Technologies to Protect eprivacy

Transcription

1 Technologies to Protect eprivacy Lecture 1 Introduction Jan Camenisch IBM Research

2 We leave etraces, lots of etraces!

3 and are observed by lots of sensors

4 Information leaked, some examples! Network layer MAC address, physical characteristics IP address, location,...! OS & Applications Browser (fonts, plugins, time zone, screen size, color depth) Infrastructure services (instant messaging, downloading, ) Cloud storage, syncing of devices! Usage Web searches (Google, bing,...) Shopping history Friends networks (Facebook, Linked-in) egovernment 4

5 Why are these information collected?! To offer (better) services Shipping address Not having to enter information each time! To prevent attacks... DoS Wikipedia edits! To make money Advertisements (loads of money) Better service to customer Tailored products Price discrimination! Homeland security, police,! Criminals :-( 5 (source: wikipedia) 2014 IBM Corporation

6 Some opinions...! You have zero privacy anyway get over it. Scott McNealy, CEO Sun Microsystems, January 1999! If you have something that you don t want anyone to know, maybe you shouldn t be doing it in the first place. Eric Schmidt, CEO Google, December 2009! People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time. Marc Zuckerman, CEO Facebook, January

7 You have no privacy, get over it...?!?! Huge security problem! Millions of hacked passwords (100'000 followers $ ) Lost credit card numbers ($5-2013) Stolen identities ($ , $ , $5 2013) Lots of not reported issues (industrial espionage, etc)! Difficult to put figures down Credit card fraud Spam & marketing Manipulating stock ratings, etc..! We know secret services can do it easily, but they are not the only ones this is not about homeland security and there are limits to the degree of protection that one can achieve! end we have not event discussed social issues such as democracy etc! last but not least: data are the new money, so need to be protected Privacy by Design 7

8 Need to protect our data!! devices, sensors, etc cannot all be physically protected authentication of all devices authentication of all data...makes it even worse :-(! data cannot be controlled 8 minimize information encrypt information attach usage policies to each bit

9 So what can we do! Legal approach Regulate what information can be collected How to collect it How to use and protect it Issue fines for misbehavior Very different for different countries and cultures! Technological approach Protect data by encryption Govern data by policies Minimize data that needs to be used

10 A Closer Look at Data Collection

11 More data is collected! Collect more Expand an existing person-specific data collection.! Collect specifically Replace an existing aggregate data collection with a person-specific one.! Collect if you can Data collection per encounter for Illinois (bytes) Examples (based field size) Hospital visit Grocery visit Birth L. Sweeney. Information Explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies

12 Identifiability in the Internet! Every device connected to the Internet gets an Internet Protocol (IP) address assigned by the Internet Service Provider (ISP).! As long as the device stays connected, the IP address is a unique device identifier within the Internet.! Connection data may/must be logged for various reasons (e.g., billing purposes, advertisement, law enforcement, etc.)! Connection data/time/duration & contacted server IP address! In case of criminal offense, police may ask ISP for log files! ISP has customer s postal address (and bank data) for billing! Service providers (SP) may also log activities of their users! Linking data of SP and ISP reveals user s activities on the Web! MAC (media access control) addresses are unique identifiers per network interface (Ethernet, Bluetooth, Wifi, ) IETF considers random MACs! Hardware is unique and can be traced, even through hops..

13 We leak data e.g., browsers Property (bits of identifying info)! User Agent (13.76 bits)! HTTP ACCEPT Headers (3.8 bits)! Browser Plugin Details (19.56 bits)! Time Zone (2.58 bits)! Screen Size and Color Depth (4.98 bits)! System Fonts (19.56 bits)! Are Cookies Enabled? (1.95 bits)! Limited supercookie test (3.28 bits) Your browser fingerprint appears to be unique among the 3,872,607 tested so far

14 Disk Storage per Person (DSP) A rough measure of the growth in personal data [Sweeney 2001]: DSP = hard disk storage sold world population 28 MB in 1996 (Sweeney) 472 MB in 2000 (Edelstein, 2003) 5,200 GB in 2020 (IDC, 2012) Remarks Figures consider only non-removable media, and new devices sold Of course, other things that PII are stored From 2012 until 2020, the digital universe will about double every two years [Gantz and Reinsel, 2012]

15 Big Data A new generation of technologies and architectures, designed to economically extract value from very large volumes of a wide variety of data by enabling highvelocity capture, discovery, and/or analysis. Also: many organizations (government and private) make data publicly available Source: privacy that was previously protected only by the fact that data gathering was difficult can now be trivially violated. Samuel Weber, National Science Foundation (2012) Example: How To Break Anonymity of the Netflix Prize Dataset: Arvind Narayanan, Vitaly Shmatikov

16 Radical Change in Advertising , Web, social networks and mobile devices join in the conventional marketing channels (print media and TV / cinema, outdoor advertising, telemarketing, direct mail).! Benefits of digital media for the advertising industry Reaction of the target consumers is directly measurable in number of page views, click-through rate or conversion rate Scattering losses can be much better minimized Pay-per-click better validation of campaigns effectiveness! Advertising inserts according to time of day, weather, region, behavior audience-targeted advertisement Facts:

17 Ad Networks Source:

18 Summary! Networks, Devices, Apps are built to leak much more data than necessary! It has become very profitable to mine data for money! Big data mining money from all possible data has just started

19 Is this all legal?

20 Laws and regulations History! Notion of privacy has changes throughout history Curtains, shades, etc! Code of fair information practices (1973) Notice/Awareness Choice/Consent Access/Participation Integrity/Security Enforcement/Redress! Many laws follow the same principles US Privacy Act 1974 OECD Guidelines 1980 EU data protection directive 1995! But: Often only own citizens are protected! See, e.g., US laws! Laws are always lagging behind technology, often difficult to capture

21 OECD Privacy Principles! Collection Limitation There should be limits to the collection of personal data and any such data obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject.! Data Quality Personal data should be relevant to the purposes for which they are to be used, and, to the extend necessary for those purposes, should be accurate, complete and kept up-to-date.! Purpose Specification The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes.

