Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Similar documents
Chapter 9: Key Management

Lecture Notes 14 : Public-Key Infrastructure

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Certificateless Public Key Cryptography

On the Revocation of U-Prove Tokens

CSE 565 Computer Security Fall 2018

Privacy Privacy Preserving Authentication Schemes: Theory and Applications

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

Direct Anonymous Attestation

Zero Knowledge Protocol

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich

Cryptographic Protocols 1

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Introduction to Cryptography Lecture 10

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

U-Prove Technology Overview

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features

1 Identification protocols

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Digital Cash Systems

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Infrastructure NETS E2008

FORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013

Diffie-Hellman. Part 1 Cryptography 136

ENEE 457: E-Cash and Bitcoin

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Lecture 2 Applied Cryptography (Part 2)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

D3.1 Scientific comparison of ABC protocols

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CS3235 Seventh set of lecture slides

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Using Chains for what They re Good For

More crypto and security

User Authentication. Modified By: Dr. Ramzi Saifan

Study Guide for the Final Exam

PROVING WHO YOU ARE TLS & THE PKI

Introduction to Modern Cryptography. Benny Chor

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Digital Multi Signature Schemes Premalatha A Grandhi

ENEE 459-C Computer Security. Security protocols

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

CSE 127: Computer Security Cryptography. Kirill Levchenko

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Unlinkable Attribute-Based Credentials with Practical Revocation on Smart-Cards

Privacy Enhancing Technologies CSE 701 Fall 2017

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Public Key Infrastructures

Chapter 10: Key Management

Digital Certificates Demystified

Homomorphic encryption (whiteboard)

5. Authentication Contents

Digital signatures: How it s done in PDF

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Outline Key Management CS 239 Computer Security February 9, 2004

Attribute-based Credentials on Smart Cards

Structure-Preserving Certificateless Encryption and Its Application

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Public-key Cryptography: Theory and Practice

VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ

Chapter 9 Public Key Cryptography. WANG YANG

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

ENEE 459-C Computer Security. Security protocols (continued)

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

IBM Identity Mixer. Authentication without identification. Introduction Demo Use Cases Features Overview Deployment

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Using Cryptography CMSC 414. October 16, 2017

Cryptographic protocols

CS549: Cryptography and Network Security

CPSC 467b: Cryptography and Computer Security

Security & Privacy. Larry Rudolph. Pervasive Computing MIT SMA 5508 Spring 2006 Larry Rudolph

Crypto meets Web Security: Certificates and SSL/TLS

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptanalysis of a fair anonymity for the tor network

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

ECE 646 Lecture 3. Key management

Deniable Unique Group Authentication CS380S Project Report

Fair exchange and non-repudiation protocols

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS 425 / ECE 428 Distributed Systems Fall 2017

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS November 2018

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Blind Signature Scheme Based on Elliptic Curve Cryptography

An efficient implementation of Monero subaddresses. 1 Introduction. Sarang Noether and Brandon Goodell Monero Research Lab October 3, 2017

Transcription:

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research

Credentials: Motivation ID cards Sometimes used for other uses E.g. prove you re over 21, or verify your address Don t necessarily need to reveal all of your information Don t necessarily want issuer of ID to track all of it s uses How can we get the functionality/verifiability of an physical id in electronic form without extra privacy loss

Credentials: Motivation The goal Users should be able to obtain credentials Show some properties Without Revealing additional information Allowing tracking

Credentials: Motivation Other applications Transit tokens/passes Electronic currency Online polling Implementations Idemix (IBM), UProve (Microsoft)

Credentials Organization Alice Org says Name Alice Address Birthdate Birthplace Citizenship Service Org says Name Alice Address Birthdate Birthplace Citizenship

Credentials Organization Alice Org says Name Alice Address Birthdate Birthplace Citizenship Service Org says Name Alice Address Birthdate Birthplace Citizenship Reveals a lot of info on Alice!

A new model Anonymous Credentials/Minimal Disclosure Tokens *Chaum83, + Organization Alice Cred from Org Name Alice Address Birthdate Birthplace Citizenship Service I have a cred from Org saying WA resident Age >21 Reveals only what Alice chooses to reveal Need not reveal her name (Need Accountability)

A new model Anonymous Credentials/Minimal Disclosure Tokens *Chaum83, + Organization Alice Cred from Org Name Alice Address Birthdate Birthplace Citizenship Service I have a cred from Org saying WA resident Cannot Age >18 Identify Alice (if her name is not provided) Learn anything beyond the info she gives (and what can be inferred) Distinguish two users with the same attributes Link multiple uses of the same credentials

How can we do this? Signatures/Certs? No privacy! What about other crypto tools? We will use Zero Knowledge Proof of knowledge (interactive or Fiat-Shamir) Commitments Blind signatures

