Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich

Transcription

1 Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich

2 ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving & auditable data exchange 2

3 Strong User Authentication Strong (user) authentication via certificates / attribute-based credentials Many European countries have or will introduce e cards Desirable for security, but detrimental for privacy Existing schemes require full information disclosure & user is linkable in all transactions This is a privacy and security problem! Linkability enables tracking & profiling of users Acquired personal data requires protection Aha, you are Alice Doe born on Dec 12, 1978 live at Waterdrive 22, Berlin e expires Aug 4, 2018 Name Alice Doe Date Of Birth Dec 12, 1978 Address Waterdrive 22 City Berlin Country Germany Expiry Date Aug 4, 2018 Service Provider Movie Streaming Service 3

4 Strong & Privacy-Preserving User Authentication Envisioned by Chaum in 1981, first full scheme by Camenisch & Lysyanskaya in 2001 User can selectively disclose each attribute User can prove predicates over the attributes, e.g., I'm over 18 Unlinkable authentication as default, linkability as an option Pseudonym Moviefan Name Alice Doe Date of Birth > 18 years ago Address 7 Waterdrive City 8003 Zurich Country Germany Expiry Date > today Service Provider Aha, you are user Moviefan, from Germany, have valid e and are over 18! Movie Streaming Service 4

5 Strong & Privacy-Preserving User Authentication Envisioned by Chaum in 1981, first full scheme by Camenisch & Lysyanskaya in 2001 User can selectively disclose each attribute User can prove predicates over the attributes, e.g., I'm over 18 Unlinkable authentication as default, linkability as an option Aha, you have are user Alice2000,... Pseudonym Alice200 Name Alice Doe Date of Birth > 18 years ago Address 7 Waterdrive City 8003 Zurich Country Germany Expiry Date > today Service Provider Alice2000 = Moviefan? Movie Streaming Service 5

6 Privacy-Enhancing Credentials Existing Solutions Most prominent core-credential/signature schemes: Identity Mixer (IBM) U-Prove (Microsoft) 6 Multi-use credentials Zero-Knowledge Proofs Strong RSA, pairings (LRSW, qsdh) One-time use credentials (multi-use via batch-issuance) Blind Signatures RSA, DL

7 Privacy-Enhancing Credentials Extended Features Many more extensions & properties: Revocation, multi-credential proofs, issuance with carry-over attributes, conditional disclosure, symmetric credentials Various cryptographic realizations 7

8 Privacy-Enhancing Credentials Generic Framework ABC4Trust (EU project) Technology-independent & easy-to-use framework Comprehensive & standardized language framework Technology-agnostic credential & policy handling on top of crypto engine Generic, automated crypto engine request resource application layer Credential Wallet Browser/ Application presentation policy presentation token Application Access Control Engine policy layer User Credential Engine policy credential matcher evidence generation orchestration storage credential mgr Verifier Credential Engine policy token matcher evidence verification orchestration storage token mgr crypto layer Crypto Engine ZKP Sig Crypto Engine Com ZKP Sig Com 8

9 Privacy-Enhancing Credentials New Applications V2X communication (vehicles (V2V) and infrastructure (V2I)) Security needs: authentication & privacy Current approach: pseudonym CA Privacy-credentials fit perfectly! (almost) Pseudonym CA status msg revocation status Long-term CA long-term certificate pseudonym certificates Hardware-based device/user attestation (DAA) Draft for FO standard TPM FO ("Fast entity Online") Alliance = industry consortium developing standardized strong user/device authentication Blockchain: eternal and public transaction ledger Privacy credentials needed to avoid privacy nightmare Identity Mixer being integrated into Hyperledger Fabric IBM joined the Sovrin Foundation decentralized digital identity network 9

10 ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving & auditable data exchange [CL15] Camenisch, Lehmann. (Un)linkable Pseudonyms for Governmental bases. CCS15. [CL17] Camenisch, Lehmann. Privacy-Preserving User-Auditable Pseudonym Systems. IEEE EuroSP17. 10

11 Pseudonym System Motivation How to exchange and correlate (pseudonymous) data? E.g., ehealth records, social security system User-centric conversion inconvenient & unreliable Laboratory Health Insurance Unique Doctor A Hba02 912uj Doctor B Bob.0411 Hospital sd7ab y2b4m 11

12 Pseudonym System Globally Unique Pseudonyms gets associated with globally unique identifiers / pseudonyms E.g., social security number in US, Belgium, Sweden,... Laboratory Health Insurance Unique Bob.0411 Doctor A Hospital Hba02 912uj sd7ab Doctor B Unique identifiers are security & privacy risk y2b4m no control about data exchange & usage if associated data is lost, all pieces can be linked together linkability of data allows re-identification of anonymized data (e.g. Netflix challenge) 12