22 OECD Privacy Principles! Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified under the preceding purpose specification principle except with the consent of the data subject, or by the authority of law.! Security Safeguards Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure.! Accountability A data controller should be accountable for complying with measures that give effect to the principles stated above.

23 OECD Privacy Principles! Openness There should be a general policy of openness about developments, practices and policies with respect to personal data.! Individual Participation An individual should have the right: to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; to have communicated to him, data relating to him within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and Individual Participation in a form that is readily intelligible to him; to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

24 Laws Throughout the World Privacy laws & regulations vary widely throughout the world! European Data Protection Directive privacy = fundamental human right requires all European Union countries to adopt similar comprehensive privacy laws revision in process (higher fines are foreseen)! US sets on self-regulation, some sector-specific laws, with relatively minimal protections Constitutional law governs the rights of individuals wrt the government Tort (Schadenersatz) law governs disputes between private individuals or other private persons Federal Trade Commission (FTC) deals with consumer protection HIPAA (Health Insurance Portability and Accountability Act, 1996) COPPA (Children s Online Privacy Protection Act, 1998) GLB (Gramm-Leach-Bliley-Act, 1999) over 7,000 State Legislations & Enforcement activity/class Actions! Australia: Privacy Act 1988, Amendment 2012 Notify users about collection; Notice if data are sent overseas, stronger access rights In most countries, fines are minimal. More information

25 The Worst Data Breaches of breaches during 2011 that involve 30.4 million sensitive records (2013: 601 breaches recorded, involving 55 million records)! Sony after over a dozen data breaches Sony faces class action lawsuits over its failure to protect over 100 million user records.! Epsilon 60 million customer s addresses! Sutter Physicians Services stolen desktop contained 3.3 million patients medical details including name, address, phone number, address & health insurance plan.! Tricare and SAIC backup tapes were stolen from the car of a Tricare employee; led to a $4.9 billion lawsuit being filed. Privacy Rights Clearinghouse (PRC) ( And the trend continues :-( Importance of strict privacy & security policies (incl. data retention) Avoid breaches simply by properly encrypting sensitive data or, better, using privacy enhancing technologies...

26 What can be do?... privacy by design!

27 of course there are limits...! tracing is so easy each piece of hardware is quite unique log files everywhere!. but that's not the point! it's not about NSA et al. active vs. passive adversaries... still, privacy by design!

28 Our Vision In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.

29 PETs Can Help! Privacy, Identity, and Trust Mgmt Built-In Everywhere!! Network Layer Anonymity... in mobile phone networks... in the Future Internet as currently discussed... access points for ID cards! Identification Layer Access control & authorization! Application Layer Standard e-commerce Specific Apps, e.g., evoting, OT, PIR,... Web 2.0, e.g., Facebook, Twitter, Wikis,... 29

30 RFID Tags & Tracking

31 Hidden Tracking RFID tags Groceries, Clothes, Books Passports also wifi, bluetooth, Problems Covert reading by radio Unique Identity Attacks Tracking and targeting, e.g., London: the bins are watching you Blacklisting, e.g., books Smart Bomb, Smart Robbing (cash) 31

32 RFID tags basics! RFID (Radio frequency id): read the identity of a tag by radio many different methods to communicate with the reader e.g., tree walking when many tags are present! Tag passive, energy from field, sending by field modulation chip (low number of gates & power), antenna, packaging Successor of barcodes: wireless significant improvements no-line of sight, can store (and process ) information multiple tags can be read concurrently 32

33 Use Cases! Tracking and tracing luggage, products, live stock supply chain mgmt inventory control sports timing! counterfeit detection drugs, mechanical parts, etc! access control buildings EZ pass, ticketing credit cards passports & identity cards 33

34 Characteristics Source: Gildas Avoine, Privacy Challenges in RFID, 2011 properties define life time, kind of data that can be stored and processed 34

35 Tag characteristics! supply chain 35! access control

36 Potential Privacy Issues! Unique id for all objects (worldwide)! RFID tags carry sensitive information! User might not be aware of the tags they carry medication, cloths, credit cards, etc! Tag can be read from a distance largely depends on the signal strength of reader! Even if contents is secure, location tracking still possible! Massive data aggregation, tracking and profiling Library! Alter stored data 36

37 Privacy Implications Information obtainable from reading tags, e.g.,! Tag present human present! Determining origin of human E.g., id-cards, credit card, library, cloths, etc! pure tracking (single tag, combination of tags)! hot-listing categorizing users of certain products, books, etc 37

38 RFID Protection Mechanisms

39 Different Categories of Remedies! Destroying Tags Specific commands Physically! Prevent communication of tags with readers blocking implementation of access control schemes! Better protocols, use of crypto difficult due to very limited resources of tags lightweight crypto as a new research field symmetric crypto only key management issues

40 Destroying tags User space solutions! Faraday Cage! RFID Zapper destroy tag emits strong field frying tag Industry provided solutions! Kill Command, deactivates chip needs password protection all or nothing privacy protection potential for misuse vandalism re-enable covertly! Clipping tags consumer choice visual feedback on state maybe read later on close (mechanical?) contact 40

41 some simple protocols

42 Better Protocols and use of Crypto Restrictions! Powered only when in range of reader extremely limited time to perform computations pre-computation impossible when tag is out of range! Extremely few gates as few as 5'000 are left for extra tasks even symmetric crypto impossible (encryption, hash functions, PRF) maybe not even enough for cryptographic PNG some feedback shift-register generators work no cryptographic security only simple password comparison and XOR works! collision avoidance protocols require (separate) identifier must not use static identifier, but random not possible! any solution uses at best symmetric crypto, but will require (complex) password/key management 42

43 Goals! Authenticate Reader towards chip! Using only very simple primitives XOR, maybe hash function, maybe PRF/PRN! Attacker model eavesdropping communication (including replay attacks) opening tags cloning tags initiate own communication with tags tracking 43

44 Simple Authentication (Molnar/Wagner) Assumption:! Channel Reader Tag eavesdroppable, Tag Reader secure.! Shared key s with all tags (library scenario): BIG DRAWBACK (unrealistic) Goal: Authentication of Command, Maintain Privacy of tags Reader shared secret s Tag Hello p=r s r cmd, p chooses random r verify p Analysis: - security against passive eavesdropping on the reader-to-tag link - adversary cannot replay protocol messages - nonce cannot be used to distinguish different tags 44 - but requires a good source of randomness (open problem!)

