 = A = 19 e e namh dat t r i b = pk Security: Security: -- verifier's verifier's collection collection of of attributes attributes -- target target for for identity identity thieves thieves 3. access request 4. over 18? name = Alice Doe, birth date = 1973/01/26, pk =

31 Authentication Offline Solution With traditional PKI, e.g., X.509 v3 certificates Using a certificate again name = Alice Doe, birth date = 1997/01/26, pk = name = Alice Doe, birth date = 1997/01/26, Pk = linkable linkable when when used used multiple multiple times times -- certificate certificate links links -- public public key key links links 31

32 Watching the movie with the traditional solution With OpenID (similar protocols), e.g., log-in with Facebook Alice Movie Streaming Service 32

33 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Alice Movie Streaming Service 33

34 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Aha, you are - Alice@facebook.com Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 34

35 Authentication Online Solution e.g., SAML, WS-Federation, OpenID, Facebook Connect Privacy: Privacy: issuer issuer knows knows who who visits visits which which website website at at which which time time? by (often (often from from own own records, records,rifif18not not by correlating correlating logs logs with with website) website) ve o. 3 tio a c i ent h t u 4. a 18 r e ov 5. n Security: Security: issuance issuance key key online online 24/7 24/7 1. access request 2. over 18? 6. over 18 35

36 Private Credentials (aka Anonymous Credentials aka Privacy-ABCs) best of both worlds Privacy: unlinkable transactions minimal information disclosure Security: offline issuer Examples include IBM Identity Mixer and Microsoft U-Prove 36

37 Privacy-protecting authentication with Privacy ABCs Users' Keys: % One secret Identity (secret key) % Many Public Pseudonyms (public keys) Concept: - Key binding - Pseudonyms (and domain pseudonyms) use a different identity for each communication partner or even transaction 37

38 Pseudonym Two kinds of pseudonyms $ Regular $ Scope exclusive (also called domain pseudonym) Specification of pseudonym very generic, still: $ Scope: String $ Exclusive: Boolean $ PseudonymValue: AnyValue For regular pseudonym, scope is non-binding description <abc:pseudonym Scope= xs:string? Exclusive= xs:boolean?> <abc:pseudonymvalue>...</abc:pseudonymvalue> </abc:pseudonym> 38

39 Privacy-protecting authentication with Privacy ABCs Certified attributes from Identity provider % Issuing a credential Name = Alice Doe Birth date = April 3, 1997 Concept: - Credentials 39

40 Credential Credential Specification Specification ID: URN NumberOfAttributes: INT List of Attributes, each consisting of: Type: URN first name DataType: URN string Encoding: URN sha256 KeyBinding true Revocation false Credentials is essentially the same extended with: Each attribute consists additionally Value: DataType Crypto Value: 40 AnyValue (according to alg.; digital signature)

41 Example of Credential Specification 41

42 Privacy-protecting authentication with Privacy ABCs Certified attributes from purchasing department % Issuing a credential 42

43 Privacy-protecting authentication with Privacy ABCs Concept: - Presentation policy I wish to see Alice in Wonderland You need: - subscription - be older than 12 43

44 Presentation policy Presentation policy: which attributes certified by whom a verifier requires to grant access % Credential Alias = String Driver's License Possible Credentials: {Credential Spec} Possible Issuers: {IssuerParameters} {Disclosed Attributes: AttributeType} Possible Inspectors: {InspectorPublicKey} Inspection Grounds SameKeyBindingAs: String % AttributePredicate Function: definedfunctions Attribute: CredentialAlias, AttributeType ConstantValue: AnyValue %44 Message: String Credential Alias DateGreaterThan

45 Presentation policy reveal civic number from school credential User Verifier presentation policy presentation token 45

46 Privacy-protecting authentication with Privacy ABCs Proving identity claims % but does not send credentials % only minimal disclosure - valid subscription - eid with age 12 Concept: - Presentation token 46

47 Privacy-protecting authentication with Privacy ABCs Proving identity claims % but does not send credential % only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 - have a subscription Transaction is not linkable to any other of Alice's transactions! 47