13 Pseudonym System Local Pseudonyms & Trusted Converter User data is associated with random looking local identifiers the pseudonyms Only central entity the converter can link & convert pseudonyms new Japan e / social security number system (?) Converter Main Doctor A Hospital Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange Record of from Hospital? Record of? + if records are lost, pieces cannot be linked together Doctor A Hospital Hba02 912uj sd7ab y2b4m 13

14 Pseudonym System Local Pseudonyms & Trusted Converter 14 User data is associated with random looking local identifiers the pseudonyms Only central entity the converter can link & convert pseudonyms User Portal for Bob.0411 Doctor A Hospital. 02/26/2017 Unique Bob.0411 Converter Main Doctor A Hospital Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange Record of from Hospital? Record of? + if records are lost, pieces cannot be linked together Doctor A Hospital + converter can provide audit logs to users (GDPR-requirement) converter learns all request & knows all correlations Hba02 912uj sd7ab y2b4m

15 Pseudonym System Local Pseudonyms & Oblivious Converter 15 User data is associated with random looking local identifiers the pseudonyms Only central entity the converter can link & convert pseudonyms User Portal for Bob.0411 Doctor A Hospital. 02/26/2017 Unique Bob.0411 Converter Main Doctor A Hospital Alice.1210 Hba02 7twnG Bob.0411 Carol uj sd7ab + control about data exchange Record of from Hospital? Record of? + if records are lost, pieces cannot be linked together Doctor A Hospital + converter can provide audit logs to users (GDPR-requirement) converter learns all request & knows all correlations Hba02 912uj sd7ab y2b4m

16 (Un)linkable Pseudonyms Pseudonym Generation User, converter & server jointly derive pseudonyms from unique identifiers Doctor A Converter Hba02 912uj Hospital Unique Bob.0411 [CL15] generation triggered by converter, knows unique s [CL17] oblivious pseudonym generation triggered by user sd7ab y2b4m 16

17 (Un)linkable Pseudonyms Pseudonym Conversion Only converter can link & convert pseudonyms, but does so in a blind way Converter Record of at Hospital Record of? blind conversion Record of at Hospital Record of at Hospital Doctor A blind conversion request unblinding conversion response Record of? Record of? Hba02 912uj Hospital sd7ab y2b4m 17

18 (Un)linkable Pseudonyms Consistency pseudonym generation is deterministic & consistent with blind conversion Doctor A Converter Hba02 912uj Hospital Unique Bob.0411 sd7ab y2b4m 18

19 (Un)linkable Pseudonyms Consistency pseudonym conversions are transitive, unlinkable data can be aggregated Invoice for Doctor A Hba02 Converter 912uj Invoice for Invoice for RtE14 Insurance Hospital 6Wz6P fx4o7 RtE14 $ $ $ sd7ab y2b4m 19

20 (Un)linkable Pseudonyms User Audits [CL17] every pseudonym conversion triggers blind generation of audit log entry Audit Bulletin Board Converter Doctor A Hba02 912uj Hospital Doctor A Hospital. 02/26/2017 Unique Bob.0411 sd7ab y2b4m 20

21 (Un)linkable Pseudonyms Security Model Universal composability (UC) model convenient & simple for privacy-preserving systems NymGen, S A NymGen, S B F Nyms: [U i, S A, nym i,a ] [U i, S B, nym i,b ]. Conversion: [U i, S A, S B ]. Server S A U i Chooses random pseudonym z, nym i,b,. nym i,a Audit Conversion via Nyms table [U i, S A, S B ] Audit returns Conversion entries for U i Server S B Convert, S A, S B, qid Convert, qid, OK Converter X 21

22 Our Protocol high-level idea of convertible pseudonyms adding (efficient) auditability security against active adversaries

23 High-level Idea Pseudonym Generation Core Idea Generation: X blindly computes nym i,a PRF(k,uid i ) x A pk A,sk A [1] X and U i jointly compute z i OPRF(k,uid i ) k, for each server: x A, x B, x C, Converter X C nym [3] X blindly computes nym i,a C nym C nym xa Server A nym i,a [4] S A decrypts pseudonym nym i,a Dec(sk A,C nym ) nym i,a = PRF(k,uid i ) x A [2] Ui encrypts z i for S A C nym Enc(pk A,z i ) z i C nym uid i 23

24 High-level Idea Pseudonym Conversion Core Idea Generation: X blindly computes nym i,a PRF(k,uid i ) x A Conversion: X blindly computes nym i,b nym i,a xb / xa [1] S A encrypts nym i,a under S B 's key C Enc(pk B, nym i,a ) C, S B, qid Server A pk A,sk A nym i,a Converter X k, for each server: x A, x B, x C, C', S A, qid [2] X blindly transforms encrypted pseudonym C' C Δ with Δ = x B / x A C = Enc(pk B, nym i,a ) x B / xa C ' = Enc(pk B, PRF(k,uid i ) x A ) x B / xa C ' = Enc(pk B, PRF(k,uid i ) x B ) C = Enc(pk B, nym i,b ) Server B pk B,sk B nym i,b [3] S B decrypts converted pseudonym nym i,b Dec(sk B, C ) nym i,b = PRF(k,uid i ) xb 24