45 Basic PRF Private Authentication Scheme Assumption: Channel completely eavesdroppable, but can do PRFs on tag Reader random r1 find s s.t. p1 ok p2 = fs(1,r1,r2) shared secret s (per tag) Hello, r1 r2, p1 cmd, p2 Tag chooses random r2 p1 = fs(0,r1,r2) verify p2 Analysis! no system wide secret, but secret per Tag! provides privacy for tags, secure against passive eavesdropper! linear work on reader (can you improve that?) Improved solution requires tags to share keys reduces privacy...! Note: fs(i,r1,r2) can be used to encrypt the i-th messages with XOR 45

46 Sublinear Protocols (Cheon-Hong-Tsudik) Idea:! choose two sets of keys K1 and K2 of size n=sqrt(n)! assign unique pair (k1,k2) to each tag Reader random r1 ui = fk1(i)(r1,r2), i = 1,..,n shared secret (k1,k2) Hello, r1 r2, p Tag chooses random r2 p = fk1(r1,r2) fk2(r1,r2) vj = p fk2(j)(r1,r2), j = 1,..,n find (i,j) s.t. ui = vj Analysis:! Less work for reader!! But privacy decreases if too many tags compromised (forward security and probability of other tags), also no forward privacy 46! Extension: add a third key for authentication (use above protocol for identification)

47 Conclusion RFID! RFID tags are spreading! Tracking of equipment tightly linked to tracking people (hidden!) same or similar issues also exist for other devices (wifi, bluetooth, NFC) but easer to mitigate at least in theory! Privacy poorly addressed, proposed protocols still lacking hopefully more powerful tags in the future key management for large-scale systems might prevent any privacy Excellent RFID literature collection: 47

48 Anonymous Communication

49 Anonymous Communication Today: Internet = Postcard, sometimes encrypted (SSL, S/MIME..) However, communication can be linked by IP addresses and messages! Sender and Receiver might still reveal content of message be dangerous to sender or receiver Defeat the purpose of application (e.g., voting...)

50 Anonymous Communication Approaches! Encrypt messages between router, but routers still learn addresses! Hide addresses from routers, how? Limitations! If there is only Alice and Bob and all channels can be observed No anonymity Assume adversary is limited Assume enough messages travel (caching strategies)

51 A simple and elegant solution

52 Dining Cryptographers: Inputs none 1 none

53 Dining Cryptographers: Flip Pairwise Coins Assume we have secure point-to-point channels 0 none 1 none

54 Dining Cryptographers: Flip Pairwise Coins 0 none none

55 Dining Cryptographers: Announce Results 1=0'1 0 none none

56 Dining Cryptographers: Announce Results 1=0'1 1=0'0'1 0 none none

57 Dining Cryptographers: Announce Results 1=0'1 1=0'0'1 0 none 1 1 1=0'1 0 none

58 Dining Cryptographers: Compute Sent Msg 1=0'1 1=0'0'1 0 none 1 1=1'1'1 1 1=0'1 0 none

59 Dining Cryptographers: Discussion Security:! Information theoretic anonymity!! Can easily add encryption (orthogonal) Limitations! Requires broadcast channel! Rather inefficient for the whole internet (everyone would have to participate) Hierarchical schemes have been proposed

60 Trusted Third Party solutions

61 Anonymous Communication Using a Proxy AS Anonymity Service All traffic routed by Anonymity Service (e.g., anonymizer.com, VPNs)! Proxy and encryption (e.g., SSL) Send Web-request via SSL to AS, AS gets and provides page Trust only AS not all the routers anymore AS learns sender & receiver and contents! Using encryption (e.g., SSL to Bob with VPN to AS), so essentially Alice sends c1 = EncAS(Bob,EncBob(m)) to AS AS decrypts c1 and forwards EncBob(m) to Bob. AS learns sender & receiver and is single point of failure

62 Mix Networks To Weaken Trust in AS Route over several Anonymity Services:! Alice selects route she likes! Alice sends to first router (A1) c1 = EncA1(A2,EncA2(A3,EncA3(Bob,EncBob(m))))! Each AS peels off layer and forwards.! Still, there needs to be more that one message at the same time Properties:! Need to trust only one to hide address! Again: if Bob does not use encryption, end server learns content NOTE: SECURITY AGAINST CHOSEN CIPHERTEXT NEEDED!!!

63 Mix Networks Variations Variations:! Free path (onion routing) vs fixed path (mixes)! Provable vs take what you get Dropping, inserting, replaying,! Fixed Batches vs Real-time mixing strategies

64 Onion Routing

65 Onion Routing (Free Routes), e.g., TOR Each User chooses own route Server peels of layer of encryption, discovers whom to send next Problem: & How to mix & Encryption should not reveal number of (current) layers

66 Onion Routing Problem: size of ciphertexts depends on # of remaining routers EncA1(A2,EncA2(A3,EncA3(Bob,EncBob(m)))) Need to add name of next recipient And typical encryption scheme expands length (cf. ElGamal where an encryption of one group element results in a ciphertext of two group elements)

67 Onion Routing Solution: Notation: {m}k denotes the symmetric encryption of m under key k {e}k-1 denotes the symmetric decryption of e under key k Assume sender shares symmetric keys ki with each router: O1 = {{{{m}k4}k3}k2}k1, {{{Bob}k3}k2}k1, {{A3}k2}k1, {A2}k1 Receiving O1, Router A1 will compute: O'1 = {{{m}k4}k3}k2, {{Bob}k3}k2, {A3}k2, A2 A1 needs to grow onion again: chose random R and comp. O2 = {{m}k4}k3}k2, R, {{Bob}k3}k2, {A3}k2 A1 sends O2 to A2

