Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research.

Published byGrant Alexander Modified over 9 years ago

Similar presentations

Presentation on theme: "Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research."— Presentation transcript:

1 Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research

2 Credentials: Motivation ID cards – Sometimes used for other uses E.g. prove you’re over 21, or verify your address – Don’t necessarily need to reveal all of your information – Don’t necessarily want issuer of ID to track all of it’s uses – How can we get the functionality/verifiability of an physical id in electronic form without extra privacy loss

3 The goal – Users should be able to obtain credentials Show some properties – Without Revealing additional information Allowing tracking Credentials: Motivation

4 Other applications – Transit tokens/passes – Electronic currency – Online polling Implementations – Idemix (IBM), UProve (Microsoft) Credentials: Motivation

5 Credentials Alice Organization Org says Name Alice Address Birthdate Birthplace Citizenship … Service Org says Name Alice Address Birthdate Birthplace Citizenship …

6 Org says Name Alice Address Birthdate Birthplace Citizenship … Credentials Alice Organization Service Reveals a lot of info on Alice! Org says Name Alice Address Birthdate Birthplace Citizenship …

7 Alice Organization Service “I have a cred from Org saying WA resident Age >21” Cred from Org Name Alice Address Birthdate Birthplace Citizenship … A new model Anonymous Credentials/Minimal Disclosure Tokens [Chaum83, …] Reveals only what Alice chooses to reveal Need not reveal her name (Need Accountability)

8 Alice Service “I have a cred from Org saying WA resident Age >18” Cred from Org Name Alice Address Birthdate Birthplace Citizenship … Organization A new model Anonymous Credentials/Minimal Disclosure Tokens [Chaum83, …] Cannot Identify Alice (if her name is not provided) Learn anything beyond the info she gives (and what can be inferred) Distinguish two users with the same attributes Link multiple uses of the same credentials

9 How can we do this? Signatures/Certs? – No privacy! What about other crypto tools? We will use – Zero Knowledge Proof of knowledge (interactive or Fiat-Shamir) – Commitments – Blind signatures

10 Roadmap Review crypto tools Construct basic credential systems Additional issues – Revocation – Deciding who to revoke Additional features – Non-interactive credentials/signatures – Delegation Conclusion

11 Zero Knowledge Proofs Alice Service Alice wants to convince service that statement X is true, Without revealing any other information Statement X X is true OR Alice is cheating Knows X is true

12 Zero Knowledge Proofs AliceService Alice wants to convince service that she has such a signature Without revealing any other information “I have signature from Org on message m such that …. X is true OR Alice is cheating Fiat Shamir: get challenge from hash function

13 Commitments Like locked box or safe Hiding – hard to tell which message is committed to Binding – there is a unique message corresponding to each commitment Msg, Msg E.g. Pederson Commitment: C = g m h r

14 Blind signatures Alice learns only signature on her message. Signer learns nothing. Signature under pk on m Signing key: sk Message: m Verification key: pk

15 Blind signatures Alice learns only signature on her message. Signer learns nothing. Signature under pk on m Signing key: sk Message: m Verification key: pk Msg Sign(sk, )

16 How it works (abstractly) Anonymous Credentials/Minimal Disclosure Tokens Alice Organization Service “I have a cred from Org saying WA resident Age >21” Cred from Org Name Alice Address Birthdate Birthplace Citizenship … secret Prevents impersonation Tie multiple creds to one user Prevents impersonation Tie multiple creds to one user

17 Alice Organization Service Prove “I have a cred from Org saying WA resident Age >21” Signature from Org secret Name Alice Address Birthdate Birthplace Citizenship … secret Need to generate signature without Org learning secret How it works Anonymous Credentials/Minimal Disclosure Tokens

18 How can we “prove” this without revealing secret rest of message signature Alice Organization Service Prove “I have sig from Org * @@@, WA #>21 Signature from Org secret Name Alice Address Birthdate Birthplace Citizenship … secret How it works Anonymous Credentials/Minimal Disclosure Tokens

19 Alice Organization Service Zero Knowledge Proof “I have sig from Org * @@@, WA #>21 Signature from Org secret Name Alice Address Birthdate Birthplace Citizenship … secret Proof does not reveal secret rest of message signature

20 Is this practical? Depends on how we implement proofs and blind signatures Two main approaches: – RSA type signatures [CL02] Based on strong version of RSA assumption Idemix (IBM) – DSA type signatures [Brands 99] Based on discrete logarithm problem (more or less) UProve (Microsoft) – Also third type based on elliptic curves with pairings [BCKL08] Less efficient Allows for extra features

21 Key tool: Proof of knowledge of discrete log – Given Y, g, prove “I know x such that Y = g x ” – Generalized: Given Y, g, h, prove “I know x, z such that Y = g x h z” Given Y, W, g, h, prove “I know x such that Y = g x and Z = h x” Prove arithmetic relationships Prove that values are not equal ….. – Prove statements about commitments, signatures, encryptions, etc. Is this practical?

