Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul April 9, 2004 SCLab Jinhae Kim.


Introduction I
What is a pseudonym?
–A unique identifier by which a user is known to a certain party. The same user is known under a different pseudonym by each party.
–A pseudonymous certificate binds a user’s pseudonym to his public key.
A credential is a trust provider’s statement about the user.
–Example: “lives in MN”, “has a PhD in CS”
–Credentials may be single-use or multiple-use.

Introduction II
Credential pseudonymous certificates (CPCs)
–Digital certificates that bind credentials to users.
In Chaum’s model [1]:
–Pseudonyms are unlinkable: parties that know a user by different pseudonyms must not be able to combine their logs.
–CPCs must be translatable. Example: CPC A states “p1 is in good health.” A is issued by Dr. Yongdae under pseudonym p1; Jinhae (the owner of p1) presents A to an insurance company under pseudonym p2.
[1] D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, 1985.

Security Requirements
Protection against pseudonym/credential forgery.
Protection against pseudonym/credential sharing.
–Smartcard-based passports.
–Better solution: all-or-nothing.
–Problems?
Revocation of pseudonymous certificates and credentials.

Building Blocks I
Diffie-Hellman (DH) problem
–Generator $g$ of a group $G$ of (prime) order $q$.
–$\mathrm{DH}_g(g^x, g^y) = g^{xy}$
Decision Diffie-Hellman (DDH) problem
–Given $a, b, c \in G$, decide whether $c = \mathrm{DH}_g(a, b)$.
–An alternative formulation of DDH: given $g, g^x, h, h^y$ in the group $G$, decide whether $x = y$; equivalently, decide whether $h^y = \mathrm{DH}_g(g^x, h)$ (suppose $h = g^a$; then $\mathrm{DH}_g(g^x, h) = g^{ax}$, which equals $h^y = g^{ay}$ iff $x = y$).
The scheme needs a group in which the DDH problem is easy while the DH and DL problems are hard.

Building Blocks II
Elliptic Curve Cryptography (ECC) [1]
–Elliptic curves can provide versions of the public-key methods.
–In some cases EC is faster and uses smaller keys.
–Addition on an elliptic curve plays the role of multiplication in $\mathbb{Z}_p^*$:
  In $\mathbb{Z}_p^*$: multiplication ($ab = c \pmod p$) and exponentiation ($a^b = c \pmod p$).
  On an elliptic curve: addition ($X + Y = Z$) and scalar multiplication ($\alpha X = Y$).
  Here $a, b, c \in \mathbb{Z}_p^*$, $X, Y$ are points on an elliptic curve and $\alpha$ is a constant.
[1] David Jablon, Elliptic Curve Cryptography.

Building Blocks III
DDH in ECC
–$\langle P \rangle$ is a group of (prime) order $q$ on the curve.
–$A, B, C$ is an instance of the DDH problem with respect to $P$.
–$C = \mathrm{DH}_P(A, B)$ iff $e_q(A, D(B)) = e_q(P, D(C))$.
–$D(\cdot)$ is the distortion map and $e_q(\cdot, \cdot)$ is the Weil pairing.
Bilinear map
–$B(g^x, g^y) = B(g, g)^{xy}$ $(= B(g, g^{xy}))$, so DDH is solved.
–In ECC (additive notation): $B(aP, bP) = ab \cdot B(P, P)$ $(= B(P, abP))$.

The ‘Proofless’ Variant of the Chaum-Pedersen Scheme [1]
A group $G$ of prime order $q$ with generator $g$.
–The DDH problem is easy, while the DL and DH problems are practically intractable.
The Chaum-Pedersen scheme
–The public key is $y = g^x$, where $0 \le x < q$.
–A signature on a message $m \in G$ is $z = m^x$ (plus a proof that $\log_g(y) = \log_m(z)$).
–When DDH is easy the proof is unnecessary: one can verify $\log_g(y) = \log_m(z)$ directly, since it holds iff $z = \mathrm{DH}_g(m, y)$.
[1] D. Chaum, T.P. Pedersen, Wallet Databases with Observers, Proceedings of Crypto’92.

The Variant of the C-P Scheme II
The signature $z = m^x$ is self-blindable.
–Without knowing the signing key $x$, anyone can derive another valid signature $z^k = (m^k)^x$ on the message $m^k$.
Easy blinding property
–Message (typically a hash): $M$
–Public key of the signing party: $g^x$
–Ask the signer to sign $M^r$ for some $0 \le r < q$, resulting in $M^{rx}$.

Self-Blindable Certificates
Terminology for self-blindable certificates
–$\mathcal{U}$: collection of all possible user public keys.
–$\mathcal{T}$: collection of all verification public keys of trust providers (TPs).
–$\mathcal{C}$: collection of all possible certificates.
–Credential on a user public key $P_U \in \mathcal{U}$: $\{P_U, \mathrm{Sig}(P_U, S_T)\}$, where $S_T$ is the private signing key of the TP.
Accompanied by a higher-level certificate
–$\mathrm{Cert}(P_U, \text{“Trust statement”})$
–A standard X.509 certificate with the “Trust statement” in one of its extension fields.

Self-Blindable Certificates II
The certificates are called self-blindable if:
–There exists a set $F$ of transformation factors (the transformation factor space).
–There is an efficiently computable transformation map $D: \mathcal{C} \times F \to \mathcal{C}$.
Properties
1. For any certificate $C \in \mathcal{C}$ and $f \in F$, the certificate $D(C, f)$ is signed with the same trust provider public key as $C$.
2. Let $C_1, C_2$ be certificates and $f \in F$ known. If $C_2 = D(C_1, f)$, then one can efficiently compute a transformation factor $f' \in F$ such that $C_1 = D(C_2, f')$.
3. If $C_1, C_2 \in \mathcal{C}$ are two different certificates on the same user public key, then so are $D(C_1, f)$ and $D(C_2, f)$.
4. Let $P_U$ be a user public key and $f \in F$ known. Then a user possesses the private key of $P_U$ iff it possesses the private key of $D(P_U, f)$.
5. If the user’s public key $P_U \in \mathcal{U}$ is fixed and $f \in F$ is a uniformly random element of $F$, then $D(P_U, f)$ is a uniformly random element of $\mathcal{U}$.

CPC System
Pseudonymous credential
–$\{P_U, [\mathrm{Sig}(P_U, S_N), \mathrm{Cert}(P_N, \text{“PP statement”})]\}$
–$P_U$: the public key of the user.
–$\mathrm{Sig}(P_U, S_N)$: a signature of the pseudonym provider (PP).
–$\mathrm{Cert}(P_N, \text{“PP statement”})$: a (conventional) certificate on the public verification key of the PP, with a statement on its applicability included among the usual fields (e.g., expiration date).
–The pseudonym of a user is in fact the user’s public key in its certificate.

CPC System II
Generation of a new pseudonymous certificate
–By choosing a (random) factor and transforming an initially issued pseudonymous certificate.
Credential pseudonymous certificate, based on the pseudonymous credential
–$\{P_U, [\mathrm{Sig}(P_U, S_N), \mathrm{Cert}(P_N, \text{“PP statement”})], [\mathrm{Sig}(P_U, S_C), \mathrm{Cert}(P_C, \text{“CP statement”})]^{+}\}$
–The second bracketed field (one or more of them) is the credential field.
–$\mathrm{Sig}(P_U, S_C)$: a signature of the credential provider (CP).
–The CP statement contains a statement on the credential’s applicability (e.g., “is over 18 years old”).

Overview of System Description

High-level System Description
Initial registration
–The user registers, typically in a non-anonymous fashion, with a pseudonym provider.
–After registration a First Pseudonymous Certificate (FPC) is issued.
–The pseudonym provider puts the FPC in a public directory.
–When unique pseudonyms are required, the provider has the option to maintain a private list of the physical persons that were issued a pseudonymous certificate.

System Description II
Credential issuance
–The user transforms its FPC into a random pseudonymous certificate (RPC) using a random transformation factor.
–The user registers with a CP using this RPC, which includes a proof of possession of the private key.
–This registration need not be anonymous. The user does what is required to obtain a credential (e.g., takes a driver’s exam, shows other credentials).
–Upon succeeding, the user is issued a credential on the RPC; the result is the CPC.
–The pseudonym provider has the option to put the CPC in a public directory.

System Description III
Credential use
–The user registers (typically anonymously) with a service provider (SP) using a new RPC. (If I can make an RPC from my FPC, what about others?)
–The user combines all of the CPCs relating to the credentials required by the SP into one CPC under the registered pseudonym. This uses the second property (invertible transformation) on the transformation factors of the individual, original CPCs: each CPC is first translated back to the first pseudonym and then translated to the registered pseudonym.
–This certificate is presented to the SP, together with a proof of possession of the private key referenced in this CPC.

System Description IV
Credential use II: double-spend checking
–The SP has the option to require that the user contact a specific trust provider (the unicity provider).
–The user sends this trust provider the transformation factor(s) transforming the new RPC to the FPC.
–The trust provider validates that these factor(s) transform the RPC into an FPC on the PP’s directory, and that this FPC was not registered before. (Problems?)
Note 1: The PP directory does not specify user identities, only FPCs.
Note 2: The specific trust provider need not be the user’s pseudonym provider.

System Description V
A TP can link two different pseudonyms of a user.
–During registration, the PP and the user ($U$) exchange a secret $S$.
–If a trust provider ($T$) wants to provide assurance on unique pseudonyms, the PP provides a list consisting of transformed FPCs, constructed in such a way that:
  $U$’s FPC is transformed using the transformation factor $f = H(T, S)$ ($H$: a secure hash function);
  the order of the FPCs is randomly permuted.

Revocation of Certificates
1st method: pro-active
–Let the trust providers employ signing keys with a short expiration time (e.g., a week).
–If a pseudonymous certificate/credential has not been revoked, the trust provider automatically updates the certificates/credentials in its directory with newly signed ones.
–A user can collect the updated pseudonymous certificates/credentials, preferably via an anonymous channel.

Revocation II
2nd method: using the flexible secret-sharing technique
–Send the trust provider specific transformation factors along with a (credential) pseudonymous certificate.
–The TP can retrieve the originally issued (credential) pseudonymous certificates and find out whether they have been revoked.
–The trust provider then provides a statement on the status of the (credential) pseudonymous certificate to the service provider.
–The service provider still needs to verify that the user is in possession of the private key referenced in the randomized CPC that was used.

A Simple Construction for CPCs
$G = \langle g \rangle$ is a group of prime order $q$.
The set $\mathcal{T}$ of all trust providers’ public keys consists of pairs of the form $(j, j^s)$, with $0 \le s < q$ the private key.
$\mathcal{U}$ consists of elements of the form $g^x$, with $0 < x < q$ the user’s private key.
A certificate issued by a trust provider with public key $(h, h^z)$ on a user public key $g^x$:
–$\{g^x, g^{xz}\}$
The transformation $D: \mathcal{C} \times F \to \mathcal{C}$:
–$(\{X, Y\}, f) \mapsto \{X^f, Y^f\}$
–The certificate $\{g^x, g^{xz}\}$ is transformed into the certificate $\{g^{xf}, g^{xfz}\}$ under factor $f$.
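The simple construction and the credential-combining step of System Description III, as an added example that is not part of the slides or of Verheul’s paper. It assumes a toy bilinear group in which a point $aP$ is stored as the scalar $a \bmod Q$ and the pairing is $e(aP, bP) = ab \bmod Q$, standing in for the Weil pairing (the constant Q, the dictionary layout of the trust provider key and all function names are this example’s own choices).

```python
# Added example (not from the slides or Verheul's paper): the simple CPC
# construction in a toy bilinear group.  A point a*P is stored as the scalar
# a mod Q, "point addition" is + mod Q and e(a*P, b*P) = a*b mod Q is bilinear.
# Discrete logs are trivial here, so this is NOT secure; it only makes the
# certificate algebra executable in place of the Weil pairing on a curve.
import secrets

Q = 1000003  # constructed prime group order (a real system uses a ~160-bit q)

def pair(a, b):
    return (a * b) % Q

def scale(f, point):
    return (f * point) % Q

def inv(f):
    return pow(f, Q - 2, Q)

def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)  # uniform in 1..Q-1

def tp_keygen():
    """Trust provider key pair: public (H, z*H) (the slides' h, h^z), private z."""
    z, h = rand_scalar(), rand_scalar()
    return {"H": h, "zH": scale(z, h)}, z

def issue(z, pub_user):
    """'Proofless' Chaum-Pedersen signature: certificate {P_U, z*P_U}."""
    return (pub_user, scale(z, pub_user))

def verify(cert, tp_pub):
    """DDH check through the bilinear map: e(P_U, zH) == e(z*P_U, H)."""
    p_u, sig = cert
    return pair(p_u, tp_pub["zH"]) == pair(sig, tp_pub["H"])

def transform(cert, f):
    """D({X, Y}, f) = {f*X, f*Y}; the user's private key x becomes f*x."""
    return tuple(scale(f, c) for c in cert)

def combine_credentials(cpcs, factors, target):
    """Move CPCs issued on different RPCs onto one new pseudonym: cpcs[i] lives on
    D(FPC, factors[i]); back to the FPC (property 2) and on to D(FPC, target)."""
    return [transform(c, inv(f) * target % Q) for c, f in zip(cpcs, factors)]

def demo():
    pp_pub, pp_priv = tp_keygen()   # pseudonym provider
    cp_pub, cp_priv = tp_keygen()   # credential provider
    x = rand_scalar()               # user's private key; FPC public key is x*P
    fpc = issue(pp_priv, x)
    f1, f2, f3 = rand_scalar(), rand_scalar(), rand_scalar()
    cpc1 = issue(cp_priv, transform(fpc, f1)[0])   # credential under RPC 1
    cpc2 = issue(cp_priv, transform(fpc, f2)[0])   # credential under RPC 2
    new_rpc = transform(fpc, f3)                   # pseudonym shown to the SP
    merged = combine_credentials([cpc1, cpc2], [f1, f2], f3)
    same_pseudonym = all(c[0] == new_rpc[0] for c in merged)
    all_valid = verify(new_rpc, pp_pub) and all(verify(c, cp_pub) for c in merged)
    # A certificate signed with any key other than the CP's fails the pairing check.
    forged = issue((cp_priv + 1) % Q, new_rpc[0])
    return same_pseudonym, all_valid, verify(forged, cp_pub)
```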

A Simple Construction II
1. The user registers, typically in a non-anonymous fashion, with a pseudonym provider.
2. The PP generates a random $0 < x < q$ and
–forms the user public key $g^x$ and the certificate $\{g^x, g^{xz}\}$;
–puts all information on a tamper-resistant signing device;
–the private key information of (transformed) certificates can be used but not retrieved from the device.
3. The secure signing device is handed over to the user in a secure fashion.

A More Robust Construction
$G = \langle g \rangle$ is a group of prime order $q$.
There exists an embedding $E(\cdot)$ from $G$ into a group $G'$ in which all three problems (DL, DH and DDH) are practically intractable.
The set $\mathcal{T}$ of all trust providers’ public keys consists of pairs of the form $(j, j^s)$, with $0 \le s < q$ the private key.
The PP publishes a certified pair $(r, s) = (r, r^f)$
–$r, s \in G$, with $0 < f < q$ unknown to all parties.
$\mathcal{U}$ consists of elements of the form $(g_1, g_2, g_1^{x_1} g_2^{x_2})$
–$0 < x_1, x_2 < q$,
–$g_1$ is a random generator and $\log_{g_1}(g_2) = f$.

A More Robust Construction II
The certificate with public key $(h, h^z)$ on a user’s public key $(g_1, g_2, g_1^{x_1} g_2^{x_2})$:
–$\{g_1, g_2, g_1^{x_1} g_2^{x_2}, (g_1^{x_1} g_2^{x_2})^z\}$
The transformation $D: \mathcal{C} \times F \to \mathcal{C}$:
–$(\{X, Y, W, Z\}, (k, l)) \mapsto \{X^l, Y^l, W^{kl}, Z^{kl}\}$
–The certificate $\{g_1, g_2, g_1^{x_1} g_2^{x_2}, (g_1^{x_1} g_2^{x_2})^z\}$ is transformed into $\{g_1^l, g_2^l, g_1^{x_1 kl} g_2^{x_2 kl}, (g_1^{x_1 kl} g_2^{x_2 kl})^z\}$ under factor $(k, l)$.

A More Robust Construction III
1. The user registers, typically in a non-anonymous fashion, with a PP.
2. The PP generates a random pair $(g_1, g_2)$
–$g_2 = g_1^f$ (a random power of the elements $r, s$).
–The pair $(g_1, g_2)$ is sent to the user or to a smart card issuer.
3. The user generates a random private key $0 \le x < q$ and forms $g_2^x$.
–Sends $g_2^x$ and proves possession of the private key $x$.
4. The PP forms the public key $(g_1, g_2, g_1 g_2^x)$ and
–places a Chaum-Pedersen signature on it, i.e., $(g_1 g_2^x)^z$;
–employs the embedding $E: G \to G'$;
–determines the elements $E(g_2), E(g_2^x)$ of the group $G'$;
–determines a random power $r$ of these elements, i.e., $E(g_2)^r, E(g_2^x)^r$;
–forms a conventional non-repudiation certificate on $(E(g_2)^r, E(g_2^x)^r)$;
–issues the first pseudonymous certificate and the non-repudiation certificate to the user. Both are also stored in separate directories.

A More Robust Construction IV
Characteristics of the embedding $E(\cdot)$
–Homomorphism: the signing key of $E(g_2^x)^r$ (relative to $E(g_2)^r$) is $x$.
–One-way function: it is hard to obtain $g_2^r, g_2^{xr}$ from $E(g_2)^r, E(g_2^x)^r$.
–It would be impossible to relate $E(g_2), E(g_2^x)$ (deducible from the FPC) to $E(g_2)^r, E(g_2^x)^r$ (deducible from the non-repudiation certificate), because DDH is hard in $G'$.

Protection against Pseudonym/Credential Forgery
Based on an all-or-nothing concept.
–The private key in a transformed credential takes the form $(k, k \cdot x \bmod q)$ for some $0 < k < q$.
–Dividing the second part by the first part yields the user’s non-repudiation key $x$.
–If the user transfers a credential, it therefore also transfers a copy of its non-repudiation signing key.
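The robust construction’s $(k, l)$ transformation and the all-or-nothing property above, as an added example that is not part of the slides or of Verheul’s paper. It uses the same toy bilinear group as the earlier simple-construction example (a point $aP$ is the scalar $a \bmod Q$, $e(aP, bP) = ab \bmod Q$), so $g_1^{x_1} g_2^{x_2}$ becomes $x_1 g_1 + x_2 g_2 \bmod Q$; the key values 5, 7, 11, 13, 3, 9 and the factor $(k, l) = (2, 4)$ are constructed for the demonstration, and the extra check that $(g_1, g_2)$ is a power of the PP’s certified pair $(r, r^f)$ is the DDH test from Building Blocks I applied to that pair.

```python
# Added example (not from the slides or Verheul's paper): the more robust
# construction in a toy bilinear group.  A point a*P is the scalar a mod Q,
# point addition is + mod Q, e(a*P, b*P) = a*b mod Q, so the slides'
# g1^x1 g2^x2 is x1*g1 + x2*g2 mod Q.  Discrete logs are trivial: NOT secure.
Q = 1000003  # constructed prime group order

def pair(a, b):
    return (a * b) % Q

def inv(f):
    return pow(f, Q - 2, Q)

def robust_issue(z, g1, g2, x1, x2):
    """Certificate {g1, g2, W, z*W} with W = x1*g1 + x2*g2."""
    w = (x1 * g1 + x2 * g2) % Q
    return (g1, g2, w, (z * w) % Q)

def robust_verify(cert, tp_pub, pp_pair):
    """Two DDH checks via the pairing: the Chaum-Pedersen part
    e(W, zH) == e(zW, H), and log_g1(g2) == log_r(s) for the PP's
    certified pair (r, s) = (r, f*r), i.e. e(r, g2) == e(s, g1)."""
    g1, g2, w, sig = cert
    r, s = pp_pair
    return (pair(w, tp_pub["zH"]) == pair(sig, tp_pub["H"])
            and pair(r, g2) == pair(s, g1))

def robust_transform(cert, k, l):
    """D({X, Y, W, Z}, (k, l)) = {l*X, l*Y, k*l*W, k*l*Z}."""
    x, y, w, z = cert
    return ((l * x) % Q, (l * y) % Q, (k * l * w) % Q, (k * l * z) % Q)

def holds_key(cert, x1, x2):
    """True iff (x1, x2) is the private key of W relative to the cert's own bases."""
    g1, g2, w, _ = cert
    return (x1 * g1 + x2 * g2) % Q == w

def transformed_key(x1, x2, k):
    """After D(., (k, l)) the secret relative to (l*g1, l*g2) is (k*x1, k*x2):
    k*l*(x1*g1 + x2*g2) = (k*x1)*(l*g1) + (k*x2)*(l*g2)."""
    return ((k * x1) % Q, (k * x2) % Q)

def recover_nonrepudiation_key(key):
    """All-or-nothing: the registration key is (1, x), so a transformed
    credential carries (k, k*x); second part divided by first gives x."""
    k, kx = key
    return (kx * inv(k)) % Q

def demo():
    z, h = 5, 7                          # constructed CP key: public (H, zH) = (7, 35)
    tp_pub = {"H": h, "zH": (z * h) % Q}
    f, r = 11, 13                        # PP's certified pair (r, f*r) = (13, 143)
    pp_pair = (r, (f * r) % Q)
    g1, x = 3, 9                         # fresh base g1; user's non-repudiation key x
    fpc = robust_issue(z, g1, (f * g1) % Q, 1, x)      # registration key is (1, x)
    rpc = robust_transform(fpc, k=2, l=4)
    key = transformed_key(1, x, 2)                     # (2, 18)
    return (robust_verify(fpc, tp_pub, pp_pair), robust_verify(rpc, tp_pub, pp_pair),
            holds_key(rpc, *key), holds_key(rpc, 1, x), recover_nonrepudiation_key(key))
```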

Conclusion
–Anonymity without the need for a trusted third party.
–The system is based on a new paradigm: self-blindable certificates.
–Certificates were constructed using the Weil pairing on supersingular elliptic curves.
–A robust system provides cryptographic protection against the forgery and transfer of credentials.