48 Proving Identity Claims: Minimal Disclosure 48 Alice Doe Age: 12+ Hauptstr 7, Zurich CH single Exp. Valid ve r ID ified ve r ID ified Alice Doe Dec 12, 1998 Hauptstr. 7, Zurich CH single Exp. Aug 4, 2018

49 Key Binding & Credentials % All (key bound) credentials are bound to same secret key % For presentation, different credentials can be combined, correct combination is assured by key binding 49

50 All transaction are unlinkeable by default! Presentation tokens and pseudonyms are unlinkable! 50

51 Recall Concepts and Terms (Issuer parameter) Credential specification Pseudonym Credential 12 < age? Presentation token Presentation policy (Verifier parameter) 51

52 Summary of Properties % Protection of user's privacy unlinkability (multi-use) using/combining multiple credentials selective disclosure predicated over attributes % Strong authentication unforgeability of presentation tokens Wrong statements Possession of credentials not owned Combination of credentials from different users 52

53 Private credentials vs. classical ones each issuer has public key of signature scheme each user has a single secret key but many public keys certificate = signature on user's secret key + attributes each user has a single public key certificate = signature on user's public key + attributes attributes might be hidden from issuer prove knowledge of certificate reveal certificate - prove that different certificates contain same secret key - selectively reveal attributes 53

54 Try Identity Mixer for yourself Try yourself: Build your app: Source code: Info: 54 idemixdemo.mybluemix.net github.com/ibm-bluemix/idemix-issuer-verifier github.com/github.com/p2abcengine/p2abcengine ibm.biz/identity_mixer

55 User Verifier: architectural view [abc4trust.eu] Available on github.com/p2abcengine & abc4trust.eu/idemix 55

56 IBM's Privacy ABCs: Identity Mixer % Scientific foundation laid 15 years ago, well studied & award winning % Successful real-world pilots in series of EU projects % You can have identity mixer, too! Open-source implementation: Idemix-as-a-Service on IBM Bluemix Web-based demo to try for everyone Coming soon: Idemix on mobile 56 May 4, Infosecurity Denmark

57 There is more Here's just a few examples 57

58 Concept: Inspection Inspector parameters TTP Inspection grounds If car is broken: ID with insurance needs be retrieved Can verifiably encrypt any certified attribute (optional) TTP is off-line & can be distributed to lessen trust 58

59 Concept: Revocation Revocation authority parameters Revocation info If Alice was speeding, license needs to be revoked! There are many different use cases and many solutions Variants of CRL work (using crypto to maintain anonymity) Accumulators Signing entries & Proof,... Limited validity certs need to be updated... For proving age, a revoked driver's license still works 59

60 Concept: Key-Binding & Usage Control World of Warcraft Limits of anonymity possible (optional): If Alice and Eve are on-line together they are caught! Use Limitation anonymous until: If Alice used certs > 100 times total or > 10'000 times with Bob Alice's cert can be bound to hardware token (e.g., TPM) 60

61 Some Use Cases

62 Age verification Proving 12+, 18+, 21+ without disclosing the exact date of birth privacy and compliance with age-related legislation % Movie streaming services % Gaming industry % Online gambling platforms % Dating websites % Social benefits for young/old people 62

63 Use Case: Anonymous Authentication Use certificate anonymously 63

64 Use Case: Anonymous Authentication Use certificate anonymously Server shall be unable to tell whether or not it is the same user??? 64

65 Use Case: Anonymous Access to a Database DNA Database Simple case: DB learns not who accesses DB Better: Oblivious Access to Database (OT with AC) Server must not learn who accesses which record Still, Alice can access only records she is authorized for 65

66 Subscriptions, membership Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.) % Patent databases % DNA databases % News/Journals/Magazines % Transportation: tickets, toll roads % Loyalty programs??? 66

67 Healthcare Use Case Anonymous consultations with specialists online chat with at physician / online consultation with IBM Watson to check eligibility Alice gets a health insurance credential Insurance 1. Alice proves she has insurance 2. Alice describes symptoms 3. Alice gets credential that she is allowed to get treatment Health portal 4. Alice gets treatment from physician, hospital, etc 67 Insurance 5. Alice sends bill to insurance and proves that she had gotten the necessary permission for the treatment.

