Anonymous Credentials Gergely Alpár Collis – November 24, 2011.

1 Anonymous Credentials Gergely Alpár Collis – November 24, 2011

2 November 24, 2011. (Collis)G. Alpár: Anonymous credentials2 Crypt assumptions

3 Crypt assumptions

4 My assumptions: modular computation (addition, multiplication); public-key cryptography (PKI); cryptographic hash function; concatenation

5 Overview: zero-knowledge proof of knowledge; credentials; discrete logarithm preliminaries; U-Prove; RSA preliminaries; Idemix; comparison

6 Zero-knowledge proofs

7 Current practice: "I know the password!" / "I don’t believe you." / "It’s wachtw0ord2011" / "Yes, indeed."

8 Zero-knowledge proof: "I know the secret!" / "I don’t believe you." / "I can prove it." / "I'll believe it when I see it." / "No, I don’t show it, but I’ll convince you that I know it." (A hard problem)

9 Waldo and ZK

10 Where’s Waldo? Source: findwaldo.com // The Gobbling Gluttons. Idea: Moni Naor et al., How to Convince Your Children You are not Cheating, 1999

15 ZK – Ali Baba’s cave

16 Credentials

17 Credential flow

18 Anonymity requirements: untraceability; multi-show unlinkability; selective disclosure; attribute property proof; revocation by user; revocation by issuer (diagram labels: Age > 18; Valid)

19 High-level approaches: every time, issuing before showing (U-Prove, 1999) - untraceability; showing with zero-knowledge proof (Idemix, 2001) - untraceability and unlinkability; randomize (self-blindable, 2001) - unlinkability and untraceability

20 History of anonymous credentials (timeline, 1970 to 2010): 1976: Public-key crypto (Diffie & Hellman); 1978: RSA; 1981: Digital pseudonym (Chaum); 1985: Zero-knowledge proof (GMR); 1986: Non-interactive ZK (Fiat & Shamir); 1990-91: Schnorr identification and signature; 1999: U-Prove crypto (Brands); 2001: Idemix crypto (Camenisch & Lysyanskaya); 2002: Idemix JAVA implementation; 2009: Light-weight Idemix impl. (IBM); 2010: Microsoft’s U-Prove impl.; 2010-14: ABC4Trust (IBM & MS)

21 Discrete logarithm – preliminaries

22 Modular computation mod n: $a^x$, $\log_a x$. Example: $7^3 = 343 = 7 \cdot 47 + 14 = 14 \pmod{47}$, so $\log_7 14 = 3 \pmod{47}$

23 Modular exponentiation [plot: $10^x \bmod 53$ against $x$; labelled points $10^1$, $10^2$, $10^3$, $10^4$, $10^{13}$]

24 Discrete logarithm (p = 53, q = 13): $\log_{10} 24 = {?} \pmod{53}$ [plot: $10^x \bmod 53$ against $x$]

25 Discrete logarithm (p = 389, q = 97): $\log_{13} 193 = {?} \pmod{389}$ [plot: $13^x \bmod 389$ against $x$]

26 $p \sim 2^{1024}$, $q \sim 2^{160}$: $g^b = h \pmod{p}$, where the order of $g$ is $q$ (the slide writes out one full-size numeric instance of this equation in decimal digits)

27 Efficiently computable. Random numbers: 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8, 8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9. Modular addition and multiplication: $a \cdot b + c \pmod{n}$. Modular exponentiation: $3^{26} = 3^{(11010)_2} = 3^2 \cdot 3^8 \cdot 3^{16} = 3 \pmod{11}$, where $3^2 = 9 \bmod 11$, $3^8 = ((9)^2)^2 \bmod 11 = 5 \bmod 11$, $3^{16} = 5^2 \bmod 11 = 3 \bmod 11$

28 ZK as a basic building block: zero-knowledge (ZK) proof of knowledge; Schnorr identification; Schnorr signature; U-Prove issuance; blind signature; U-Prove showing

29 U-Prove

30 Crypt assumptions: discrete logarithm assumption

31 Schnorr identification: complete (P: “If I know, I can convince you.”); sound (V: “If you don’t know, you cannot convince me.”); zero-knowledge

32 From outside

33 Simulation ⇒ zero-knowledgeness (real communication vs. simulated communication)

34 Schnorr identification

35 Schnorr identification
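
The three properties listed for Schnorr identification (complete, sound, simulation ⇒ zero-knowledge), as an added Python example that is not part of the original slides. It assumes the standard Schnorr message flow (commitment $a = g^w$, challenge $c$, response $r = w + cx \bmod q$), uses the deck's toy group p = 53, q = 13, g = 10, and all function names are chosen here for illustration.

```python
import secrets

# Toy group taken from the slides: p = 53, g = 10 has prime order q = 13.
# Illustration only; the deck's realistic sizes are p ~ 2^1024, q ~ 2^160.
P, Q, G = 53, 13, 10

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret exponent in [1, q-1]
    return x, pow(G, x, P)                # (secret x, public h = g^x mod p)

def commit():
    w = secrets.randbelow(Q)              # fresh randomness for every run
    return w, pow(G, w, P)                # prover keeps w, sends a = g^w

def respond(x, w, c):
    return (w + c * x) % Q                # r = w + c*x mod q

def verify(h, a, c, r):
    return pow(G, r, P) == (a * pow(h, c, P)) % P   # g^r == a * h^c ?

def simulate(h):
    """Zero-knowledge: build an accepting transcript WITHOUT the secret by
    picking c and r first, then solving for a = g^r * h^(-c) mod p."""
    c, r = secrets.randbelow(Q), secrets.randbelow(Q)
    a = (pow(G, r, P) * pow(h, -c, P)) % P
    return a, c, r

def extract(c1, r1, c2, r2):
    """Soundness: two accepting answers to different challenges on the same
    commitment give x = (r1 - r2) / (c1 - c2) mod q."""
    return ((r1 - r2) * pow((c1 - c2) % Q, -1, Q)) % Q

def run_protocol(x, h):
    w, a = commit()
    c = secrets.randbelow(Q)              # verifier's random challenge
    return verify(h, a, c, respond(x, w, c))

if __name__ == "__main__":
    x, h = 8, pow(G, 8, P)                # h = 24, the p = 53 instance above
    print("honest run accepted:", run_protocol(x, h))
    print("simulated transcript accepted:", verify(h, *simulate(h)))
    w, a = commit()
    print("extracted secret:", extract(3, respond(x, w, 3), 7, respond(x, w, 7)))
```

The extractor also shows why the commitment randomness must never be reused: answering two different challenges with the same w hands the verifier the secret.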

36 Non-interactive Schnorr (Fiat-Shamir)

37 Schnorr signature (freshness)

38 Schnorr signature

39 Schnorr blind signature

40 Schnorr blind signature

41 Credential flow: issuing; showing

42 DL representation

43 Brands’ issuing protocol (U-Prove)

44 Brands’ showing protocol (U-Prove)

45 Selective disclosure (U-Prove): certain attributes are revealed; others are proven in the token but remain hidden (diagram label: R)

46 Selective disclosure (U-Prove)

47 RSA – preliminaries

48 Crypt assumptions: integer factorization is hard

49 RSA signature – recap

50 Strong RSA assumption. Integer factorization: $n \rightarrow p, q$. RSA problem: $c, e \rightarrow m$. Strong RSA problem: $c \rightarrow m, e$. In both RSA problems $c = m^e \pmod{n}$

51 Idemix – selective disclosure

52 Camenisch-Lysyanskaya signature

53 Idemix issuing protocol (CL)* (* without intervals). Plus: freshness with nonces! ⇒ SPKs

54 Randomized CL-signature

55 Idemix showing protocol* (* without intervals). Plus: freshness with a nonce! ⇒ SPK

56 CL showing: selective disclosure* (* without intervals). Plus: freshness with a nonce! ⇒ SPK

57 U-Prove vs. Idemix

58 Comparison of functionalities

59 Performance (client)

60 U-Prove selective disclosure (W. Mostowski, P. Vullers: Efficient U-Prove Implementation for Anonymous Credentials on Smart Cards)

61 Future of anonymous credentials…: ABC4Trust; NSTIC (discussion by Francisco Corella); W3C Identity in the browser

62 Questions? Gergely Alpar, gergely@cs.ru.nl, www.cs.ru.nl/~gergely