Roadmap Review crypto tools Construct basic credential systems Additional issues Revocation Deciding who to revoke Additional features Non-interactive credentials/signatures Delegation Conclusion

Zero Knowledge Proofs Statement X Alice Service Knows X is true X is true OR Alice is cheating Alice wants to convince service that statement X is true, Without revealing any other information

Zero Knowledge Proofs I have signature from Org on message m such that. Alice Service Alice wants to convince service that she has such a signature Without revealing any other information Fiat Shamir: get challenge from hash function X is true OR Alice is cheating

Commitments Like locked box or safe Hiding hard to tell which message is committed to Binding there is a unique message corresponding to each commitment Msg, Msg E.g. Pederson Commitment: C = g m h r

Blind signatures Signing key: sk Message: m Verification key: pk Signature under pk on m Alice learns only signature on her message. Signer learns nothing.

Blind signatures Msg Signing key: sk Message: m Verification key: pk Sign(sk, Msg ) Signature under pk on m Alice learns only signature on her message. Signer learns nothing.

How it works (abstractly) Anonymous Credentials/Minimal Disclosure Tokens Organization secret Prevents impersonation Tie multiple creds to one user Alice Cred from Org Name Alice Address Birthdate Birthplace Citizenship Service I have a cred from Org saying WA resident Age >21

How it works Anonymous Credentials/Minimal Disclosure Tokens Organization secret Alice Signature from Org secret Name Alice Address Birthdate Birthplace Citizenship Need to generate signature without Org learning secret Service Prove I have a cred from Org saying WA resident Age >21

How it works Anonymous Credentials/Minimal Disclosure Tokens Organization secret Alice Signature from Org secret Name Alice Address Birthdate Birthplace Citizenship Service Prove I have sig from Org * @@@, WA #>21 How can we prove this without revealing secret rest of message signature

How it works Anonymous Credentials/Minimal Disclosure Tokens Organization secret Alice Signature from Org secret Name Alice Address Birthdate Birthplace Citizenship Service Zero Knowledge Proof I have sig from Org * @@@, WA #>21 Proof does not reveal secret rest of message signature

Is this practical? Depends on how we implement proofs and blind signatures Two main approaches: RSA type signatures [CL02] Based on strong version of RSA assumption Idemix (IBM) DSA type signatures [Brands 99] Based on discrete logarithm problem (more or less) UProve (Microsoft) Also third type based on elliptic curves with pairings [BCKL08] Less efficient Allows for extra features

Is this practical? Key tool: Proof of knowledge of discrete log Given Y, g, prove I know x such that Y = g x Generalized: Given Y, g, h, prove I know x, z such that Y = g x h z Given Y, W, g, h, prove I know x such that Y = g x and Z = h x Prove arithmetic relationships Prove that values are not equal.. Prove statements about commitments, signatures, encryptions, etc.

Is this practical? I know x such that Y = g x Alice Knows X is true A = g r c z = r + cx Service Check if AY c = g z Alice wants to convince service that she knows x, Without revealing any other information

Is this practical? Key tool: Proof of knowledge of discrete log Given Y, g, prove I know x such that Y = g x Generalized: Given Y, g, h, prove I know x, z such that Y = g x h z Given Y, W, g, h, prove I know x such that Y = g x and Z = h x Prove arithmetic relationships Prove that values are not equal.. Prove statements about commitments, signatures, encryptions, etc.

Roadmap Review crypto tools Construct basic credential systems Additional issues Revocation Deciding who to revoke Additional features Non-interactive credentials/signatures Delegation Conclusion

Credentials Now we have an anonymous credential system. What other issues come up? What about misuse of credentials? If everyone is completely anonymous, how do we deal with misuse of privileges? Can we revoke credentials? Can we even tell whose credential to revoke?

Credential Revocation Expiration dates Can be embedded in anonymous credentials prove that expiration date > current date CRL (Certificate Revocation List) List of all revoked certificates Verifier can check that presented cert is not on list Anonymous CRLs? : How to check that the credential is not on the revoked list without compromising privacy?

Anonymous CRLs Option 1: Verifier gives Alice CRL Alice proves that her credential is not on the list (for each value on the list, prove that her value is different) Option 2: We can do this more concisely using accumulators Issuer publishes accumulator single value that encapsulates all revoked credentials (or all good credentials) Users, given updates to CRL (or list of all good credentials), can give short proof they are not on CRL (or they are on whitelist).

