A Simple Traceable Pseudonym Certificate System for RSA-based PKI
SCGroup, Jinhae Kim
Introduction
– Digital certificate: an authorized assertion about a public key
  – The holder can prove ownership of the key by using the corresponding private key
  – The current PKI is privacy-intrusive: certificate use can be linked and traced
– Pseudonym certificate
  – The holder is identifiable by a pseudonym only
  – The digital certificate contains the pseudonym as its subject identifier
  – Can be used in anonymous transactions
Building Blocks
– PKI
– RSA
– Pseudonym
– Blind signature
– Threshold cryptography
– X.509 certificate
Basic Model
[Figure: the pseudonym certificate issuer PI consists of an Anonymous Issuer (AI) and a Blind Issuer (BI); the figure shows the User, the CA and service-provider Sites 1 … n, with arrows labelled i, ii, iii, iv corresponding to steps I–IV on the next slide.]
Basic Model – cont’d
I. User U holds a digital certificate issued by the CA under her real identity
II. User U can access service providers (SPs)
III. An SP asks PI to revoke a certificate
  – PI: pseudonym certificate issuer, consisting of AI and BI
IV. AI and BI collaborate to link ID_U and PN_U
  – ID_U: real identity of user U
  – PN_U: pseudonym of user U
Traceable Pseudonym Certificates
[Figure: three certificate layouts side by side.]
(a) X.509 v3 certificate: Version, Serial Number, Signature Algorithm ID, Issuer Name, Validity Period, Subject Name, Subject Public Key Info, Extensions
(b) Pseudonym certificate skeleton: Version 3, SN, RSA, PI, *, *, *, Extensions (the asterisks are fields left blank in the skeleton)
(c) Traceable pseudonym certificate: Version 3, SN, RSA, PI, Validity Period, PN, ppk_U, SIG_PN, Extensions
Extension annotations in the figure: Critical: (C_i), * and Critical: (C_1, C_2, …, C_m)
Basic Protocol – I
Basic assumptions
– The CA’s and PS’s authentic public keys are respectively available.
– User U holds a real identity certificate denoted by {ID_U, pk_U}_SIG_CA
– The RSA private exponent d of PI is split into d_2 for AI and d_1 for BI (in the case of a single BI)
  – AI can control and verify the contents of a pseudonym certificate
  – BI can verify the user’s real identity
Basic Protocol – II
1. U → AI: Skeleton Request
  – Option: U can submit her basic information so that AI can choose an appropriate BI
  – AI stores the certificate skeleton with index SN
2. AI → U: Certificate Skeleton M
  – U computes h = H(M) and blinds it: u = h r^e mod N, r: random number
3. U → BI: {ID_U, pk_U}_SIG_CA, {{u}_SIG_U, ρ}_ENC_BI
  – BI verifies {ID_U, pk_U}_SIG_CA under pk_CA
  – Decrypts {{u}_SIG_U, ρ}_ENC_BI and verifies u under pk_U
  – Records (ID_U, u)
  – Computes w = u^{d_1} mod N
Basic Protocol – III
4. BI → U: {w}_ENC_AI, encrypted under ρ
  – U decrypts {w}_ENC_AI under ρ
  – Computes {{M}_SIG_PN, r, {w}_ENC_AI}_ENC_AI
5. U → AI: {{M}_SIG_PN, r, {w}_ENC_AI}_ENC_AI
  – AI verifies {M}_SIG_PN under ppk_U and compares M with the record stored under SN
  – Computes z = w^{d_2} mod N
  – Checks z r^{-1} mod N against the record
  – Sends z
6. AI → U: z
  – U computes z r^{-1} mod N to recover h^d mod N
  – Verifies h^d mod N and obtains the traceable pseudonym certificate
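The following is an added, runnable model of steps 1–6 together with the trace and revoke-all paths of the next slide; it is example code written for this page, not the authors’ implementation. Assumptions not stated on the slides: the exponent is split multiplicatively (d_1·d_2 ≡ d mod λ(N), which is what makes (u^{d_1})^{d_2} = u^d as the slides compute), H is SHA-256 reduced into Z_N, the skeleton M is a byte string, pseudonyms are identified by SN, and the transport encryptions (ENC_BI, ENC_AI, ρ) and the {M}_SIG_PN check are left out. The RSA modulus is a constructed toy (64-bit) and is far too small for real use.

```python
"""Toy model of the AI/BI split-exponent blind issuing of a pseudonym
certificate, the per-pseudonym trace, and the revoke-all path.
Added example, not the paper's code; see lead-in for assumptions."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key of the pseudonym issuer PI (toy size, not secure)
P, Q = 2147483647, 4294967291          # 2^31-1 and 2^32-5, both prime
N = P * Q
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(N)
E = 65537
D = pow(E, -1, LAM)


def split_private_exponent(d: int, lam: int):
    """Assumption: multiplicative split d1*d2 = d (mod lambda(N)), so that
    z = (u^d1)^d2 = u^d exactly as slides II/III compute it."""
    while True:
        d1 = secrets.randbelow(lam - 2) + 2
        if gcd(d1, lam) == 1:
            return d1, d * pow(d1, -1, lam) % lam


D1, D2 = split_private_exponent(D, LAM)       # d1 -> BI, d2 -> AI


def H(m: bytes) -> int:
    """h = H(M): hash of the certificate skeleton, reduced into Z_N (assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


class BlindIssuer:
    """BI: learns ID_U and the blinded value u, never M or the pseudonym."""
    def __init__(self, d1: int):
        self.d1 = d1
        self.records = []                       # step 3 'Record': (ID_U, u)

    def partial_sign(self, id_u: str, u: int) -> int:
        self.records.append((id_u, u))
        return pow(u, self.d1, N)               # w = u^d1 mod N

    def trace(self, z: int) -> str:
        """Revocation of one pseudonym: AI hands over z, BI recovers u = z^e."""
        u = pow(z, E, N)
        return next(i for i, rec_u in self.records if rec_u == u)

    def partials_for(self, id_u: str):
        """Revoke-all path: u^d1 for every record of this user, sent to AI."""
        return [pow(u, self.d1, N) for i, u in self.records if i == id_u]


class AnonymousIssuer:
    """AI: learns the skeleton M (indexed by SN) and r, never ID_U."""
    def __init__(self, d2: int):
        self.d2 = d2
        self.skeletons = {}                     # SN -> M
        self.issued = {}                        # z -> SN, so z can be recovered later

    def new_skeleton(self, sn: int, m: bytes):
        self.skeletons[sn] = m

    def finish(self, sn: int, w: int, r: int) -> int:
        z = pow(w, self.d2, N)                  # z = w^d2 mod N
        # 'Check z r^-1 mod N under Record': it must verify as PI's signature on H(M)
        if pow(z * pow(r, -1, N) % N, E, N) != H(self.skeletons[sn]):
            raise ValueError("partial signature does not match skeleton SN=%d" % sn)
        self.issued[z] = sn
        return z

    def revoke_all(self, partials):
        """Raise each u^d1 to d2 to get z, then look up the pseudonym (here: SN)."""
        zs = (pow(w, self.d2, N) for w in partials)
        return [self.issued[z] for z in zs if z in self.issued]


def issue_pseudonym(user_id: str, ai: AnonymousIssuer, bi: BlindIssuer, sn: int, m: bytes):
    """User side of steps 1-6. Returns (z, sig) with sig = h^d mod N, PI's signature on M."""
    ai.new_skeleton(sn, m)                      # steps 1-2: skeleton M stored under SN
    h = H(m)
    while True:                                 # r: random blinding factor, invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    u = h * pow(r, E, N) % N                    # u = h r^e mod N
    w = bi.partial_sign(user_id, u)             # steps 3-4: BI sees ID_U, not M
    z = ai.finish(sn, w, r)                     # steps 5-6: AI sees M, not ID_U
    sig = z * pow(r, -1, N) % N                 # unblind: z r^-1 = h^d mod N
    return z, sig


def verify_pseudonym_cert(m: bytes, sig: int) -> bool:
    """Anyone can check PI's signature on the skeleton with the public key (e, N)."""
    return pow(sig, E, N) == H(m)


if __name__ == "__main__":
    bi, ai = BlindIssuer(D1), AnonymousIssuer(D2)
    z, sig = issue_pseudonym("ID_alice", ai, bi, 1, b"skeleton-1")
    print("valid:", verify_pseudonym_cert(b"skeleton-1", sig), "traced:", bi.trace(z))
```

The split of knowledge is the point: BI’s table links ID_U to u, AI’s table links SN (the pseudonym) to z, and only the combination z^e = u joins the two, so neither issuer alone can de-anonymise a user.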
Pseudonym Revocation and Trace
An SP asks AI to revoke a certain pseudonym
– Submits PN_U to AI
– AI retrieves the record, recovers z and sends it to BI
– BI obtains the real identity ID_U
  – u = z^e mod N
  – From its record of u it can find ID_U
Revoke all pseudonyms of a user U’
– BI retrieves all of its records for U’
– Sends u^{d_1} mod N to AI securely
– AI raises it to d_2 to get z and retrieves all pseudonyms of U’
Extended Protocols
Threshold schemes
– In case of multiple BIs
– Apply an RSA (L, k)-threshold signature scheme
Re-blinding variants
– Disable the tracing ability (e.g., e-voting)
Selective credential show
– User’s digital credential: flag: 0 – mandatory, 1 – selective; h(c_i): hash value of credential c_i
– PI should certify all semi-records whose flag is 0, but only a hashed value for those whose flag is 1
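An added example of the selective credential show, written for this page and not taken from the paper: the user builds the semi-records (cleartext for flag 0, h(c_i) for flag 1), the certified record list stands in for the certificate contents, and at show time the user opens only the selective credentials she chooses. One addition beyond the slide, labelled in the code: each h(c_i) is computed over the credential plus a random salt kept by the user, since a bare hash of a low-entropy credential (an age, a city) could otherwise be guessed by the verifier.

```python
"""Selective credential show over hashed semi-records.
Added example, not the paper's code; the salt is an addition to the slide."""
import hashlib
import secrets

MANDATORY, SELECTIVE = 0, 1


def commit(value: str, salt: str) -> str:
    """h(c_i): SHA-256 over value||salt. Salting is an assumption added here
    so that a selective credential cannot be guessed from its hash."""
    return hashlib.sha256(f"{value}|{salt}".encode()).hexdigest()


def build_semi_records(credentials):
    """credentials: list of (flag, name, value) as on the slide.
    Returns (records handed to PI for certification, user's private openings):
    flag 0 records carry the value in clear, flag 1 records carry only h(c_i)."""
    records, openings = [], {}
    for flag, name, value in credentials:
        if flag == MANDATORY:
            records.append({"flag": MANDATORY, "name": name, "value": value})
        else:
            salt = secrets.token_hex(16)
            openings[name] = (value, salt)
            records.append({"flag": SELECTIVE, "name": name, "hash": commit(value, salt)})
    return records, openings


def show(records, openings, reveal):
    """User side: present the certified records plus openings for chosen credentials."""
    return {"records": records, "opened": {n: openings[n] for n in reveal}}


def verify(presentation, certified_records):
    """Verifier side: the records must be exactly what PI certified (the certificate
    content), and every opening must hash to the certified h(c_i).
    Returns the disclosed credentials, or None if anything fails to check."""
    if presentation["records"] != certified_records:
        return None
    by_name = {r["name"]: r for r in certified_records}
    disclosed = {r["name"]: r["value"] for r in certified_records if r["flag"] == MANDATORY}
    for name, (value, salt) in presentation["opened"].items():
        rec = by_name.get(name)
        if rec is None or rec["flag"] != SELECTIVE or commit(value, salt) != rec["hash"]:
            return None                         # unknown, non-selective, or forged opening
        disclosed[name] = value
    return disclosed


# Constructed sample credential set
SAMPLE = [(MANDATORY, "pseudonym", "PN-7f3a"),
          (SELECTIVE, "age_over_18", "yes"),
          (SELECTIVE, "city", "Daejeon")]

if __name__ == "__main__":
    recs, opens = build_semi_records(SAMPLE)     # certified by PI in the protocol
    print(verify(show(recs, opens, ["age_over_18"]), recs))
```

The verifier learns every mandatory field and only the selective fields that were opened; a hash in the certificate for an unopened credential reveals nothing beyond its existence.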
Conclusion
– Can be used on existing PKIs without requiring additional crypto modules
– Fully compatible with X.509 certificates
– Simple and efficient, with versatile privacy-enhancing features
– Choice between traceability and absolute anonymity
– Threshold variants for more secure applications
References
– Yongdae Kim, et al., “A Simple Traceable Pseudonym Certificate System for RSA-based PKI.”
– D. Chaum, “Security without identification: Transaction systems to make big brother obsolete,” Communications of the ACM, vol. 28, no. 10, pp.
– X.509, “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks,” ITU-T Recommendation X.509.