68 Onion Routing! Receiving O2 = {{{m}k4}k3}k2, R, {{Bob}k3}k2, {A3}k2 A2 computes O'2 = {{m}k4}k3, {R }k2-1, {Bob}k3, A3! A2 needs to regrow onion: choose random R' and compute O3 = {{m}k4}k3, R', {R }k2-1, {Bob}k3! And so on. At some point Bob will receive: O4 = {m}k4, R, {R'}k3-1, {{R }k2-1}k3-1 He computes O'4 = m, {R }k4-1, {{R'}k3-1}k4-1, {{{R }k2-1}k3-1}k4-1 and, as {{{R }k2-1}k3-1}k4-1 does not match any name, outputs m

69 Onion Routing! How are keys distributed: O1 = {{{{m}k4}k3}k2}k1, {{{Bob}k3}k2}k1, {{A3}k2}k1, {A2}k1 Replace, e.g., A3 by (C3,A3), where C3 is encryption of k3 under A3's public key O1 = {{{{m}k4}k3}k2}k1, {{{C4, Bob}k3}k2}k1, {{C3,A3}k2}k1, {C2,A2}k1! What about chosen ciphertext security? I.e., ciphertext must not be changeable! To make ciphertext non-malleable, include hash of onion as label in public key encryption Routers cannot generate R' at random choose it pseudo randomly, e.g., R' = {0}k3-1 O3 = {{m}k4}k3, {0}k3-1, {R }k2-1, {C4, Bob}k3

70 Onion Routing! So Onion O4 is computed as follows: O4 = {m}k4, {0}k3-1, {{0}k2-1}k3-1, {{{0}k1-1}k2-1}k3-1, (C4,Bob), L4 where C4 = EncPKBob(k4,Hash(L4))! So Onion O3 is computed as follows: O3 = {{m}k4}k3, {{{0}k2-1}k3-1}k3, {{{{0}k1-1}k2-1}k3-1}k3, {C4,Bob}k3,(C3,A3) = {{m}k4}k3, {0}k2-1, {{0}k1-1}k2-1, {C4,Bob}k3, (C3,A3), where C3 = EncPK3(k3,Hash(L3))

71 Onion Routing! So Onion O3 is computed as follows: O3 = {{m}k4}k3, {{{0}k2-1}k3-1}k3,{{{{0}k1-1}k2-1}k3-1}k3, {C4,Bob}k3, (C3,A3) = {{m}k4}k3, {0}k2-1,{{0}k1-1}k2-1, {C4,Bob}k3, (C3,A3), where C3 = EncPK3(k3,Hash(L3))! So Onion O2 is computed as follows: O2 = {{{m}k4}k3}k2, {0}k1-1, {{C4,Bob}k3}k2, {(C3,A3)}k2,(C2,A2), where C2 = EncPK2(k2,Hash(L2))! So Onion O1 is computed as follows: O1 = {{{{m}k4}k3}k2}k1, {{{C4,Bob}k3}k2}k1, {{(C3,A3)}k2}k1,{(C2,A2)}k1,(C1,A1) where C1 = EncPK1(k1,Hash(L1))

72 Technologies to Protect eprivacy Lecture 2 Anonymous Credentials Jan Camenisch IBM Research

73 Privacy at the Authentication Layer Authentication without identification 73

74 What is an identity & identity management? language skills work marital status phone number salary credit card number shopping hobbies public authority name address birth date insurance nick name leisure blood group health status health care! ID: set of attributes shared w/ someone attributes are not static: user & party can add! ID Management: two things to make ID useful authentication means means to transport attributes between parties 74

75 Let's see a scenario 75

76 Alice wants to watch a movie at Mplex I wish to see Alice in Wonderland Alice Movie Streaming Service

77 Alice wants to watch a movie at Mplex You need: - subscription - be older than 12 Alice Movie Streaming Service

78 Watching the movie with the traditional solution ok, here's - my eid - my subscription Alice Movie Streaming Service

79 Watching the movie with the traditional solution Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service

80 Watching the movie with the traditional solution This is a privacy and security problem! - identity theft - profiling - discrimination Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service

81 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Alice Movie Streaming Service 81

82 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Alice Movie Streaming Service 82

83 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Aha, you are - Alice@facebook.com - born on Dec 12, Alice's friends are... - Alice's public profile is... Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 83

84 Identity Mixer solves this. When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the services learns is that Alice has a subscription is older than 12 and no more.

85 Privacy-protecting authentication with IBM Identity Mixer Like PKI, but better:! One secret Identity (secret key)! Many Public Pseudonyms (public keys)

86 Privacy-protecting authentication with IBM Identity Mixer Like PKI, but better:! Issuing a credential Name = Alice Doe Birth date = April 3, 1997

87 Privacy-protecting authentication with Privacy ABCs Alice Movie Streaming Service 87

88 Privacy-protecting authentication with IBM Identity Mixer I wish to see Alice in Wonderland You need: - subscription - be older than 12 Alice Movie Streaming Service 88

89 Privacy-protecting authentication with IBM Identity Mixer Alice Movie Streaming Service 89

90 Privacy-protecting authentication with IBM Identity Mixer I wish to see Alice in Wonderland You need: - subscription - be older than 12 Alice Movie Streaming Service 90

91 Privacy-protecting authentication with IBM Identity Mixer Like PKI! but does not send credential! only minimal disclosure Alice - valid subscription - eid with age 12 Movie Streaming Service

92 Privacy-protecting authentication with IBM Identity Mixer Like PKI! but does not send credential! only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 - have a subscription Alice Movie Streaming Service 92

93 Advantages of Identity Mixer! For Users: privacy minimizing disclosure of personal data keeping their identities safe pseudonymous/anonymous access! For Service Providers: security, accountability, and compliance avoiding the risk of loosing personal data if it gets stolen compliance with legislation (access control rules, personal data protection) strong authentication (cryptographic proofs replace usernames/passwords) user identification if required (under certain circumstances) 93

94 Demo Try yourself at on Privacy Day (January 28)

95 Further Concepts 95

96 Concept Inspection Inspector parameters TTP Inspection grounds If car is damaged: ID with insurance or gov't needs be retrieved Similarly: verifiably encrypt any certified attribute (optional) TTP is off-line & can be distributed to lessen trust 96

97 Concept Revocation Revocation authority parameters (public key) Revocation info If Alice was speeding, license needs to be revoked! There are many different use cases and many solutions Variants of CRL work (using crypto to maintain anonymity) Accumulators Signing entries & Proof,... Limited validity certs need to be updated... For proving age, a revoked driver's license still works 97

98 Concept Usage Limitation Degree of anonymity can be limited:! If Alice and Eve are on-line at the same time, they are caught!! Use Limitation anonymous until: If Alice used certs > 100 times total or > 10'000 times with Bob! Alice's cert can be bound to hardware token (e.g., TPM) 98

99 A couple of use cases 99

100 Age verification Proving 12+, 18+, 21+ without disclosing the exact date of birth privacy and compliance with age-related legislation! Movie streaming services! Gaming industry! Online gambling platforms! Dating websites! Social benefits for young/old people 100

101 Healthcare Anonymous treatment of patients (while enabling access control and payments)! Anonymous access to patients' records accessing medical test results! Anonymous consultations with specialists online chat with a psychologist online consultation with IBM Watson! Eligibility for the premium health insurance proving that the body mass index (BMI) is in the certain range without disclosing the exact weight, height, or BMI 101

102 Subscriptions, membership Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)! Patent databases! DNA databases! News/Journals/Magazines! Transportation: tickets, toll roads! Loyalty programs??? 102

103 Polls, recommendation platforms Providing anonymous, but at the same time legitimate feedback! Online polls applying different restrictions on the poll participants: location, citizenship! Rating and feedback platforms anonymous feedback for a course only from the students who attended it wikis recommendation platforms 103

104 Towards Realizing Anonymous Creds 104

105 An Software Stack View on Identity Mixer application layer resource request presentation policy presentation token Wallet AC & app logic store policy layer crypto layer policy credential matcher evidence gen. orchestration store credential mgr Sig Enc... Com... ZKP policy token matcher store evidence verif. orchestration token mgr Sig Enc... Com... ZKP

106 The Policy Layer An Example: Presentation policy pecuid> metersuid> User Verifier presentation policy presentation token 106

107 Privacy-protecting authentication with Privacy ABCs Alice Movie Streaming Service 107

108 Required Technologies Signature Schemes Encryption Schemes Zero-Knowledge Proofs Commitment Schemes... challenge is to do all this efficiently!

109 zero-knowledge proofs 109

110 Zero-Knowledge Proofs! interactive proof between a prover and a verifier about the prover's knowledge Commitment Challenge Response! properties: zero-knowledge verifier learns nothing about the prover's secret proof of knowledge (soundness) prover can convince verifier only if she knows the secret completeness if prover knows the secret she can always convince the verifier 110

111 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Given group <g> and element y Є <g>. Prover wants to convince verifier that she knows x s.t. y = gx such that verifier only learns y and g. Prover: x random r t := gr t c s := r - cx y, g Verifier: s random c t = g s yc? notation: PK{(α): y = gα } 111

112 Zero Knowledge Proofs Proof of knowledge: if a prover can successfully convince a verifier, then the secret need to be extractable. Prover might do protocol computation in any way it wants & we cannot analyse code. Thought experiment:! Assume we have prover as a black box we can reset and rerun prover! Need to show how secret can be extracted via protocol interface x t t c c' x s t = gs yc = gs' yc' yc'-c = gs-s' y = g(s-s')/(c'-c) s' x = (s-s')/(c'-c) mod q

113 Zero Knowledge Proofs: Security Zero-knowledge property: If verifier does not learn anything (except the fact that Alice knows x = log g y ) Idea: One can simulate whatever Bob sees. Choose random c', s' compute t := g s' c' y if c = c' send s' = s, otherwise restart t c s Problem: if domain of c too large, success probability becomes too small

114 Zero Knowledge Proofs of Knowledge of Discrete Logarithms One way to modify protocol to get large domain c: Prover: x random r t := gr h := H(c,v)? s := r - cx y, g Verifier: h t random c,v h := H(c,v) c,v s t = g s yc? notation: PK{(α): y = gα } 114

115 Zero Knowledge Proofs: Security One way to modify protocol to get large domain c: Choose random c', s' compute t' := gs' yc' after having received c reboot verifier Choose random s compute t := gs yc send s h t' c,v h t c,v s

116 From Protocols To Signatures Signature SPK{(α): y = gα }(m): Signing a message m: - chose random r Є Zq and - compute c := H(gr m) = H(t m) s := r - cx mod (q) - output (c,s) Verifying a signature (c,s) on a message m: - check c = H(gs yc m)? 116 t = gs y c? Security: - underlying protocol is zero-knowledge proof of knowledge - hash function H(.) behaves as a random oracle.

117 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα z = gβ u = gβhα } PK{(α,β): y = gα z = gβ } als and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): SPK{(α): y = gα }(m) 117

118 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,β1,α2,β2, α3, β3): C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = gα1gα2hβ3 } mean? Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1, C2= gα2hβ2 and C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3 α3 = a1 + a2 (mod q) And what about: PK{(α1,...,β3): C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3 α3 = a1 + 5 a2 118 C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = gα1 (g5)α2hβ3 } (mod q)

119 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = C2α1hβ3 } mean? PK{(α1,..,β3): Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1, C2= gα2hβ2 and C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2 α1hβ3+β2 α1 C3 = gα2 α1 hβ3+β2 α1 = gα3 hβ3' a3 = a1 a2 (mod q) And what about PK{(α1,β1 β2): 119 C1= gα1hβ1 C2= gα2hβ2 C2 = C1α1hβ2 } a2 = a12 (mod q)

120 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,..,β2): C1= gα1hβ1 C2= gα2hβ2 g = (C2/C1)α1hβ2 } mean? Prover knows values α, β1, β2 such that C1= gα1hβ1 g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2 g1/α1 = C2 g-α1h-β1 hβ2/α1 C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1 C2 = gα2 hβ2 α2 = α1 + a1-1 (mod q) 120

121 signature schemes 121

122 RSA Signature Scheme for reference Rivest, Shamir, and Adlemann 1978 Secret Key: two random primes p and q Public Key: n := pq, prime e, and collision-free hash function H: {0,1}* -> {0,1}ℓ Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1) s := H(m) d mod n Verification of signature s on a message m Є {0,1}* se = H(m) Correctness: se = (H(m)d)e = H(m)d e = H(m) 122 (mod n) (mod n)

123 RSA Signature Scheme for reference Verification signature on a message m Є {0,1}* se := H(m) (mod n) Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) } But this is not a valid proof expression!!!! :-( 123

124 CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n k signature is (c,e,s)

125 CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a 1 m1... a k mk bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 125

126 Proving Knowledge of a CL-signature Recall: d = ce a1m1a2m2 bs mod n Observe:! Let c' = c btmod n with randomly chosen t! Then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1! provide c'! PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } proves d := c'ε a1µ1 a2m2b σ 126

127 Technologies to Protect eprivacy Lecture 3 Anonymous Credentials II Jan Camenisch IBM Research

128 Privacy-protecting authentication with Privacy ABCs commitment scheme signature scheme Alice zero-knowledge proofs 128

129 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα z = gβ u = gβhα } PK{(α,β): y = gα z = gβ } Intervals and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): SPK{(α): y = gα }(m) 129

130 CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n k signature is (c,e,s)

131 CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a 1 m1... a k mk bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 131

132 Proving Knowledge of a CL-signature Recall: d = ce a1m1a2m2 bs mod n Observe:! Let c' = c btmod n with randomly chosen t! Then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1! provide c'! PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } proves d := c'ε a1µ1 a2m2b σ 132

133 commitment scheme 133

134 Commitment Scheme: Functionality m m m, ? mє m

135 Commitment Scheme: Security Binding m, m', ? m є m? m' є m

136 Commitment Scheme: Security Binding m, m', ? m є m? m' є m

137 Commitment Scheme: Security Hiding: for all message m, m' m m' m m'

138 Commitment Scheme: Security Hiding: for all message m, m' m m' m m'? m m' m m'

139 Commitment Schemes Group G = <g> = <h> of order q To commit to element x Є Zq: Pedersen: perfectly hiding, computationally binding choose r Є Zq and compute c = gxhr ElGamal: computationally hiding, perfectly binding: choose r Є Zq and compute c = (gxhr, gr) To open commitment: reveal x and r to verifier verifier checks if c = gxhr

140 Pedersen's Commitment Scheme Pedersen's Scheme: Choose r Є Zq and compute c = gxhr Perfectly hiding: Let c be a commitment and u= logg h Thus c = gxhr = gx+ur = g(x+ur')+u(r-r') = gx+ur'hr-r' for any r'! I.e., given c and x' here exist r' such that c = gx'hr' Computationally binding: Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q

141 Commitment Scheme: Extended Features Proof of Knowledge of Contents m Proof m true Proof of Relations among Contents m, m' Proof m = 2 m' m m' true

142 Commitment Scheme: Extended Features Let C1 = gmhr and C' = gm'hr then: m Proof m true PK{(α,β): C = gβhα } m, m' Proof m = 2 m' PK{(α,β,γ): m m' true C' = gβhα C = (g2)βhγ }

143 putting things together 143

144 Realizing Pseudonyms and Key Binding! Let G = <g> = <h> of order q! User's secret key: random sk Zq! To compute a pseudonym Nym Choose random r Zq Compute Nym = gskhr 144

145 Privacy-protecting authentication with Privacy ABCs Like PKI, but better:! Issuing a credential Name = Alice Doe Birth date = April 3, 1997 Concept: credentials 145

146 Realizing Issuance of Credential Recall: a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 e d = c a m1... a 1 mk k bs mod n Problem: Pseudonym not in message space! Solution: Sign secret key instead d = ce a 1 sk a 2 m2... a mk k bs mod n New Problem: how can we sign a secret message? 146

147 Realizing Issuance of Credential n, ai, b, d C=a 1 sk bs'

148 Realizing Issuance of Credential σ' } {( K P C=a 1 sk σ, 1 µ ' ): C C n, ai, b, d µ1 b a = 1 e m a,n bs'

149 Realizing Issuance of Credential n, ai, b, d σ' } {( K P C=a 1 sk σ, 1 µ ' ): C C µ1 b a = 1 e m a,n ) s, e, c ( c = (d/c a name 2 bs )1/e mod n bs'

150 Realizing Issuance of Credential n, ai, b, d σ' } {( K P C=a 1 sk σ, 1 µ ' ): C C µ1 b a = 1 e m a,n ) s, e, c ( c = (d/c a name 2 bs )1/e mod n bs' d = ce a sk 1 a 2 name bs + s' (mod n)

151 Realizing Issuance of Credential Want to sign w.r.t. Nym = gskhr n, ai, b, d

152 Realizing Issuance of Credential Want to sign w.r.t. Nym = gskhr ρ µ1 h =g {(µ K P 1 n, ai, b, d σ' } m m a y n N, : m ) y,σ' N ρ, C, C ρ b 1 µ a2 a = 1 stores Nym, name e c = (d/c a name 3 bs )1/e mod n sk r Nym = g h C=a 1 sk a r 2 bs' d = ce a sk 1 a ra 2 3 name bs + s' (mod n)