How do we deal with misuse of privileges? (How do we tell who to revoke?) Depends how we define misuse: Simple type: reused one-use token Tried to vote twice in a poll Tried to spend transit token twice More complex scenarios Trust a judge to determine misuse

How do we deal with misuse of privileges? One-Time/Limited Use Credentials Credentials meant to be used only once (or fixed number of times) Subway tokens Electronic currency (e-cash) Movie tickets Access passes for online service Service records serial number on every token used As long as each token is only used once user is anonymous multiple tokens used by the same user are unlinkable If token is used twice, identity of user is revealed. Previous work *Chaum83, CFN90, CHL05, BCKL09+

How do we deal with misuse of privileges? One-Time/Limited Use Credentials Anything digital can be copied! Why can t Alice just copy her credential, and give one copy to Bob and the other to Carol? Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org Id: the identifying info for the user T: the slope of a line with f(0)=id When cred is used it includes (R, D): R: transaction information (station name, timestamp, etc) D: Doublespending tag (f(r)). (R, D)» (R,D) and (R,D ) gives Id (0,Id)

How do we deal with misuse of privileges? One-Time/Limited Use Credentials Anything digital can be copied! Why can t Alice just copy her credential, and give one copy to Bob and the other to Carol? Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org Id: the identifying info for the user T: the slope of a line with f(0)=id When cred is used it includes (R, D): R: transaction information (station name, timestamp, etc) D: Doublespending tag (f(r)). (R, D) (R, D )» (R,D) and (R,D ) gives Id (0,Id)

How do we deal with misuse of privileges? One-Time/Limited Use Credentials Anything digital can be copied! Why can t Alice just copy her credential, and give one copy to Bob and the other to Carol? Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org Id: the identifying info for the user T: the slope of a line with f(0)=id When cred is used it includes (R, D): R: transaction information (station name, timestamp, etc) D: Doublespending tag (f(r)). (R, D) (R, D )» (R,D) and (R,D ) gives Id (0,Id)

How do we deal with misuse of privileges? One-Time/Limited Use Credentials Anything digital can be copied! Why can t Alice just copy her credential, and give one copy to Bob and the other to Carol? Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org Id: the identifying info for the user T: the slope of a line with f(0)=id When cred is used it includes (R, D): R: transaction information (station name, timestamp, etc) D: Doublespending tag (f(r)). (R, D) (R, D ) (0,Id)» (R,D) and (R,D ) gives Id (0,Id)

How do we deal with misuse of privileges? More complex scenarios Trusted judge (anonymity revocation authority) Alice also sends encryption of her identity under judge s public key (Identity escrow) In case of misuse, Service gives encryption to judge If judge agrees credential was misused, it can decrypt and find Alice s identity Disadvantage: users have no anonymity w.r.t. revocation authority Judge must be trusted Advantage: very flexible Techniques: Verifiable encryption

Roadmap Review crypto tools Construct basic credential systems Additional issues Revocation Deciding who to revoke Additional features Non-interactive credentials/signatures Delegation Conclusion

Other Features Log of all valid users and their credentials? Post an anonymous message with proof of a credential? Non-interactive credentials (Signatures) Challenge: proof needs to be one message Non interactive Zero Knowledge proof Fiat-Shamir (using hash as challenge) Or recent proof techniques based on special elliptic curves

Delegation Webmaster Forum Moderator Cred from Webmaster Moderator Alice Cred from Moderator who has cred from Webmaster Registered User I have a level 2 cred from Webmaster saying Registered user Forum Moderator and Alice should remain anonymous

Delegation Webmaster Forum Moderator Cred from Webmaster Moderator Alice Cred from Moderator who has cred from Webmaster Registered User I have a level 2 cred from Webmaster saying Registered user Forum Moderator and Alice should remain anonymous

Delegation Webmaster Forum Moderator Cred from Webmaster Moderator Alice Cred from Moderator who has cred from Webmaster Registered User I have a level 2 cred from Webmaster saying Registered user Forum Moderator and Alice should remain anonymous

Delegation Webmaster Forum Moderator Sig from Webmaster secret Bob Moderator Alice Sig from Bob secret Alice Registered User Proof of Bob has a sig from Webmaster saying Moderator Proof of I have a sig from Bob saying Registered User Proof of Bob has a sig from Webmaster saying Moderator If Alice uses the same proof each time, service will know

Randomizable proofs Forum Moderator Can we do this? Alice Proof of Bob has a sig from Webmaster saying Moderator Not clear with traditional techniques Need proofs with special properties New Proof of Bob has a sig from Webmaster saying Moderator

Delegating Credentials Randomizable proof system Elliptic curve with pairings based proofs [GOS06,GS08] satisfy this property Delegatable Anonymous Credentials [BCCKLS09] Requires some additional techniques In progress: delegatable one-time credentials (i.e. transferrable e-cash) [CCKR]

Roadmap Review crypto tools Construct basic credential systems Additional issues Revocation Deciding who to revoke Additional features Non-interactive credentials/signatures Delegation Conclusion

Other issues How do you tie a digital credential to a real world person/identity? Harder when you add anonymity Circular encryption, smart card, POK of credit card number Safety in numbers: What if the issuer only ever issues one credential? Even with anonymous credentials, if yours is the only credential issued, issuer will know when you show it Adoption will anyone ever use this? Do people care enough about privacy?

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback