Anonymous Credentials Gergely Alpár Collis – November 24, 2011
Crypt assumptions
My assumptions: modular computation (addition, multiplication); public-key cryptography (PKI); cryptographic hash function; concatenation
Overview: Zero-knowledge proof of knowledge; Credentials; Discrete logarithm preliminaries; U-Prove; RSA preliminaries; Idemix; Comparison
Zero-knowledge proofs
Current practice: “I know the password!” “I don’t believe you.” “It’s wachtw0ord2011” “Yes, indeed.”
Zero-knowledge proof: “I know the secret!” “I don’t believe you.” “I can prove it.” “I’ll believe it when I see it.” “No, I don’t show it, but I’ll convince you that I know it.” (A hard problem)
Waldo and ZK
Where’s Waldo? Source: findwaldo.com // The Gobbling Gluttons. Idea: Moni Naor et al., How to Convince Your Children You are not Cheating, 1999
ZK – Ali Baba’s cave
Credentials
Credential flow
Anonymity requirements: untraceability; multi-show unlinkability; selective disclosure; attribute property proof; revocation by user; revocation by issuer (figure labels: Age > 18, Valid)
High-level approaches: Every time: issuing before showing (U-Prove, 1999) – untraceability; Showing with zero-knowledge proof (Idemix, 2001) – untraceability and unlinkability; Randomize (self-blindable, 2001) – unlinkability and untraceability
History of anonymous credentials: Public-key crypto (Diffie & Hellman); 1978: RSA; 1981: Digital pseudonym (Chaum); 1985: Zero-knowledge proof (GMR); 1986: Non-interactive ZK (Fiat & Shamir); Schnorr identification and signature; 1999: U-Prove crypto (Brands); 2001: Idemix crypto (Camenisch & Lysyanskaya); 2002: Idemix Java implementation; 2009: Light-weight Idemix impl. (IBM); 2010: Microsoft’s U-Prove impl.; ABC4Trust (IBM & MS)
Discrete logarithm – preliminaries
Modular computation mod n: a^x; log_a x; 343 = 14 mod 47; log_7 14 = 3 mod 47
Modular exponentiation [plot residue: axis labels "x" and "x mod 53"; values 10, 13]
Discrete logarithm (p = 53, q = 13) [plot residue: axis labels "x" and "x mod 53"]; log = ? mod
Discrete logarithm (p = 389, q = 97) [plot: 13^x mod 389 against x]; log = ? mod 389
p ~ , q ~ = (mod ) g^b = h (mod p), where the order of g is q
Efficiently computable: Random numbers – 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8, 8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9; Modular addition and multiplication – a · b + c (mod n); Modular exponentiation – 3^26 = 3^(11010) = = 3 (mod 11); 3^2 = 9 mod = (((9)^2)^2 mod 11 = 5 mod = 5^2 mod 11 = 3 mod 11
ZK as a basic building block: Zero-knowledge (ZK) proof of knowledge; Schnorr identification; Schnorr signature; U-Prove issuance; Blind signature; U-Prove showing
U-Prove
Crypt assumptions: Discrete logarithm assumption
Schnorr identification: Complete (P: “If I know, I can convince you.”); Sound (V: “If you don’t know, you cannot convince me.”); Zero-knowledge
From outside
Simulation: Zero-knowledgeness; Real communication; Simulated communication
Schnorr identification
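The three properties listed for Schnorr identification, and the simulation argument behind zero-knowledgeness, can be checked on the slides' toy group p = 389, q = 97 (13 has order 97 modulo 389). This is an added example, not taken from the slides; the function names and the name x for the secret exponent are assumptions, and a group this small is for illustration only.

```python
import secrets

# Toy group from the slides: p = 389, q = 97; g = 13 has order q modulo p.
P, Q, G = 389, 97, 13
assert G != 1 and pow(G, Q, P) == 1

def keygen():
    """Secret x in [1, q-1] and public h = g^x mod p (names are assumptions)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Prover's first message a = g^w for a fresh random w."""
    w = secrets.randbelow(Q)
    return w, pow(G, w, P)

def respond(x, w, c):
    """Prover's answer r = w + c*x mod q to challenge c."""
    return (w + c * x) % Q

def verify(h, a, c, r):
    """Verifier accepts iff g^r == a * h^c (mod p)."""
    return pow(G, r, P) == a * pow(h, c, P) % P

def honest_run(x, h):
    """Completeness: a prover who knows x always yields an accepting transcript."""
    w, a = commit()
    c = secrets.randbelow(Q)          # verifier's random challenge
    return a, c, respond(x, w, c)

def simulate(h):
    """Zero-knowledge: pick c and r first, then solve for a. No secret is
    used, yet the transcript verifies and is distributed like an honest run."""
    c, r = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(G, r, P) * pow(h, -c, P) % P
    return a, c, r

def extract(c1, r1, c2, r2):
    """Soundness: two accepting answers to different challenges for the SAME
    commitment reveal x. This is also why w must never be reused."""
    return (r1 - r2) * pow((c1 - c2) % Q, -1, Q) % Q

if __name__ == "__main__":
    x, h = keygen()
    print("honest transcript accepted:", verify(h, *honest_run(x, h)))
    print("simulated transcript accepted:", verify(h, *simulate(h)))
    w, _ = commit()
    print("extracted == x:", extract(3, respond(x, w, 3), 8, respond(x, w, 8)) == x)
```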
Non-interactive Schnorr (Fiat-Shamir)
Schnorr signature (freshness)
Schnorr signature
Schnorr blind signature
Credential flow: Issuing; Showing
DL representation
Brands’ issuing protocol (U-Prove)
Brands’ showing protocol (U-Prove)
Selective disclosure (U-Prove): Certain attributes are revealed; others are proven in the token but remain hidden (figure label: R)
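A simplified sketch of selective disclosure over a DL representation, added here and not taken from the slides or from the U-Prove specification: it omits the issuer's signature on the token and uses a Fiat-Shamir challenge bound to a verifier nonce. The generators, attribute values and function names are constructed for illustration on the toy group p = 389, q = 97, where a challenge space of 97 values gives toy soundness only.

```python
import hashlib
import secrets

P, Q = 389, 97                                # toy group sizes from the slides
GENS = [pow(b, 4, P) for b in (2, 3, 5, 7)]   # constructed generators of order q

def token(attrs):
    """h = g_0^x_0 * ... * g_3^x_3 mod p; attrs is a DL representation of h."""
    h = 1
    for g, x in zip(GENS, attrs):
        h = h * pow(g, x, P) % P
    return h

def challenge(h, a, disclosed, nonce):
    """Fiat-Shamir challenge bound to the verifier's nonce (freshness)."""
    data = f"{h}|{a}|{sorted(disclosed.items())}|".encode() + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def show(attrs, reveal, nonce):
    """Reveal attrs[i] for i in reveal; prove knowledge of the rest."""
    h = token(attrs)
    disclosed = {i: attrs[i] for i in reveal}
    hidden = [i for i in range(len(attrs)) if i not in disclosed]
    w = {i: secrets.randbelow(Q) for i in hidden}
    a = 1
    for i in hidden:
        a = a * pow(GENS[i], w[i], P) % P
    c = challenge(h, a, disclosed, nonce)
    responses = {i: (w[i] + c * attrs[i]) % Q for i in hidden}
    return h, disclosed, a, responses

def verify(h, disclosed, a, responses, nonce):
    """Divide the revealed attributes out of h, then check the proof
    of knowledge for the remaining (hidden) exponents."""
    # Every attribute index must be either disclosed or proven, never both.
    if sorted([*disclosed, *responses]) != list(range(len(GENS))):
        return False
    rest = h
    for i, x in disclosed.items():
        rest = rest * pow(GENS[i], -x, P) % P
    lhs = 1
    for i, r in responses.items():
        lhs = lhs * pow(GENS[i], r, P) % P
    return lhs == a * pow(rest, challenge(h, a, disclosed, nonce), P) % P
```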
RSA – preliminaries
Crypt assumptions: Integer factorization is hard
RSA signature – recap
Strong RSA assumption: Integer factorization: given n, find p, q; RSA problem: given c, e, find m; Strong RSA problem: given c, find m, e; where c = m^e (mod n)
Idemix – selective disclosure
Camenisch-Lysyanskaya signature
Idemix issuing protocol (CL)* (*without intervals). Plus: freshness with nonces! SPKs
Randomized CL-signature
Idemix showing protocol* (*without intervals). Plus: freshness with a nonce! SPK
CL showing: selective disclosure* (*without intervals). Plus: freshness with a nonce! SPK
U-Prove vs. Idemix
Comparison of functionalities
Performance (client)
U-Prove selective disclosure. W. Mostowski, P. Vullers: Efficient U-Prove Implementation for Anonymous Credentials on Smart Cards
Future of anonymous credentials… ABC4Trust; NSTIC (discussion by Francisco Corella); W3C Identity in the browser
Questions? Gergely Alpár