22 Alice Service Alice wants to convince service that she knows x, Without revealing any other information I know x such that Y = g x Check if AY c = g z Knows X is true Is this practical? A = g r c z = r + cx

23 Key tool: Proof of knowledge of discrete log – Given Y, g, prove “I know x such that Y = g x ” – Generalized: Given Y, g, h, prove “I know x, z such that Y = g x h z” Given Y, W, g, h, prove “I know x such that Y = g x and Z = h x” Prove arithmetic relationships Prove that values are not equal ….. – Prove statements about commitments, signatures, encryptions, etc. Is this practical?

24 Roadmap Review crypto tools Construct basic credential systems Additional issues – Revocation – Deciding who to revoke Additional features – Non-interactive credentials/signatures – Delegation Conclusion

25 Credentials Now we have an anonymous credential system. What other issues come up? What about misuse of credentials? – If everyone is completely anonymous, how do we deal with misuse of privileges? – Can we revoke credentials? – Can we even tell whose credential to revoke?

26 Credential Revocation Expiration dates – Can be embedded in anonymous credentials – prove that expiration date > current date CRL (Certificate Revocation List) – List of all revoked certificates – Verifier can check that presented cert is not on list – Anonymous CRLs? : How to check that the credential is not on the revoked list without compromising privacy?

27 Anonymous CRLs Option 1: – Verifier gives Alice CRL – Alice proves that her credential is not on the list (for each value on the list, prove that her value is different) Option 2: – We can do this more concisely using accumulators – Issuer publishes accumulator – single value that encapsulates all revoked credentials (or all good credentials) – Users, given updates to CRL (or list of all good credentials), can give short proof they are not on CRL (or they are on whitelist).

28 How do we deal with misuse of privileges? (How do we tell who to revoke?) Depends how we define misuse: – Simple type: reused one-use token Tried to vote twice in a poll Tried to spend transit token twice – More complex scenarios Trust a judge to determine misuse

29 Credentials meant to be used only once (or fixed number of times) – Subway tokens – Electronic currency (e-cash) – Movie tickets – Access passes for online service Service records “serial number” on every token used As long as each token is only used once – user is anonymous – multiple tokens used by the same user are unlinkable If token is used twice, identity of user is revealed. Previous work [Chaum83, CFN90,… CHL05,… BCKL09] How do we deal with misuse of privileges? One-Time/Limited Use Credentials

30 Anything digital can be copied! Why can’t Alice just copy her credential, and give one copy to Bob and the other to Carol? – Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org – Id: the identifying info for the user – T: the slope of a line with f(0)=Id When cred is used it includes (R, D): – R: transaction information (station name, timestamp, etc) – D: Doublespending tag (f(R)). » (R,D) and (R’,D’) gives Id (0,Id) (R, D) How do we deal with misuse of privileges? One-Time/Limited Use Credentials

31 Anything digital can be copied! Why can’t Alice just copy her credential, and give one copy to Bob and the other to Carol? – Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org – Id: the identifying info for the user – T: the slope of a line with f(0)=Id When cred is used it includes (R, D): – R: transaction information (station name, timestamp, etc) – D: Doublespending tag (f(R)). » (R,D) and (R’,D’) gives Id (R’, D’) (0,Id) (R, D) How do we deal with misuse of privileges? One-Time/Limited Use Credentials

32 Anything digital can be copied! Why can’t Alice just copy her credential, and give one copy to Bob and the other to Carol? – Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org – Id: the identifying info for the user – T: the slope of a line with f(0)=Id When cred is used it includes (R, D): – R: transaction information (station name, timestamp, etc) – D: Doublespending tag (f(R)). » (R,D) and (R’,D’) gives Id (R’, D’) (0,Id) (R, D) How do we deal with misuse of privileges? One-Time/Limited Use Credentials