153 Polling: Scenario and Requirements Scenario:! Pollster(s) and a number of users! Only registered user (e.g., students who took a course) can voice opinion (e.g., course evaluation)! User can voice opinion only once (subsequent attempts are dropped)! Users want to be anonymous! A user's opinion in different polls must not be linkable

154 Polling Solution: Registration (n,a1,a2,b,d)! User generates pseudonym (ID for registration)! User obtains credential on pseudonym stating that she is eligible for polls, i.e., (c,e,s) d = ce a sk 1 a 2 r a 3 attr bs (mod n)! Credential can contain attributes (e.g., course ID) about her

155 Polling Solution: Submit Poll 1. User generates domain pseudonym, domain = pollid 2. User transforms credential 3. Transformed credential with a subset of the attributes User is anonymous and unlinkable Multiple opinions are detected because uniqueness of domain pseudonym

156 Polling Solution: Polling 1. Domain pseudonym: P = gdsk = H(pollID)sk P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble (under the Decisional Diffie-Hellman assumption) 2. User transforms credential: c' = c bs'mod n with randomly chosen s' SPK{(ε, µ1, µ2, µ3,σ) : P = gdµ1 d := c'ε a1µ1 a2µ2a3µ3b σ (mod n) µ1, µ2, µ3 Є {0,1}ℓ ε > 2ℓ+1 }(opinion)

157 Concept Inspection Inspector parameters TTP Inspection grounds If car is damaged: ID with insurance or gov't needs be retrieved Similarly: verifiably encrypt any certified attribute (optional) TTP is off-line & can be distributed to lessen trust 157

158 Public Key Encryption Key Generation Encryption Decryption

159 Security Like Envelopes!? No info about message

160 Security Like Envelopes!? or? This is called semantic security (secure if used once only.)

161 ElGamal Encryption Scheme! Group G = <g> of order q! Secret Key Group x Є {1,...,q}; Public key y = gx! To encrypt message m Є <g>: choose random r Є {1,...,q}; compute c = (yr m, gr)! To decrypt ciphertext c = (c1,c2) We know c = (yr m, gr) = (gxr m, gr) Thus set m = c1 c2-x = yr m g-xr = yr-r m = m

162 Realizing Inspection Nym Nym = gskhr y= gx d = ce a ska ra name bs + s' (mod n) 1 2 3! Encrypt Nym : random u Є {1,...,q} and enc = (yu Nym, gu) = (e1,e2)! Compute proof token (presentation token): compute c' = c btmod n with randomly chosen t compute proof PK{(ε, µ1, µ2, µ3, σ) : d := c'ε a1µ1a2µ2a3µ3b σ e1 = yρ gµ1hµ2 e2 = gρ» µ1, µ3, µ3 Є {0,1}ℓ ε > 2ℓ+1 }

163 Revocation of credentials

164 Anonymous Credential Revocation various reasons to revoke credential & user lost credential / secret key & misbehavior of user publishes revocation info looks up Alice should be able to convince verifier that her credential is among the good ones! 164

165 Anonymous Credential Revocation & Pseudonyms standard revocation lists don't work? 165

166 Revocable Credentials: First Solution! Include into credential some credential ID ui as message, e.g., d = ce a 1 sk a 2 ui bs + s' (mod n)! Publish list of all valid (or invalid) ui's. (u1,..., uk)! Alice proves that her ui is on the list. Choose random g Compute Uj = guj for uj in (u1,..., uk) Prove PK{(ε, µ, ρ, σ) : ( d = c'ε a ρa µ b σ (n) U1 = gµ ) 1 2 (( ( (d = c'ε a ρa µ b σ (mod n) Uk = gµ ) } 1 2! Not very efficient, i.e., linear in size k of list :-(

167 Revocable Credentials: Second Solution! Include into credential some credential ID ui as message, e.g., d = ce a ska ui bs + s' (mod n) 1 2! Publish list of all invalid ui's. (u1,..., uk)! Alice proves that her ui is not on the list. Choose random h and compute U = hui Prove PK{(ε, µ, ρ, σ) : d = c'ε a ρa µ b σ (mod n) 1 2 U = hµ } Verifier checks whether U = huj for all uj on the list.! Better, as only verifier needs to do linear work (and it can be improved using so-call batch-verification...)! What happens if we make the list of all valid ui's public?! If credential is revoked, all past transactions become linkable...

168 Revocable Credentials: Second Solution Variation: verifier could choose h and keep it fixed for a while! Can pre-compute list Ui = hui! single table lookup! BUT: if user comes again, verifier can link!!!! ALSO: verifier could not change h at all! or use the same as other verifiers! one way out h = H(verifier, date), so user can check correctness. date could be the time up to seconds and the verifier could just store all the lists, i.e., pre-compute it.

169 Revocable Credentials: Second Solution better implementation of proof : Issuer signs intervals between revoked # revocation list: #1,#4,#5, Sig( 0,#1) Sig(#1,#4) Sig(#4,#5) Sig(#5, N ) #3 #3 #3 Verifier does not learn #, #i, #j! #3 contains # where #i < # <#j and Sig(#i,#j) Sig(#i,#j) can be realised also with credential signature scheme, using different public key

170 Revocable Credentials: Third Solution Using cryptographic accumulators: credentials contain random serial number # Issuer accumulates all "good" serial numbers #2 #3 #1 #2 #2 #6 #4 #5 #2 contains # that is included in Proof requires witness

171 Revocable Credentials: Third Solution Using cryptographic accumulators: to revoke #2 issuer publishes new accumulator & new witnesses for unrevoked credentials #2 #3 #1 #2 #2 #6 #4 #5 #2 contains # that is included in Proof would require witness

172 Revocable Credentials: Third Solution #2 Using so-called cryptographic accumulators:! Key setup: RSA modulus n, seed v #3 #1! Accumulate: values are primes ei #6 #4 #5 accumulator value: z = v Π ei mod n publish z and n witness value x for ej : s.t. z = x ej mod n can be computed as x = v e1... ej-1 ej+1... ek mod n! Show that your value e is contained in accumulator: provide x for e verifier checks z = x e mod n

173 Revocable Credentials: Third Solution Security of accumulator: show that e s.t. z = x e mod n for e that is not contained in accumulator: For fixed e: Equivalent to RSA assumption Any e: Equivalent to Strong RSA assumption #2 #3 #1 #6 #4 #5 Revocation: Each cert is associated with an e and each user gets witness x with certificate. But we still need: Efficient protocol to prove that committed value is contained in accumulator. Dynamic accumulator, i.e., ability to remove and add values to accumulator as certificates come and go.