68 Payment Use Case withdrawal bank deposits money payment merchant % Credential = Bank note % Double spending need to be prevented/detected On-line or Off-line modi possible % Money laundering can also be taken care of 68

69 Securing Credit Card Payments The credit card data is never revealed to the merchant, only to the credit card provider % % % % % Bank issues a classic credit card User registers at a special portal to obtain the Identity Mixer credential User derives a token allowing that store to withdraw the money Users cannot be linked across purchases/shops Stored credit card info useless to hackers! Expiration 08/2015 Transfer $862 to expedia.com Expiration 08/2015 Allow amazon.com up to $300/week Number Expiration 08/2015 Expiration 08/2015 Allow amazon.com up to $300/week Purchase of $15.50 clearing house 69 Expiration 08/2015 Transfer $862 to expedia.com Purchase of $862

70 Polls, recommendation platforms Providing anonymous, but at the same time legitimate feedback % Online polls applying different restrictions on the poll participants: location, citizenship % Rating and feedback platforms anonymous feedback for a course only from the students who attended it wikis recommendation platforms 70

71 Use Case Polling: Scenario and Requirements Scenario: % Pollster(s) and a number of users % Only registered user (e.g., students who took a course) can voice opinion (e.g., course evaluation) % User can voice opinion only once (subsequent attempts are dropped) % Users want to be anonymous % In different polls user must not linkable 71

72 Use Case Polling Solution: Registration % User generates pseudonym (ID for registration) % User obtains credential on pseudonym stating that she is eligible for polls % Credential can contain attributes (e.g., course ID) about her 72

73 Use Case Polling Solution: Submit Poll 1. User generates domain pseudonym, domain = pollid 2. User transforms credential 3. Transformed credential with a subset of the attributes User is anonymous and unlinkable Multiple opinions are detected because uniqueness of domain pseudonym 73

74 Implementation of concepts 74

75 Cryptographic Realization of Private Credentials Efficient realization requires special algorithms % Commitment scheme for pseudonyms One secret key, many public keys % Signature scheme for credentials Normal signature schemes would be inefficient Needs to allow for Signing attributes separately Efficient transformation into presentation token % Zero-knowledge proofs of knowledge for inspection Needs to be compatible with signature and commitment scheme % Verifiable encryption scheme for inspection Needs to be compatible with other schemes % Certificate revocation lists won't work special schemes 75

76 Excursus: Number Theory A set G with operation is called a group if: closure for all a,b, in G a b in G associativity for all a,b,c, in G (a b) c = a (b c) identity there exist some e in G, s.t. for all a: a e = a invertibility for all a in G, there exist a-1 in G: a a-1 = e Most used in cryptography: multiplication of integers mod p (with p prime) 76

77 Excursus: Number Theory Discrete Logarithm exponentiation = repeated application of, e.g., a3 = a a a given g, x it is easy to compute gx, g1/x,... given gx,gy it is easy to compute gx gy = gx+y Discrete Log Assumption given gx it is hard to compute x Diffie-Hellman Assumption given gx and gy it is hard to compute gxy Decisional Diffie-Hellman Assumption given gx, gy, and gz it is hard to decide if gz = gxy 77

78 zero-knowledge proofs 78

79 Zero-Knowledge Proofs % interactive proof between a prover and a verifier about the prover's knowledge Commitment Challenge Response % properties: zero-knowledge verifier learns nothing about the prover's secret proof of knowledge (soundness) prover can convince verifier only if she knows the secret completeness if prover knows the secret she can always convince the verifier 79

80 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Given group <g> and element y Є <g>. Prover wants to convince verifier that she knows x s.t. y = gx such that verifier only learns y and g. x Prover: random r t := gr t c s := r - cx y, g Verifier: s random c t = gs yc? notation: PK{(α): y = gα } 80

81 From Protocols To Signatures Signature SPK{(α): y = gα }(m): Signing a message m: - chose random r Є Zq and - compute - output c := H(gr m) = H(t m) s := r - cx mod (q) (c,s) Verifying a signature (c,s) on a message m: - check c = H(gs yc m)? t = gs yc? Security: - underlying protocol is zero-knowledge proof of knowledge - hash function H(.) behaves as a random oracle. 81

82 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): PK{(α): y = gα }(m) Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = g α z=g β β α u=g h } PK{(α,β): y = gα z = gβ } Intervals and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } 82

83 commitment scheme 83

84 Commitment Scheme: Functionality m m m, ? mє m

85 Commitment Scheme: Security Binding m, m', ? m є m? m' є m

86 Commitment Scheme: Security Binding m, m', ? m є m? m' є m

87 Commitment Scheme: Security Hiding: for all message m, m' m m' 87 m m'

88 Commitment Scheme: Security Hiding: for all message m, m' m m' 88 m m'? m m' m m'

89 Commitment Schemes Group G = <g> = <h> of order q To commit to element x Є Zq: Pedersen: perfectly hiding, computationally binding choose r Є Zq and compute c = gxhr ElGamal: computationally hiding, perfectly binding: choose r Є Zq and compute c = (gxhr, gr) To open commitment: reveal x and r to verifier verifier checks if c = gxhr 89

90 Commitment Scheme: Extended Features Proof of Knowledge of Contents m Proof m true Proof of Relations among Contents m, m' Proof m = 2 m' 90 m m' true

91 Commitment Scheme: Extended Features Let C1 = gmhr and C' = gm'hr then: m Proof m true PK{(α,β): C = gβhα } m, m' Proof m = 2 m' PK{(α,β,γ): 91 m m' true C' = gβhα C = (g2)βhγ }

92 signature schemes 92

93 Signature Scheme: Functionality Key Generation 93

94 Signature Scheme: Functionality Signing (m1,..., mk) σ = sig((m1,..., mk), ) 94

95 Signature Scheme: Functionality Verification (m1,..., mk) σ σ = sig((m1,..., mk), ) ver(σ,(m1,..., mk), ) = true 95

96 Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 96 σ1

97 Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 ml 97 σ1 σl

98 Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 ml σ1 σl σ' and m' mi s.t. ver(σ', m', 98 ) = true

99 Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 ml σ1 σl σ' and m' mi s.t. ver(σ', m', 99 ) = true

100 signature schemes with protocols 100

101 Signature Scheme: Signing Hidden Messages ( m1 m,..., m m,jmj+1,..., mk) σ ver(σ,(m1,..., mk), ) = true σ = sig((( m1 mj, mj+1,..., mk), ) m,..., m Verification remains unchanged! Security requirements basically the same, but Signer should not learn any information about m1,..., mj Forgery w.r.t. message clear parts and opening of commitments 101

102 Proving Possession of a Signature σ on (m1,..., mk) 102

103 Proving Possession of a Signature σ on (m1,..., mk) {mi i є S} 103

104 Proving Possession of a Signature σ on (m1,..., mk) {mi i є S} σ, {mi i є/ S} {mi i є S}, Proof protocol true Variation: Send also mi to verifier and Prove that committed messages are signed Prove properties about hidden/committed m i 104

105 Blind Signatures vs Signatures with Protocols can be used multiple times 105 can be used only once Damgaard,Camenisch&Lysyanskaya Chaum, Brands, et al. Strong RSA, DL-ECC,.. Discrete Logs, RSA,..

106 Some signature schemes 106

107 RSA Signature Scheme For Reference Rivest, Shamir, and Adlemann 1978 Secret Key: two random primes p and q Public Key: n := pq, prime e, and collision-free hash function H: {0,1}* -> {0,1}ℓ Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1) s := H(m) d mod n Verification of signature s on a message m Є {0,1}* se = H(m) Correctness: se = (H(m)d)e = H(m)d e = H(m) 107 (mod n) (mod n)

108 RSA Signature Scheme for reference Verification signature on a message m Є {0,1}* e s := H(m) (mod n) Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) } But this is not a valid proof expression!!!! :-( 108

109 CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n k signature is (c,e,s)

110 CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a m a mk k bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 110

111 Sign blindly with CL signatures ( m1 m,..., m m,jmj+1,..., mk) σ σ = sig((( m1 mj, mj+1,..., mk), ) m,..., m C=a m1 a 1 m2 2 bs m2 m1 C + PK{(m1,m2,s ): C = a1 a2 s b } Choose e,s (c,e,s ) e d= c a 111 m1 1 a 2 m2 a m3 3 b s +s c = (d/(c a m3 3 bs ))1/e mod n mod n

112 Proving Knowledge of a CL-signature d = ce a1m1a2m2 bs mod n Recall: Observe: % Let c' = c btmod n with randomly chosen t % Then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1 % provide c' % PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } proves d := c'ε a1µ1 a2m2b σ 112

113 Solving a Use-Case: Polling 113

114 Polling: Scenario and Requirements Scenario: % Pollster(s) and a number of users % Only registered user (e.g., students who took a course) can voice opinion (e.g., course evaluation) % User can voice opinion only once (subsequent attempts are dropped) % Users want to be anonymous % A user's opinion in different polls not linkable 114

115 Polling Solution: Registration (n,a1,a2,b,d) % User generates pseudonym (ID for registration) % User obtains credential on pseudonym stating that she is eligible for polls, i.e., (c,e,s) d = ce a sk 1 a 2 name bs (mod n) % Credential can contain attributes (e.g., course ID) about her 115

116 Polling Solution: Submit Poll 1. User generates domain pseudonym, domain = pollid 2. User transforms credential 3. Transformed credential with a subset of the attributes % User is anonymous and unlinkable % Multiple casts are detected because uniqueness of domain pseudonym 116

117 Polling Solution: Polling 1. Domain pseudonym: P = gdsk = H(pollID)sk Ensures privacy: P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble (under the Decisional Diffie-Hellman assumption) 2. User transforms credential: c' = c bs'mod n with randomly chosen s' SPK{(ε, µ1, µ2,σ) : P = gdµ1 d := c'ε a1µ1 a2µ2b σ (mod n) µ1, µ2 Є {0,1}ℓ ε > 2ℓ+1 }(opinion) 117

118 Realizing On-Line ecash 118

119 ecash scenario & requirements Bank Withdrawal Deposit User Spend Merchant Requirements Anonymity: Withdrawal and Deposit must be unlinkable No Double Spending: Coin is bit-strings, can be spend twice 119

120 Towards a Solution: do it like paper money Bank Withdrawal 100 User Deposit Spend Merchant % Sign notes with digital signature scheme Note = (serial number #, value) Secure because signature scheme can not be forged bank will accepts some serial number only once on-line e-cash Not anonymous because (cf. paper solution) bit-string of signature is unique serial number is unique 120

121 Towards a Solution Bank Withdrawal User Deposit Spend Merchant % Use (more) cryptography Hide serial number from bank when issuing e.g., sign commitment of serial number Reveal serial number and proof knowledge of signature on commitment to serial number Anonymous because of commitments scheme and zero-knowledge proof 121

122 E-Cash 122

123 Recall basic idea Bank Withdrawal User Deposit Spend Merchant % Issue coin: Hide serial number from bank when issuing sign commitment of random serial number % Spend coin: reveal serial number and proof knowledge of signature on commitment to serial number 123

124 On-line E-cash: Withdrawal Choose e,s c = (d/(c bs ))1/e mod n choose random #, s' and compute C=a 1 # bs' p + C of o r ) s, e (c, (c,e,s +s') s.t. d = ce a # bs + s' (mod n)

125 On-line E-cash: Payment (c,e,s +s') s.t. e d= c a 1 # b s + s' (mod n) compute s' c' = c b mod n #, c', pro of proof = PK{(ε, µ, ρ, σ) : 125 d/a # 1 = c'ε b σ (mod n) }

126 On-line E-cash: Payment (c,e,s +s') s.t. 1 # b s + s' (mod n) compute s' c' = c b mod n #, c', pro of proof = PK{(ε, µ, ρ, σ) : 126 d/a # 1 #, c', proof e d= c a # Є L? OK/ not OK = c'ε b σ (mod n) }

127 Security % Anonymity Bank does not learn # during withdrawal Bank & Shop do not learn c, e when spending (c ) s,,e #, c', pro of 127 #, c', proof C of o r p + # Є L? OK/ not OK

128 Security Double Spending: % Spending = Compute c' = c bs'mod n proof = PK{(ε, µ, ρ, σ) : d/a # 1 = c'ε b σ (mod n) } % Can use the same # only once... If more #'s are presented than withdrawals: Proofs would not sound Signature scheme would not secure 128

129 Realizing Off-Line ecash 129

130 Recall On-Line E-Cash On-Line Solution: 1. Coin = random serial # (chosen by user) signed by Bank 2. Banks signs blindly 3. Spending by sending # and prove knowledge of signature to Merchant 4. Merchant checks validy w/ Bank Bank accepts each serial # only once Off-Line: - Can check serial # only after the fact - but at that point user will have been disappeared

131 Towards off-line signatures Goal: spending coin once: OK spending coin twice: anonymity is revoked kabl n i L t No 100 No t Lin ka b Link abl e 100 e le 100 Seems like a paradox, but crypto is all about solving paradoxical problems :-) 131

132 Off-line E-cash Main Idea: Include #, id, r in credential (#, r hidden from bank/issuer) Upon spending: reveal # and t = id + r u, with u randomly chosen by merchant t won't reveal anything about id! However, given two (or more) equations (for the same #, id, r) t1 = id + r u1 t2 = id + r u2 one can solve for id. 132

133 Off-line E-cash: Withdrawal choose random #, r, s' and compute C=a 1 # a 2 r bs' C of o r +p d = ce C a 3 nym bs mod n ) s, e (c, (c,e,s +s') s.t. d = ce a # a r 2 a nym 3 bs + s' (mod n)

134 Off-line E-cash: Payment Let G=<g> be a group of order q (c,e,s +s') s.t. e d= c a 1 # a r 2 a nym 3 s + s' b t, # compute t = r + u nym mod q c' = c bs'mod n proof = PK{(ε, µ, ρ, σ) : d/a 134 u, c', pr oo f = c'ε a ρa µ b σ (mod n) # 1 (mod n) 2 3 choose random u gt = gρ (gu)µ }

135 Off-line E-cash: Payment PK{(ε, µ, ρ, σ) : d/a 1. d = c'ε a 1 # 1 = c'ε a ρa µ b σ (mod n) gt = gρ (gu)µ } # 2 3 a ρa µ b σ (mod n) 2 => (c', ε, σ) 3 is a signature on (#, µ, ρ) 2. gt = gρ+uµ => t = ρ + u µ mod q, i.e., t was computed correctly! 135

136 Off-line E-cash: Deposit # Є L? If so: 1. t = ρ + u µ (mod q) 2. t' = ρ + u' µ (mod q) solve for ρ and µ. => µ = nym because of proof u, t, #, proof 136

137 Off-line E-cash: Security % Unforgeable: no more coins than #'s, otherwise one can forge signatures or proofs are not sound if coins with same # appears with different u's => reveals nym % Anonymity: # and r are hidden from signer upon withdrawal t does not reveal anything about nym (is blinded by r) proof proof does not reveal anything 137

138 Extensions and more e-cash % K-spendable cash Multiple serial numbers and randomizers per coin Use PRF to generate serial number and randomizers from seed in coin % Money laundering preventions Must not spend more that $10000 dollars with same party Essentially use additional coin defined per merchant that controls this Other protocols from these building blocks, essentially anything with authentication and privacy % Anonymous credentials, evoting,... Alternative building blocks % A number of signatures scheme that fit the same bill % (Verifiable) encryption schemes that work along as well % Alternative framework: Groth-Sahai proofs plus structure-preserving schemes 138

139 Conclusion 139

140 Conclusions % Roadmap Explain possibilities to engineers, policy makers etc Usable prototypes Public infrastructure for privacy protection Laws with teeth (encourage investment in privacy) % Challenges Internet services get paid with personal data (inverse incentive) End users are not able to handle their data (user interfaces..) Security technology typically invisible and hard to sell Solutions seems easier without privacy and security % Towards a secure information society Society changes quickly and gets shaped by technology Consequences are hard to grasp (time will show...) We must inform and engage in a dialog 140

141 Thank you! % jca@zurich.ibm.com % Links: github.com/p2abcengine & abc4trust.eu/idemix 141

142 References % D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT 87, vol. 304 of LNCS, pp Springer-Verlag, % S. Brands. Rapid demonstration of linear relations connected by boolean operators.in EUROCRYPT 97, vol of LNCS, pp Springer Verlag, % Mihir Bellare: Computational Number Theory % Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag. % Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag. % Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key Exchange. CRYPTO 2010: % Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009: % Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag. % M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages , Springer-Verlag, % E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols % Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology CRYPTO '93. Springer Verlag,

143 References % J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. % David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24 No. 2, pp , % David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology Proceedings of CRYPTO '82, % David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in Communications of the ACM, Vol. 28 No. 10, % Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: % Victor Shoup: A computational introduction to Number Theory and Algebra. Available from: % D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM. % D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, % J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology CRYPTO % T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology CRYPTO '

144 Zero Knowledge Proofs: Security Proof of Knowledge Property: If prover is successful with non-negl. probability, then she knows x = log g y, i.e., ones can extract x from her. Assume c {0,1}k and consider execution tree: c=0 x c = 2k-1 x.... x x If success probability for any prover (including malicious ones) is >2 -k then there are two accepting tuples (t,c1,s1) and (t,c2,s2) for the same t. 144

145 Zero Knowledge Proofs: Security Prover might do protocol computation in any way it wants & we cannot analyse code. Thought experiment: % Assume we have prover as a black box we can reset and rerun prover % Need to show how secret can be extracted via protocol interface t x t c x s t = gs yc = gs' yc' s' yc'-c = gs-s' y = g(s-s')/(c'-c) 145 c' x = (s-s')/(c'-c) mod q

146 Zero Knowledge Proofs: Security Zero-knowledge property: If verifier does not learn anything (except the fact that Alice knows x = log g y ) Idea: One can simulate whatever Bob sees. Choose random c', s' compute t := g s' c' y t c if c = c' send s' = s, otherwise restart s Problem: if domain of c too large, success probability becomes too small 146

147 Zero Knowledge Proofs: Security One way to modify protocol to get large domain c: x y, g Prover: Verifier: random r random c,v h := H(c,v) t := gr h := H(c,v)? s := r - cx h t c,v s t = gs yc? notation: PK{(α): y = gα } 147

148 Zero Knowledge Proofs: Security One way to modify protocol to get large domain c: Choose random c', s' compute t' := gs' yc' after having received c reboot verifier Choose random s compute t := gs yc send s h t' c,v h t c,v s 148

149 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,β1,α2,β2, α3, β3): C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = gα1gα2hβ3 } mean? Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1, C2= gα2hβ2 and C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3 α3 = a1 + a2 (mod q) And what about: PK{(α1,...,β3): C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3 α3 = a1 + 5 a2 149 C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = gα1 (g5)α2hβ3 } (mod q)

150 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = C2α1hβ3 } mean? PK{(α1,..,β3): Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1, C2= gα2hβ2 and C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2 α1hβ3+β2 α1 C3 = gα2 α1 hβ3+β2 α1 = gα3 hβ3' a3 = a1 a2 (mod q) And what about PK{(α1,β1 β2): 150 C1= gα1hβ1 C2= gα2hβ2 C2 = C1α1hβ2 } a2 = a12 (mod q)

151 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,..,β2): C1= gα1hβ1 C2= gα2hβ2 g = (C2/C1)α1hβ2 } mean? Prover knows values α, β1, β2 such that C1= gα1hβ1 g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2 g1/α1 = C2 g-α1h-β1 hβ2/α1 C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1 C2 = gα2 hβ2 α2 = α1 + a1-1 (mod q) 151

152 Pedersen's Commitment Scheme Pedersen's Scheme: Choose r Є Zq and compute c = gxhr Perfectly hiding: Let c be a commitment and u= logg h Thus c = gxhr = gx+ur = g(x+ur')+u(r-r') = gx+ur'hr-r' for any r'! I.e., given c and x' here exist r' such that c = gx'hr' Computationally binding: Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q 152