25 High-level Idea Overview NymRequest Converter X NymResponse Server A nym i,a Generation Conversion ConvRequest Server A nym i,a Converter X ConvResponse Server B nym i,b 25

26 High-level Idea Adding Auditability usk, upk upk is randomizable encryption key upk RAND(upk) decrypt all audit ciphertexts: info Dec(usk,C*)? NymRequest, upk Converter X NymResponse, upk Server A nym i,a, upk Generation Conversion ConvRequest, upk Server A nym i,a, upk Audit Bulletin Board C* Converter X C* Enc(upk, info) ConvResponse, upk Server B nym i,b, upk 26

27 High-level Idea Adding Efficient Auditability (via Audit Tags) decrypt ciphertext for T A : info Dec(usk,C*) usk, upk, {T A } NymRequest, upk, C T C T Enc(pk A, T A ) for random T A Converter X NymResponse, upk, C T Server A nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A Server A nym i,a, upk, T A Audit Bulletin Board T A, C* Converter X C* Enc(upk, info) ConvResponse, upk Server B nym i,b, upk 27

28 High-level Idea Adding Efficient Auditability (via Audit Tags) usk, upk, {T A, T B } decrypt ciphertext for T A : info Dec(usk,C*) C T Enc(pk A, T A ) for random T A get new audit tags for T A : T B Dec(usk, C* TB ) NymRequest, upk, C T Converter X NymResponse, upk, C T Server A nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A Server A nym i,a, upk, T A Audit Bulletin Board T A, C* Tag Chain: T A, C* TB Converter X C* Enc(upk, info) ConvResponse, upk C* TB Server B nym i,b, upk, T B C*TB Enc(upk, TB) for random TB 28

29 High-level Idea Adding Efficient Auditability (via Audit Tags) usk, upk, {T A, T B, T A, } decrypt ciphertext for T A : info Dec(usk,C*) C T Enc(pk A, T A ) for random T A get new audit tags for T A : T B Dec(usk, C* TB ) T A Dec(usk, C* TA ) NymRequest, upk, C T Converter X NymResponse, upk, C T Server A nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A, C* TA Server A nym i,a, upk, T A Audit Bulletin Board T A, C* Tag Chain: T A, C* TB T A, C* TA Converter X C* Enc(upk, info) ConvResponse, upk C* TB T A C* TA Enc(upk, T A ) for random T A Server B nym i,b, upk, T B C* TB Enc(upk, T B ) for random T B 29

30 High-level Idea Security against Active Adversaries decrypt ciphertext for T A : info Dec(usk,C*) get new audit tags for T A : T B Dec(usk, C* TB ) T A Dec(usk, C* TA ) usk, upk, {T A, T B, T A, } C T Enc(pk A, T A ) for random T A NymRequest, upk, C T Converter X NymResponse, upk, C T Signature scheme for homomorphic encodings Server A nym i,a, upk, T A T A Dec(sk A, C T ) Generation Conversion ConvRequest, upk, T A, C* TA, π A Server A nym i,a, upk, T A Audit Bulletin Board T A, C*, T B, C** Tag Chain: T A, C* TB T A, C* TA Converter X C* Enc(upk, info) ConvResponse, upk C* TB T A C* TA Enc(upk, T A ) for random T A Server B nym i,b, upk, T B C* TB Enc(upk, T B ) for random T B 30

31 (Un)linkable & Auditable Pseudonyms Security & Efficiency Provably secure construction in the Universal Composability (UC) framework based on homomorphic encryption scheme (ElGamal encryption) homomorphic encryption scheme with re-randomizable public keys (ElGamal-based) oblivious pseudorandom function with committed outputs (based on Dodis-Yampolskiy-PRF) signature scheme for homomorphic encoding functions (based on Groth signature scheme) zero-knowledge proofs (Fiat-Shamir NIZKs) commitment scheme (ElGamal based) DDH Secure against actively corrupt users & servers, and honest-but-curious converter (w/o audits even fully corrupt converter [CL15]) Concrete instantiation ~50ms computational time per party for conversion 31

32 Summary Mature privacy-enhancing technologies exist privacy and functionality are not exclusive Linkability crucial for utility, but also weakens privacy Paradigm shift: unlinkability per default, linkability only when necessary Controlled, selective linkability & enforced transparency GDPR creates a great practical demand for privacy-preserving mechanisms data minimisation, consent enforcement, auditability,... Crypto Magic needs education and dissemination! Thanks! Questions? anj@zurich.ibm.com 32