174 Revocable Credentials: Third Solution! Prove that your key is in accumulator: Commit to x: choose random s and g and compute U1 = x hs, U2 = gs and reveal U1,U2, g Run proof-protocol with verifier PK{(ε, µ, ρ, σ, ξ, δ) : d = c'ε a ρa µ b σ (mod n) z = U1µ(1/h)ξ (mod n) 1 2 µ ξ δ 1 = U2 (1/g) (mod n) U2 = g (mod n)}

175 Revocable Credentials: Third Solution! Analysis No information about x and e is revealed: (U1, U2) is a secure commitment to x proof-protocol is zero-knowledge Proof is indeed proving that e contained in the certificate is also contained in the accumulator: a) 1 = U2µ(1/g)ξ = (gδ)µ (1/g)ξ (mod n) => ξ = δ µ b) z = U1µ(1/h)ξ =U1µ(1/h)δ µ =(U1/hδ )µ c) d = c'ε a ρa µ b σ (mod n) 1 (mod n) 2

176 Revocation: Third Solution Dynamic Accumulator! When a new user gets a certificate containing enew Recall: z = v Π ei mod n Thus: z' = z enew mod n But: then all witnesses are no longer valid, i.e., need to be updated x' = x enew mod n

177 Revocation: Third Solution Dynamic Accumulator! When a certificate containing erev revoked Now z' = v Π ei = z 1/erev mod n Witness: Use Ext. Euclid to compute a and b s.t. a eown + b erev = 1 Now x' = x b z' a mod n Why: x'eown = ((x b z' a )eown) erev 1/erev mod n = ((x b z' a )eown erev ) 1/erevmod n = ((x eown) b erev (z' erev) a eown) 1/erev mod n = (z b erev z a eown ) 1/erev mod n = z 1/erev mod n = z' :-)

178 Revocation: Third Solution (improved) Dynamic Accumulator: in case the issuer knows the factorization of n! When a new user gets a certificate containing enew Recall: z = v Π ei mod n Actually v never occurs anywhere... so: v' = v 1/enew mod n and x = z 1/enew mod n Thus z needs not to be changed in case new member joins!! Witnesses need to be recomputed upon revocation only!

179 Revocation: Zeroth Solution Update of Credentials: encode validity time as attribute if credential is valid no need to check revocation updates from issuer no additional effort for verifier 179

180 Revocation: Zeroth Solution Re-issue certificates (off-line interaction might be too expensive) U Recall issuing for identity mixer: U := a 1 m1 a m2 2 bs' Choose e,s c = (d/(ua (c,e,s ) 3 m3 a 4 time bs ))1/e mod n

181 Revocation: Zeroth Solution Re-issue certificates (off-line interaction might be too expensive)! Idea: just repeat last step for each new time time': Choose ei,si ci = (d/(ua 3 m3' a 4 time' bsi ))1/ei mod n (ci,ei,si )! Update information (ci,ei,si ) can be pushed to user by many different means

182 References! D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT 87, vol. 304 of LNCS, pp Springer-Verlag, 1988.! S. Brands. Rapid demonstration of linear relations connected by boolean operators.in EUROCRYPT 97, vol of LNCS, pp Springer Verlag, 1997.! Mihir Bellare: Computational Number Theory Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag.! Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.! Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key Exchange. CRYPTO 2010: ! Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009: ! Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.! M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages , Springer-Verlag, 2003.! E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology CRYPTO '93. Springer Verlag, 1993.! J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation.

183 References! David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24 No. 2, pp , 1981.! David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology Proceedings of CRYPTO '82, 1983.! David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in Communications of the ACM, Vol. 28 No. 10, 1985.! Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: ! Victor Shoup: A computational introduction to Number Theory and Algebra. Available from: D. Molnar and D. Wagner: Privacy and Security in Library RFID. Issues, Practices, and Architectures. In ACM CCS 2004.! G. Avoine, M.A. Bingöl, X. Carpent. S.B.O. Yalcin: Privacy-Friendly Authentication in RFID Systems: On Sublinear Protocols Based on Symmetric-Key Cryptography. In IEEE Transactions on Mobile Computing, 2013.! J.H. Cheon, J. Hong, G. Tsudik: Reducing RFID reader load with the meet-in-the-middle strategy. In Journal of Communications and Networks (14): (2012)! M. Ohkubo, K. Suzuki, S. Kinoshita: Efficient hash-chain based RFID privacy protection scheme. In: UbiComp Workshop, Ubicomp Privacy: Current Status and Future Directions (2004)! D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM.! D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.! J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology CRYPTO 2003.! J. Camenisch and A. Lysyanskaya: A Formal Treatment of Onion Routing. In Advances in Cryptology - CRYPTO 2005.! J. Camenisch and A.Mityagin: Mix-Network with Stronger Security. In Privacy Enhancing Technologies PET 2005.! T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology CRYPTO '84.

184 Conclusions! Roadmap Explain possibilities to engineers, policy makers etc Usable prototypes Provide transparency Public infrastructure for privacy protection Laws with teeth (encourage investment in privacy)! Challenges Internet services get paid with personal data (inverse incentive) End users are not able to handle their data (user interfaces..) Security technology typically invisible and hard to sell! Towards a secure information society Society changes quickly and gets shaped by technology Consequences are hard to grasp (time will show...) We must inform and engage in a dialog 184

185 Thank you!! Links: idemixdemo.zurich.ibm.com! Code github.com/p2abcengine & abc4trust.eu/idemix 185