33 Anything digital can be copied! Why can’t Alice just copy her credential, and give one copy to Bob and the other to Carol? – Efficient Solution: offline e-cash [CFN90] Cred includes (T, Id) unknown to Org – Id: the identifying info for the user – T: the slope of a line with f(0)=Id When cred is used it includes (R, D): – R: transaction information (station name, timestamp, etc) – D: Doublespending tag (f(R)). » (R,D) and (R’,D’) gives Id (R’, D’) (0,Id) (R, D) (0,Id) How do we deal with misuse of privileges? One-Time/Limited Use Credentials

34 Trusted judge (anonymity revocation authority) – Alice also sends encryption of her identity under judge’s public key (Identity escrow) – In case of misuse, Service gives encryption to judge If judge agrees credential was misused, it can decrypt and find Alice’s identity Disadvantage: users have no anonymity w.r.t. revocation authority Judge must be trusted Advantage: very flexible Techniques: Verifiable encryption How do we deal with misuse of privileges? More complex scenarios

35 Roadmap Review crypto tools Construct basic credential systems Additional issues – Revocation – Deciding who to revoke Additional features – Non-interactive credentials/signatures – Delegation Conclusion

36 Other Features Log of all valid users and their credentials? Post an anonymous message with proof of a credential? Non-interactive credentials (Signatures) – Challenge: proof needs to be one message – Non interactive Zero Knowledge proof Fiat-Shamir (using hash as challenge) Or recent proof techniques based on special elliptic curves

37 Cred from Webmaster Moderator Delegation Alice “I have a level 2 cred from Webmaster saying Registered user” Cred from Moderator who has cred from Webmaster Registered User Forum Moderator Forum Moderator and Alice should remain anonymous Webmaster

38 Cred from Webmaster Moderator Delegation Alice “I have a level 2 cred from Webmaster saying Registered user” Cred from Moderator who has cred from Webmaster Registered User Webmaster Forum Moderator Forum Moderator and Alice should remain anonymous

39 Cred from Webmaster Moderator Delegation Alice “I have a level 2 cred from Webmaster saying Registered user” Cred from Moderator who has cred from Webmaster Registered User Forum Moderator Forum Moderator and Alice should remain anonymous Webmaster

40 Delegation Alice Sig from Bob secret Alice Registered User Sig from Webmaster secret Bob Moderator Proof of “Bob has a sig from Webmaster saying Moderator” Proof of “I have a sig from Bob saying Registered User” Proof of “Bob has a sig from Webmaster saying Moderator” If Alice uses the same proof each time, service will know Webmaster Forum Moderator

41 Can we do this? – Not clear with traditional techniques – Need proofs with special properties Randomizable proofs Alice Forum ModeratorProof of “Bob has a sig from Webmaster saying Moderator” New Proof of “Bob has a sig from Webmaster saying Moderator”

42 Delegating Credentials Randomizable proof system – Elliptic curve with pairings based proofs [GOS06,GS08] satisfy this property Delegatable Anonymous Credentials [BCCKLS09] – Requires some additional techniques In progress: delegatable one-time credentials (i.e. transferrable e-cash) [CCKR]

43 Roadmap Review crypto tools Construct basic credential systems Additional issues – Revocation – Deciding who to revoke Additional features – Non-interactive credentials/signatures – Delegation Conclusion

44 Other issues How do you tie a digital credential to a real world person/identity? – Harder when you add anonymity – Circular encryption, smart card, POK of credit card number Safety in numbers: – What if the issuer only ever issues one credential? Even with anonymous credentials, if yours is the only credential issued, issuer will know when you show it Adoption – will anyone ever use this? – Do people care enough about privacy?

45 Questions

46

47

48

Download ppt "Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research."

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.

7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.
Accumulators and U-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research.

Accumulators and U-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
VIS-À-VIS CRYPTOGRAPHY : PRIVATE AND TRUSTWORTHY IN-PERSON CERTIFICATIONS IAN MIERS*, MATTHEW GREEN* CHRISTOPH U. LEHMANN †, AVIEL D. RUBIN* *Johns Hopkins.

VIS-À-VIS CRYPTOGRAPHY : PRIVATE AND TRUSTWORTHY IN-PERSON CERTIFICATIONS IAN MIERS*, MATTHEW GREEN* CHRISTOPH U. LEHMANN †, AVIEL D. RUBIN* *Johns Hopkins.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2004 -

IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany ©
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.

Similar presentations

Ads by Google